Web Application Security and Risks

Source: Internet
Author: User
Keywords: application security, web application security, web application security risks
Web application development history
From the Web 1.0 era to Web 3.0: in 1.0 the server delivered the same static HTML to every client; 2.0 added interactivity backed by a database; 3.0 can deliver the functionality of complex application programs inside the browser, and users can use their own data across many websites.
Static HTML content stage
CGI program stage (API interfaces added; dynamic content)
Scripting language stage (ASP, PHP, JSP, etc.)
Thin client stage (application server with Web MVC, independent of the web server)

RIA stage (DHTML + Ajax: page content can change without a full refresh)
Mobile Web stage (Android, iOS)

Web application advantages
1. HTTP is the core communication protocol used to access the World Wide Web. It is lightweight, connectionless, and fault tolerant, so the server does not need to keep a network connection open to every user.
2. The browser is powerful and content-rich, and application functionality can be delivered entirely through client-side scripting.
3. Development is relatively simple.

Web application security (disadvantages)
Examples of vulnerabilities
Broken authentication
Defects in the login mechanism; weak passwords can be brute-forced to bypass the login.

Broken access control
The application fails to protect its data and functions, so an attacker can view sensitive information on the server or perform privileged operations.

SQL injection
Submitting specially crafted input interferes with the interaction between the application and the back-end database, allowing information to be extracted from the database or its logic to be subverted.

Cross-site scripting (XSS)
Allows an attacker to attack other users of the application and access their information.

Information leakage
The application discloses sensitive information.

Cross-site request forgery (CSRF)
Tricks users into unintentionally performing actions on the application with their own privileges.

The core issue
The user can tamper with all data transmitted between the client and the server:
Request parameters
Cookies
HTTP headers
The user can therefore easily bypass security controls implemented on the client, such as client-side input validation.

Users can send requests in any order:
At a different stage than the application expects
More than once
Never
User actions may violate many of the assumptions developers make about how users interact with the application.

Users are not limited to accessing the application with an ordinary web browser; many attack tools exist:
Browser-independent tools
Tools embedded in the browser
These can make requests that an ordinary browser cannot submit, generate large numbers of requests quickly, and find and exploit security issues.

For example
Changing the price of a product submitted in a hidden HTML form field
Modifying the session token transmitted in an HTTP cookie to hijack another authenticated user's session
Removing parameters that are normally submitted, to exploit logic errors in the application's processing
Altering how the back-end database processes an input, thereby injecting a malicious database query to access sensitive data
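The following example is added here and is not code from the original page. It models the "core issue" and the hidden-field example above in plain Python: a form is a dict of submitted fields, all of which are attacker-controlled, and the only defence is to recompute and re-validate everything on the server. The catalogue, SKUs and prices are constructed sample data.

```python
# Added example (not from the page): why server-side validation is required.
# A request is modelled as a dict of submitted form fields. Everything in it is
# under the user's control, including "hidden" fields and values that were
# already checked by client-side JavaScript.

# Server-side product catalogue (constructed sample data). Prices live here,
# never in the HTML form.
CATALOG = {"SKU-100": 4999, "SKU-200": 1250}  # price in cents
MAX_QTY = 10


def total_trusting_client(form):
    """Vulnerable: trusts the hidden 'price' field and the client's quantity check."""
    return int(form["price"]) * int(form["qty"])


def total_server_side(form):
    """Hardened: the price comes from the catalogue; quantity is re-validated here."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def rejects(form):
    """True if the hardened handler refuses the submission."""
    try:
        total_server_side(form)
        return False
    except ValueError:
        return True


# Constructed samples: a normal browser submission and one where the hidden
# price field was rewritten before it reached the server.
HONEST = {"sku": "SKU-100", "price": "4999", "qty": "2"}
TAMPERED = {"sku": "SKU-100", "price": "1", "qty": "2"}

if __name__ == "__main__":
    print(total_trusting_client(HONEST), total_trusting_client(TAMPERED))  # 9998 2
    print(total_server_side(HONEST), total_server_side(TAMPERED))  # 9998 9998
```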

Summary
An application's use of SSL only means that other users of the network cannot view or modify the data the attacker sends.
SSL does not prevent an attacker from submitting specially crafted input to the server.
The attacker controls their end of the SSL channel and can send any content to the server.

New security boundary
Before web applications appeared
Security mainly meant defending the network perimeter against external attack; protecting that perimeter required hardening, patching, and firewalls.

After web applications appeared
For users to reach the application, the perimeter firewall must allow inbound HTTP/HTTPS connections to the internal server. To provide its functionality, the application must in turn be allowed to connect to the back-end systems that support it:
Databases
Mainframes
Financial and logistics systems

If the application is vulnerable, an attacker who submits specially crafted data can reach the organization's core back-end systems. This data looks like a normal, benign traffic flow and passes through all of the organization's defenses.
Therefore, defense measures must be implemented within the application itself. Third-party widgets and many cross-domain integration techniques extend the server-side security boundary beyond the organization's own perimeter.
