Web Application Security

Master web application security fundamentals, OWASP Top 10 vulnerabilities, and modern defense strategies for secure web development.


OWASP Top 10 Web Application Security Risks

The most critical web application security vulnerabilities that developers and security professionals must understand.

A01:2021 - Broken Access Control

Access control enforces policy such that users cannot act outside of their intended permissions.

Common Vulnerabilities:

  • Insecure direct object references (IDOR)
  • Missing access controls on API endpoints
  • Privilege escalation through parameter manipulation
  • CORS misconfiguration
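As an added illustration of the IDOR item (this is example code written for this page, not code from the original), here is a record lookup that trusts the client-supplied id beside one that enforces object-level authorization. The Invoice records and user ids are constructed sample data; the handler names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: user 1 owns invoice 1001, user 2 owns invoice 1002.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount=120.0),
    1002: Invoice(invoice_id=1002, owner_id=2, amount=9800.0),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(current_user_id, invoice_id):
    """IDOR: the record is fetched by the client-supplied id and ownership is
    never checked, so any authenticated user can read any invoice by
    changing the id in the request."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def get_invoice_secure(current_user_id, invoice_id):
    """Object-level authorization: the caller must own the record.
    'Missing' and 'not yours' produce the same response so the endpoint
    cannot be used to enumerate which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise NotFound(invoice_id)
    return invoice


def read_invoice_as(user_id, invoice_id, handler):
    """Return the invoice amount, or None when the handler denies access.
    Used to compare the two handlers on the same request."""
    try:
        return handler(user_id, invoice_id).amount
    except NotFound:
        return None


if __name__ == "__main__":
    # User 1 asks for user 2's invoice through each handler.
    print("vulnerable:", read_invoice_as(1, 1002, get_invoice_vulnerable))
    print("secure:    ", read_invoice_as(1, 1002, get_invoice_secure))
```

The fix is not a different lookup but an extra predicate on every object access; in a real application the ownership check belongs in one place (a repository or policy layer) so it cannot be forgotten on a single endpoint.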

A02:2021 - Cryptographic Failures

Failures related to cryptography which often lead to exposure of sensitive data.

Common Issues:

  • Weak or broken cryptographic algorithms (for example the MD5 and SHA1 hash functions)
  • Hardcoded encryption keys
  • Insufficient entropy for random values
  • Missing TLS, leaving data unencrypted in transit

A03:2021 - Injection

Application failures related to untrusted data being sent to an interpreter as part of a command or query.

Types of Injection:

  • SQL Injection (SQLi)
  • NoSQL Injection
  • Command Injection
  • LDAP Injection
  • XPath Injection

A04:2021 - Insecure Design

Flaws in design and architecture that cannot be fixed by proper implementation.

Design Flaws:

  • Missing threat modeling
  • Insecure default configurations
  • Lack of security controls
  • Poor session management design

A05:2021 - Security Misconfiguration

Improperly configured permissions on cloud services, unnecessary features left enabled, and default accounts left in place.

Common Misconfigurations:

  • Default credentials not changed
  • Debug mode enabled in production
  • Unnecessary services running
  • Missing security headers

A06:2021 - Vulnerable Components

Using components with known vulnerabilities, including OS, web/application server, database management systems.

Risk Factors:

  • Outdated libraries and frameworks
  • Unpatched systems
  • Known vulnerable dependencies
  • Lack of vulnerability scanning

Injection Attacks Deep Dive

Understanding and defending against various types of injection attacks.

SQL Injection (SQLi)

SQL injection occurs when untrusted user input is directly concatenated into SQL queries.

Vulnerable Code Example:

    // VULNERABLE: user input is concatenated straight into the SQL text
    String query = "SELECT * FROM users WHERE id = " + userId;
    ResultSet rs = stmt.executeQuery(query);

Secure Code Example:

    // SECURE - Using Prepared Statements: the value is bound as a parameter, never parsed as SQL
    String query = "SELECT * FROM users WHERE id = ?";
    PreparedStatement pstmt = conn.prepareStatement(query);
    pstmt.setString(1, userId);
    ResultSet rs = pstmt.executeQuery();

Common Attack Payloads:

  • ' OR '1'='1
  • '; DROP TABLE users; --
  • ' UNION SELECT * FROM passwords --
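To make the difference between the two Java snippets observable, here is an added Python example (not code from the page) that runs the first payload from the list above against an in-memory SQLite table, once through string concatenation and once through a bound parameter. The users table and its two rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table. Ids are stored as text so the
    quoted payload from the page applies to the concatenated query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("1", "alice"), ("2", "bob")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, user_id):
    # VULNERABLE: the value becomes part of the SQL grammar, so a quote in it
    # closes the literal and anything after it is interpreted as SQL.
    query = "SELECT name FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_secure(conn, user_id):
    # SECURE: the statement is parsed first and the value bound afterwards;
    # whatever the string contains, it can only be compared as data.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def demo(user_id="1' OR '1'='1"):
    """Run the same input through both queries and return the two result lists."""
    conn = make_db()
    return find_user_vulnerable(conn, user_id), find_user_secure(conn, user_id)


if __name__ == "__main__":
    vulnerable, secure = demo()
    print("concatenated query returned:", vulnerable)
    print("parameterized query returned:", secure)
```

With the tautology payload the concatenated query's WHERE clause becomes `id = '1' OR '1'='1'` and returns every row, while the parameterized query looks for a user whose id is literally that string and returns nothing. Note that Python's sqlite3 refuses to execute more than one statement per call, so the stacked `DROP TABLE` payload fails for a different reason there; drivers for other databases do not share that accident.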

Command Injection

Command injection occurs when user input is passed into an operating-system command, allowing attackers to execute arbitrary commands on the host.

Vulnerable Code Example:

    // VULNERABLE: user input is appended to the command string unchecked
    String command = "ping " + userInput;
    Process p = Runtime.getRuntime().exec(command);

Secure Code Example:

    // SECURE - allowlist input validation before the value reaches the command string
    if (!userInput.matches("^[0-9.]+$")) {
        throw new SecurityException("Invalid input");
    }
    String command = "ping " + userInput;
    Process p = Runtime.getRuntime().exec(command);

Common Attack Payloads:

  • 127.0.0.1; cat /etc/passwd
  • 127.0.0.1 && whoami
  • 127.0.0.1 | netstat -an
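The following is an added Python counterpart to the secure Java snippet (example code written for this page, not from the original). It combines the allowlist check with a second defence the Java version lacks: the command is built as an argument vector and executed without a shell, so separators such as `;`, `&&` and `|` in the input are never interpreted. It assumes a ping binary on PATH for run_ping; the argument builder itself runs anywhere.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and inner hyphens joined by dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^%s(?:\.%s)*$" % (_LABEL, _LABEL))


def validate_host(user_input):
    """Allowlist check: return the input only if it is an IP literal or a plain hostname."""
    if not isinstance(user_input, str) or len(user_input) > 253:
        raise ValueError("invalid host")
    try:
        ipaddress.ip_address(user_input)  # accepts IPv4 and IPv6 literals
        return user_input
    except ValueError:
        pass
    if HOSTNAME_RE.match(user_input):
        return user_input
    raise ValueError("invalid host: %r" % user_input)


def build_ping_argv(user_input, count=1):
    """Build the command as an argument vector. The validated host is one
    argv element; no shell parses it, so metacharacters carry no meaning."""
    host = validate_host(user_input)
    return ["ping", "-c", str(count), host]


def run_ping(user_input, timeout=10):
    # Assumes a ping binary on PATH. shell=False is the default: each list
    # element is passed to the program as a separate argument.
    return subprocess.run(
        build_ping_argv(user_input), capture_output=True, text=True, timeout=timeout
    )


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "example.com", "127.0.0.1; cat /etc/passwd"):
        try:
            print(candidate, "->", build_ping_argv(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

The regex also rejects a leading hyphen, which matters even without a shell: an input such as `-c` would otherwise be parsed by ping as an option rather than a host.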

Authentication & Authorization

Implementing secure authentication and authorization mechanisms.

Password Security

Best Practices:

  • Use strong password policies
  • Implement password hashing (bcrypt, Argon2)
  • Add salt to password hashes
  • Implement account lockout policies
  • Use multi-factor authentication (MFA)
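As an added example for the hashing and salting items above (and for the weak-algorithm point under A02), this Python code is not from the page: it stores passwords with a per-password random salt and a memory-hard work factor, and verifies them in constant time. It uses scrypt from the standard library as a stand-in for bcrypt or Argon2, which need third-party packages; the storage format is an assumption made here.

```python
import hashlib
import hmac
import os

# Work factors: N=2**14, r=8 costs about 16 MiB of memory per hash, which is
# what makes offline guessing expensive. Tune upward as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password):
    """Return a self-describing record: algorithm, parameters, salt, digest."""
    salt = os.urandom(16)  # unique per password; stored in the clear next to the digest
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute with the stored parameters and compare without leaking timing."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p), dklen=DKLEN
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def unsalted_md5(password):
    """For contrast only: fast and unsalted, so two users with the same password
    share a hash and a precomputed table breaks every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong", record))
    print("same md5 for same password:", unsalted_md5("hunter2") == unsalted_md5("hunter2"))
```

Because the parameters travel with the record, the work factor can be raised later and old records re-hashed at the user's next successful login.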

Session Management

Security Measures:

  • Use secure session tokens
  • Implement session timeout
  • Regenerate session IDs after login
  • Store sessions securely
  • Implement CSRF protection
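The five measures above fit in one small server-side session store, shown here as an added Python example (not code from the page): random tokens from a CSPRNG, an idle timeout, a new id issued at login, and a per-session CSRF token checked in constant time. The SessionStore API, the 15-minute timeout and the injectable clock are assumptions made for the example.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # idle timeout in seconds (assumed value)


class SessionStore:
    """In-memory server-side store: the client only ever holds an opaque id."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def create(self, user_id=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = {
            "user_id": user_id,
            "csrf": secrets.token_urlsafe(32),
            "expires": self._clock() + SESSION_TTL,
        }
        return sid

    def get(self, sid):
        """Return the session record, or None if unknown or timed out."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if record["expires"] <= self._clock():
            del self._sessions[sid]
            return None
        record["expires"] = self._clock() + SESSION_TTL  # sliding timeout
        return record

    def login(self, old_sid, user_id):
        """Regenerate the id when privilege changes so a pre-login id that an
        attacker may have planted (session fixation) is never promoted."""
        self._sessions.pop(old_sid, None)
        return self.create(user_id)

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def check_csrf(self, sid, submitted):
        """Compare the form's token with the session's in constant time."""
        record = self.get(sid)
        return record is not None and secrets.compare_digest(record["csrf"], submitted)


def session_cookie(sid):
    """Set-Cookie value: not readable by script, HTTPS only, not sent cross-site."""
    return "session=%s; Path=/; HttpOnly; Secure; SameSite=Strict" % sid


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    sid = store.login(anon, user_id=42)
    print(session_cookie(sid))
    print("old id still valid:", store.get(anon) is not None)
    print("csrf check:", store.check_csrf(sid, store.get(sid)["csrf"]))
```

Keeping the record server-side means the cookie carries no user data to tamper with; the cookie attributes in session_cookie are what stops the id from leaking through script access, plaintext transport or cross-site requests.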

OAuth 2.0 & OpenID Connect

Implementation:

  • Use authorization code flow
  • Validate tokens properly
  • Implement PKCE for mobile apps
  • Use HTTPS for all communications
  • Store tokens securely

Security Headers & Best Practices

Essential security headers and configurations for web applications.

Essential Security Headers:

Content-Security-Policy
  Prevents XSS attacks by controlling resource loading
  Example value: default-src 'self'; script-src 'self'

X-Frame-Options
  Prevents clickjacking attacks
  Example value: DENY

X-Content-Type-Options
  Prevents MIME type sniffing
  Example value: nosniff

Strict-Transport-Security
  Enforces HTTPS connections
  Example value: max-age=31536000; includeSubDomains
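The four headers above are easy to check mechanically. The following added Python example (not code from the page) audits a response's header set against them, flagging a header that is missing as well as one that is present but weakened, such as a CSP whose script-src permits inline scripts or an HSTS max-age shorter than a year. The two header sets at the bottom are constructed samples; the finding strings are this example's own.

```python
import re

ONE_YEAR = 31536000  # seconds; the max-age used in the example value above


def _csp_findings(value):
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when absent, so check whichever applies.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        return ["CSP: neither script-src nor default-src set; scripts may load from anywhere"]
    return ["CSP: script-src allows %s" % bad
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*") if bad in script_src]


def _hsts_findings(value):
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if match is None:
        return ["HSTS: max-age directive missing"]
    findings = []
    if int(match.group(1)) < ONE_YEAR:
        findings.append("HSTS: max-age below one year")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS: includeSubDomains not set")
    return findings


def audit_headers(headers):
    """Return a list of findings; empty when all four essential headers are sound.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    findings += ["missing Content-Security-Policy"] if csp is None else _csp_findings(csp)
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: unrecognised value %r" % xfo)
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    hsts = h.get("strict-transport-security")
    findings += ["missing Strict-Transport-Security"] if hsts is None else _hsts_findings(hsts)
    return findings


# Constructed sample responses: one using the page's example values, one weakened.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    print("good:", audit_headers(GOOD_HEADERS))
    for finding in audit_headers(WEAK_HEADERS):
        print("weak:", finding)
```

A check like this belongs in a deployment test or a periodic scan of production endpoints, since the headers are typically set by the reverse proxy or framework configuration and regress silently when that configuration changes.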

Additional Security Measures:

Input Validation

Validate and sanitize all user inputs

Output Encoding

Encode output to prevent XSS

Error Handling

Don't expose sensitive information in errors

Logging & Monitoring

Implement comprehensive logging