What Is Web Application Security and How Does It Work?
VerifiedAdded on 2022/08/20
|9
|1856
|13
Assignment
AI Summary
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
Running head: WEB APPLICATION SECURITY
WEB APPLICATION SECURITY
Name of the Student
Name of the university
Author Note
WEB APPLICATION SECURITY
Name of the Student
Name of the university
Author Note
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Table of Contents
Introduction......................................................................................................................................2
Different types of web server attacks..............................................................................................2
Security best practices.....................................................................................................................4
Recommendation.............................................................................................................................5
References........................................................................................................................................7
Introduction......................................................................................................................................2
Different types of web server attacks..............................................................................................2
Security best practices.....................................................................................................................4
Recommendation.............................................................................................................................5
References........................................................................................................................................7
Introduction
Webservers hosts the resources for the websites for an organizations which have public
domains and IP addresses. The Internet is connected worldwide and it’s an open platform. An
open and unsecure websites attacks the unwanted guests as hackers. A normal websites stores
critical information of the organization and users. To prevent the attacks by the hackers or other
security issues, web security is an important aspect of the web server hosting (Almi 2014). The
whole websites depend on the both the front end application and its server systems. In this report,
different types of web servers attacks is discussed along with the best practices to keep the
critical and personal data safe. It also discusses the global solution for web hosting for the
organizations.
Different types of web server attacks
Webservers are the computers running on an operating system to host the websites. The
servers are connected to the backend database and various front end applications. Any
compromise in the backend, OS or application can attract the attacks on web server. Several type
of web server attacks are mentioned and described below:
i. SQL Injection: SQL injection are the attack that aims the database to alter or extract data
from the databases. Hacker hide a SQL query with parameters in a URL which is fed to
the users to get access from them. The stored procedures can also be triggered using SQL
injection attack (Qian et al. 2015). It is the most harmful and effective attacks on the
webservers. Data stealth and breach are the most common results of the SQL injection
attacks.
Webservers hosts the resources for the websites for an organizations which have public
domains and IP addresses. The Internet is connected worldwide and it’s an open platform. An
open and unsecure websites attacks the unwanted guests as hackers. A normal websites stores
critical information of the organization and users. To prevent the attacks by the hackers or other
security issues, web security is an important aspect of the web server hosting (Almi 2014). The
whole websites depend on the both the front end application and its server systems. In this report,
different types of web servers attacks is discussed along with the best practices to keep the
critical and personal data safe. It also discusses the global solution for web hosting for the
organizations.
Different types of web server attacks
Webservers are the computers running on an operating system to host the websites. The
servers are connected to the backend database and various front end applications. Any
compromise in the backend, OS or application can attract the attacks on web server. Several type
of web server attacks are mentioned and described below:
i. SQL Injection: SQL injection are the attack that aims the database to alter or extract data
from the databases. Hacker hide a SQL query with parameters in a URL which is fed to
the users to get access from them. The stored procedures can also be triggered using SQL
injection attack (Qian et al. 2015). It is the most harmful and effective attacks on the
webservers. Data stealth and breach are the most common results of the SQL injection
attacks.
ii. Brute Force: Brute Force uses the all type of permutation and combination to crack the
username and password of a user. All the possible iterations are checked which can
effectively crack a weak password (Arzhakov and Silnov 2016). This is basic type of web
server attack. The chance of the brute force attack gets high when there is only password
authentication.
iii. URL Interpretation: In this type of attack, poisoned URL is used in place of the right
URL by manipulating it. The semantics of the URL is changed except the syntax. The
poisoned URL is clicked by the user unknowingly and it retrieves information from the
web server.
iv. Input Validation: Input validation is type of attack where hacker injects a code that is
executed by the web server (Cao et al. 2015). The inputs are validated before the
execution generally. However after the input validation attack, inputs are not validated
and information is retrievable by the hacker.
v. Buffer Overflow: Buffer overflow are the attacks where the hackers deliberately
overflow the memory available to the users input. In this scenario the application runs out
of the memory to input data fed by the user. The overflow is made by inputting the
arbitrary data. It is similar to the denial of service attack.
vi. Denial of Service: Denial of Service is an attack where the server denies the service to
the user on the request (Yu 2014). It is most effective and popular form of attacking web
servers. The hacker gets access to the network and immediately exploit the web servers.
vii. Session hijacking: Web Servers run on HTTP protocol where the application has the
states. Due to Poor mechanism of the states, the hijacking becomes easy for the hackers.
username and password of a user. All the possible iterations are checked which can
effectively crack a weak password (Arzhakov and Silnov 2016). This is basic type of web
server attack. The chance of the brute force attack gets high when there is only password
authentication.
iii. URL Interpretation: In this type of attack, poisoned URL is used in place of the right
URL by manipulating it. The semantics of the URL is changed except the syntax. The
poisoned URL is clicked by the user unknowingly and it retrieves information from the
web server.
iv. Input Validation: Input validation is type of attack where hacker injects a code that is
executed by the web server (Cao et al. 2015). The inputs are validated before the
execution generally. However after the input validation attack, inputs are not validated
and information is retrievable by the hacker.
v. Buffer Overflow: Buffer overflow are the attacks where the hackers deliberately
overflow the memory available to the users input. In this scenario the application runs out
of the memory to input data fed by the user. The overflow is made by inputting the
arbitrary data. It is similar to the denial of service attack.
vi. Denial of Service: Denial of Service is an attack where the server denies the service to
the user on the request (Yu 2014). It is most effective and popular form of attacking web
servers. The hacker gets access to the network and immediately exploit the web servers.
vii. Session hijacking: Web Servers run on HTTP protocol where the application has the
states. Due to Poor mechanism of the states, the hijacking becomes easy for the hackers.
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
It is also refereed to cookie hacking where it is hijacked by the acker to interrupt the
active state of the application and current session of the users.
viii. Source code disclosure: Using this attack the hacker can disclose the source code of the
website without any parsing. After disclosing the source file, they can manipulate
contents on the web pages or retrieve critical data of the application. The source code of
the website contains all the website information and functionality of the system.
Security best practices
The web covers all of the word which makes the website more prone to the cyber-attacks.
To prevent the attacks to the web servers following security practices can be done:
Backups: Databases store important and crucial data of the companies, user and their
products. Backups should be made for the entire database on a regular intervals. In case
of any attacks, backups can be used to keep the system running. On other hand, if any
malware gets into the database, flushing entire database can remove malwares. Then the
backup can be restored to the main database.
Network Monitoring: Network Monitoring and checking of the devices and internet
should be done on a regular basis by the employees of the organizations to prevent any
attack before it becomes critical (Faymonville et al. 2016). The further spread of the
attack can be prevented if detected early.
Malware Scanning: Malware scanning should be regular task for the employees or it
should be set default in the system. Scanning software automatically detects and removes
the malware or unwanted files on the servers.
active state of the application and current session of the users.
viii. Source code disclosure: Using this attack the hacker can disclose the source code of the
website without any parsing. After disclosing the source file, they can manipulate
contents on the web pages or retrieve critical data of the application. The source code of
the website contains all the website information and functionality of the system.
Security best practices
The web covers all of the word which makes the website more prone to the cyber-attacks.
To prevent the attacks to the web servers following security practices can be done:
Backups: Databases store important and crucial data of the companies, user and their
products. Backups should be made for the entire database on a regular intervals. In case
of any attacks, backups can be used to keep the system running. On other hand, if any
malware gets into the database, flushing entire database can remove malwares. Then the
backup can be restored to the main database.
Network Monitoring: Network Monitoring and checking of the devices and internet
should be done on a regular basis by the employees of the organizations to prevent any
attack before it becomes critical (Faymonville et al. 2016). The further spread of the
attack can be prevented if detected early.
Malware Scanning: Malware scanning should be regular task for the employees or it
should be set default in the system. Scanning software automatically detects and removes
the malware or unwanted files on the servers.
Firewall: SSL (Secure Socket Layers) and firewalls an important content of the network
system for any hosting type. A firewall prevent entering unwanted and hazardous files or
packets inside the network. It is effective keeping almost all the basic cyber-attacks
(Prandl, Lazarescu and Pham 2015). On other hand, SSL keeps the sensitive data secure
by encryption during the transmission of the data.
Access restriction: The Access to the web server or databases should be restricted to the
limited individuals. Except admin, no other technician should be allowed to get access or
should have a security clearance. IPs can be detected if any activity happens from inside
the network.
Secure shell: For command line of webservers, Secure Socket shell helps in providing
secure pathway to access server. This protocol is based on cryptographic techniques to
keep the information stream live (Bergsma et al. 2014). Phishing and Packet sniffing
attacks can be prevented using secure shells for the transmission.
SQLi and DOS prevention: SQL injection and Denial of Service attacks are most
effective and harmful attacks on web servers. People should be prepare and aware for any
of these situations. Using a robust firewall can help in preventing the attacks and provide
much stronger security configurations for the web sites.
Recommendation
a. Use only HTTPS: HTTPS provides a secure to protect only few resources from it serves.
The sensitive information are protected from handling submissions. Only HTTP servers
may or may not be harmful for browsing. However the HTTPS stands for secured HTTP.
In case of attack, it will not affect much as the HTTPS server have protected some of the
information and resources. Switching all the servers to HTTPS will help globally all the
system for any hosting type. A firewall prevent entering unwanted and hazardous files or
packets inside the network. It is effective keeping almost all the basic cyber-attacks
(Prandl, Lazarescu and Pham 2015). On other hand, SSL keeps the sensitive data secure
by encryption during the transmission of the data.
Access restriction: The Access to the web server or databases should be restricted to the
limited individuals. Except admin, no other technician should be allowed to get access or
should have a security clearance. IPs can be detected if any activity happens from inside
the network.
Secure shell: For command line of webservers, Secure Socket shell helps in providing
secure pathway to access server. This protocol is based on cryptographic techniques to
keep the information stream live (Bergsma et al. 2014). Phishing and Packet sniffing
attacks can be prevented using secure shells for the transmission.
SQLi and DOS prevention: SQL injection and Denial of Service attacks are most
effective and harmful attacks on web servers. People should be prepare and aware for any
of these situations. Using a robust firewall can help in preventing the attacks and provide
much stronger security configurations for the web sites.
Recommendation
a. Use only HTTPS: HTTPS provides a secure to protect only few resources from it serves.
The sensitive information are protected from handling submissions. Only HTTP servers
may or may not be harmful for browsing. However the HTTPS stands for secured HTTP.
In case of attack, it will not affect much as the HTTPS server have protected some of the
information and resources. Switching all the servers to HTTPS will help globally all the
organizations for better security purpose. Shutting down the normal HTTP network port
is an option (Felt et al. 2017). However it can be redirect requests from HTTP to use
HTTPS which is not ideal but best available solution.
b. Cloud Services: Cloud Computing provides higher security than a normal database. It is
widely used and highly scalable to use. AWS (Amazon Web services) is one of the
widely used web hosting cloud platforms (Rittinghouse and Ransome 2016). It uses the
computational resources from different places to combine and make the system efficient.
It provides Load balancing, firewalls, DNS services, DDoS protector and backups along
with static storage.
c. Isolated Web Applications: Isolation can be achieved by using combinations of web and
Internet Information server by Microsoft. Isolation of the application will allow more
security such as application pools will be assigned to a solo websites and single users.
Also, the Anonymous user identities should not be allowed to use application pool.
is an option (Felt et al. 2017). However it can be redirect requests from HTTP to use
HTTPS which is not ideal but best available solution.
b. Cloud Services: Cloud Computing provides higher security than a normal database. It is
widely used and highly scalable to use. AWS (Amazon Web services) is one of the
widely used web hosting cloud platforms (Rittinghouse and Ransome 2016). It uses the
computational resources from different places to combine and make the system efficient.
It provides Load balancing, firewalls, DNS services, DDoS protector and backups along
with static storage.
c. Isolated Web Applications: Isolation can be achieved by using combinations of web and
Internet Information server by Microsoft. Isolation of the application will allow more
security such as application pools will be assigned to a solo websites and single users.
Also, the Anonymous user identities should not be allowed to use application pool.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
References
Almi, S.B., 2014. Web Server Security and Survey on Web Application Security. International
Journal on Recent and Innovation Trends in Computing and Communication (IJRITCC), 2(1),
pp.114-119.
Yu, S., 2014. Distributed denial of service attack and defense (pp. 15-29). Springer New York.
Arzhakov, A.V. and Silnov, D.S., 2016. Analysis of brute force attacks with ylmf-pc
signature. International Journal of Electrical and Computer Engineering, 6(4), p.1681.
Faymonville, P., Finkbeiner, B., Schirmer, S. and Torfah, H., 2016, September. A stream-based
specification language for network monitoring. In International Conference on Runtime
Verification (pp. 152-168). Springer, Cham.
Bergsma, F., Dowling, B., Kohlar, F., Schwenk, J. and Stebila, D., 2014, November. Multi-
ciphersuite security of the Secure Shell (SSH) protocol. In Proceedings of the 2014 ACM
SIGSAC Conference on Computer and Communications Security (pp. 369-381).
Felt, A.P., Barnes, R., King, A., Palmer, C., Bentzel, C. and Tabriz, P., 2017. Measuring
{HTTPS} Adoption on the Web. In 26th {USENIX} Security Symposium ({USENIX} Security
17) (pp. 1323-1338).
Rittinghouse, J.W. and Ransome, J.F., 2016. Cloud computing: implementation, management,
and security. CRC press.
Qian, L., Zhu, Z., Hu, J. and Liu, S., 2015, January. Research of SQL injection attack and
prevention technology. In 2015 International Conference on Estimation, Detection and
Information Fusion (ICEDIF) (pp. 303-306). IEEE.
Almi, S.B., 2014. Web Server Security and Survey on Web Application Security. International
Journal on Recent and Innovation Trends in Computing and Communication (IJRITCC), 2(1),
pp.114-119.
Yu, S., 2014. Distributed denial of service attack and defense (pp. 15-29). Springer New York.
Arzhakov, A.V. and Silnov, D.S., 2016. Analysis of brute force attacks with ylmf-pc
signature. International Journal of Electrical and Computer Engineering, 6(4), p.1681.
Faymonville, P., Finkbeiner, B., Schirmer, S. and Torfah, H., 2016, September. A stream-based
specification language for network monitoring. In International Conference on Runtime
Verification (pp. 152-168). Springer, Cham.
Bergsma, F., Dowling, B., Kohlar, F., Schwenk, J. and Stebila, D., 2014, November. Multi-
ciphersuite security of the Secure Shell (SSH) protocol. In Proceedings of the 2014 ACM
SIGSAC Conference on Computer and Communications Security (pp. 369-381).
Felt, A.P., Barnes, R., King, A., Palmer, C., Bentzel, C. and Tabriz, P., 2017. Measuring
{HTTPS} Adoption on the Web. In 26th {USENIX} Security Symposium ({USENIX} Security
17) (pp. 1323-1338).
Rittinghouse, J.W. and Ransome, J.F., 2016. Cloud computing: implementation, management,
and security. CRC press.
Qian, L., Zhu, Z., Hu, J. and Liu, S., 2015, January. Research of SQL injection attack and
prevention technology. In 2015 International Conference on Estimation, Detection and
Information Fusion (ICEDIF) (pp. 303-306). IEEE.
Cao, C., Gao, N., Liu, P. and Xiang, J., 2015, December. Towards analyzing the input validation
vulnerabilities associated with android system services. In Proceedings of the 31st Annual
Computer Security Applications Conference (pp. 361-370).
Prandl, S., Lazarescu, M. and Pham, D.S., 2015, December. A study of web application firewall
solutions. In International Conference on Information Systems Security (pp. 501-510). Springer,
Cham.
vulnerabilities associated with android system services. In Proceedings of the 31st Annual
Computer Security Applications Conference (pp. 361-370).
Prandl, S., Lazarescu, M. and Pham, D.S., 2015, December. A study of web application firewall
solutions. In International Conference on Information Systems Security (pp. 501-510). Springer,
Cham.
1 out of 9
Related Documents
![[object Object]](/_next/image/?url=%2F_next%2Fstatic%2Fmedia%2Flogo.6d15ce61.png&w=640&q=75){kind=small}
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.