Web application security
At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems. Typically web applications are developed using programming languages such as PHP, Java EE, Java, Python, Ruby, ASP.NET, C#, VB.NET or Classic ASP.
With the emergence of Web 2.0, increased information sharing through social networking and increasing business adoption of the Web as a means of doing business and delivering service, websites are often attacked directly. Hackers either seek to compromise the corporate network or the end-users accessing the website by subjecting them to drive-by downloading.
The majority of web application attacks occur through cross-site scripting (XSS) and SQL injection attacks which typically result from flawed coding, and failure to sanitize input to and output from the web application. These are ranked in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. According the security vendor Cenzic, the top vulnerabilities in March 2012 include:
- Cross Site Scripting, 37%
- SQL Injection, 16%
- PHP Injection,
- Path Disclosure, 5%
- Denial of Service, 5%
- Code Execution, 4%
- Memory Corruption, 4%
- Cross Site Request Forgery, 4%
- Information Disclosure, 3%
- Arbitrary File, 3%
- Local File Include, 2%
- Remote File Include, 1%
- Overflow 1%
- Other, 15%
OWASP is the emerging standards body for Web application security. In particular they have published the OWASP Top 10 which describes in detail the major threats against web applications. The Web Application Security Consortium (WASC) has created the Web Hacking Incident Database and also produced open source best practice documents on Web application security.
While security is fundamentally based on people and processes, there are a number of technical solutions to consider when designing, building and testing secure web applications. At a high level, these solutions include:
- Black Box testing tools such as Web application security scanners, vulnerability scanners and penetration testing software
- White Box testing tools such as static source code analyzers
- Fuzzing Tools used for input testing
- Web application firewalls (WAF) used to provide firewall-type protection at the web application layer
- Password cracking tools for testing password strength and implementation
- Application service architecture (ASA)
- w3af a free open-source web application security scanner
- OWASP Open Web Application Security Project
- Web application security scanner
- "The Ghost in the Browser". Niels Provos et al. May 2007.
- "All Your iFrames Point to Us". Niels Provos et al. February 2008.
- "Improving Web Application Security: Threats and Countermeasures". Microsoft Corporation. June 2003.
- "Microsoft fortifies IE8 against new XSS exploits". Dan Goodin, The Register. February 2009.
- "Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks". Fonseca, J.; Vieira, M.; Madeira, H., Dependable Computing, IEEE. Dec 2007.
- "CWE/SANS Top 25 Most Dangerous Programming Errors". CWE/SANS. May 2009.
- "2012 Trends Report: Application Security Risks". Cenzic, Inc. 11 March 2012. Retrieved 9 July 2012.
- "The Web Hacking Incidents Database". WASC. January 2010.
- "Web Application Vulnerability Scanners". NIST.
- "Source Code Security Analyzers". NIST.
- "Fuzzing". OWASP.
- "Web application firewalls for security and regulatory compliance". Secure Computing Magazine. February 2008.