Web application
 development history
 From the 1.0 to the 3.0 era: in 1.0 the server and client exchange the same static HTML, 2.0 is interactive and backed by a database, and 3.0 can realize the functions of complex application programs in the browser, with users able to use their own data across many websites.
 Static content stage (plain HTML)
 CGI program stage (API interface added, dynamic content)
 Scripting language stage (ASP, PHP, JSP, etc.)
 Thin client stage (application server with Web MVC, independent of the Web server)
 
 RIA stage (DHTML + Ajax: page content changes without a refresh)
 Mobile Web (Android, iOS)
 
 Web application advantages
 1. HTTP is the core communication protocol used to access the World Wide Web. It is lightweight, connectionless, and fault tolerant; the server does not need to keep a network connection open to every user.
 2. The browser is powerful and rich in content; application functions can be completed by client-side script
 3. Development is relatively simple
 
 Web application security (disadvantages)
 Examples of vulnerabilities
 Imperfect identity verification measures
 Defects in the login mechanism: simple passwords can be brute-force cracked to bypass the login
 
 Incomplete access control measures
 The application fails to protect its data and functions, so an attacker can view sensitive information on the server and
 perform privileged operations
 
 SQL injection
 Submit specially designed input to interfere with the interaction between the application and the back-end database, extract information from the database, and break the logical structure of queries
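 The following is an added example (not code from the original notes) of the defect this entry describes and its fix. It builds a constructed in-memory SQLite table and runs the same login lookup two ways: the vulnerable version pastes user input into the SQL text, so an input containing a quote changes the query's structure (here it breaks the query); the safe version passes the input as a bound parameter, so the database only ever sees it as data. Account names and passwords are constructed example data, and passwords are stored in plaintext only to keep the example short.

```python
import sqlite3

def make_db():
    # Constructed in-memory table with example accounts (not data from the notes).
    # Plaintext passwords are used only to keep the demonstration short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    # The input is spliced into the SQL text, so it can alter the query's structure.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    # Parameterised query: the database receives the input as data, never as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def compare(username, password):
    # Run both versions on the same input; report a broken query as "SQL ERROR".
    conn = make_db()
    try:
        vulnerable = login_vulnerable(conn, username, password)
    except sqlite3.OperationalError:
        vulnerable = "SQL ERROR"
    return vulnerable, login_safe(conn, username, password)

if __name__ == "__main__":
    print(compare("alice", "correct horse"))   # ('alice', 'alice')
    print(compare("o'brien", "x"))             # ('SQL ERROR', None): the quote rewrote the query
```

 The parameterised form is the server-side control: the point is not to filter quotes on the client (which the core-issue notes below show can be bypassed) but to keep input out of the SQL text entirely.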
 
 Cross-site scripting (XSS)
 Can be used to attack other users of the application and access their information
 
 Information leakage
 Application leaks sensitive information
 
 Cross-site request forgery (CSRF)
 Induces users to unknowingly perform operations on the application with their own user permissions
 
 The core issue
 The user can interfere with any data transmitted between the client and the server
 Request parameters
 Cookies
 HTTP headers
 Users can therefore easily bypass security controls enforced on the client, such as input validation
 
 Users can send requests in any order
 At a stage other than the one the workflow expects
 More than once
 Never
 Users may break many of the assumptions developers make about the way users interact with the application
 
 Users are not limited to accessing the application with a web browser; there are many attack tools
 Browser independent
 Embedded in the browser
 These can make requests that an ordinary browser cannot submit, quickly generate a large number of requests, and find and exploit security issues
 
 For example
 Change the price of a product submitted in a hidden HTML form field
 Modify the session token transmitted in an HTTP cookie to hijack another authenticated user's session
 Exploit logic errors in application processing by deleting parameters that are normally submitted
 Change how the back-end database processes an input, injecting a malicious database query to access sensitive data
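 As an added example (not code from the original notes), the checkout handler below illustrates two of the core-issue points together: a client-controlled hidden field and out-of-order or repeated requests. The vulnerable handler trusts the price echoed back from a hidden form field; the safe handler ignores any client-supplied price, looks it up in a constructed server-side catalogue, validates the quantity, and uses server-side session state to require that the address step has completed and that the payment step runs only once. The catalogue, request bodies, SKU names and step names are all constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed server-side price list (in cents); this is the only trusted source of prices.
CATALOGUE = {"sku-100": 2500, "sku-200": 999}

class CheckoutError(Exception):
    pass

def parse_request(body):
    # A urlencoded request body arrives as plain text: hidden form fields are
    # indistinguishable from visible ones, and any value can be edited in transit.
    return {k: v[0] for k, v in parse_qs(body).items()}

def checkout_vulnerable(params):
    # Trusts the price that the client echoed back from a hidden form field.
    qty = int(params["qty"])
    price = int(params["price"])
    return {"sku": params["sku"], "qty": qty, "total": qty * price}

def checkout_safe(session, params):
    # Enforce the expected request order with server-side session state:
    # the address step must have completed, and this step may run only once.
    if session.get("step") != "address_confirmed":
        raise CheckoutError("checkout step out of order")
    # Never use a client-supplied price: look it up on the server.
    sku = params.get("sku")
    if sku not in CATALOGUE:
        raise CheckoutError("unknown product")
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        raise CheckoutError("quantity is not an integer") from None
    if not 1 <= qty <= 100:
        raise CheckoutError("quantity out of range")
    session["step"] = "paid"   # advance the state machine so this step cannot be replayed
    return {"sku": sku, "qty": qty, "total": qty * CATALOGUE[sku]}

def try_checkout(session, params):
    # Convenience wrapper: returns the order, or the rejection reason as a string.
    try:
        return checkout_safe(session, params)
    except CheckoutError as exc:
        return str(exc)

if __name__ == "__main__":
    tampered = parse_request("sku=sku-100&qty=1&price=1")   # constructed tampered request body
    print(checkout_vulnerable(tampered))                     # total 1: the client chose the price
    session = {"step": "address_confirmed"}
    print(try_checkout(session, tampered))                   # total 2500 from the catalogue
    print(try_checkout(session, tampered))                   # rejected: step already completed
```

 The same tampered body produces a total of 1 in the vulnerable handler and 2500 in the safe one, and the second submission of the payment step is rejected because the session state has already advanced; that server-side check is what remains when the client-side flow is not followed.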
 
 Summary
 Using SSL only means that other users of the network cannot view or modify the data the attacker sends
 SSL cannot prevent attackers from submitting specially designed input to the server
 The attacker controls their end of the SSL channel and can send any content to the server
 
 New security boundary
 Before web applications appeared
 Defense focused on external attacks at the network boundary; protecting this boundary required timely patching and firewalls
 
 After web applications appeared
 For users to access the application, the border firewall must allow HTTP/HTTPS connections to the internal server. For the application to work, it must be allowed to connect to the back-end systems that support it
 Database
 Mainframe
 Financial and logistics systems
 
 If there is a vulnerability, an attacker only has to submit specially designed data to reach the organization's core back-end systems. This data looks like a normal, benign data flow and passes through all of the organization's defenses
 Therefore, defense measures must be implemented within the application. Third-party widgets and many cross-domain integration technologies also extend the server-side security boundary beyond the boundary of the organization itself.