QAC020N256A: Web Application Security Evaluation Report

Added on  2022/09/09

AI Summary
This report delves into the critical aspects of web application security, providing a comprehensive analysis of potential threats and vulnerabilities. It begins with an introduction to web application security, emphasizing the importance of safeguarding against attacks. The report then identifies and explains various web server-side technologies, such as Apache, IIS, and Lighttpd, highlighting their strengths and weaknesses. A significant portion of the report is dedicated to appraising web application security threats, including Stored (persistent) Cross-Site Scripting (XSS) and SQL injection, detailing their impact on business operations. The report also identifies specific web application vulnerabilities, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (XSRF), and SQL injection, and discusses the failure to sanitize CRLF sequences in HTTP headers. Furthermore, the report critically evaluates the use of web application security tools, including firewalls, filtering mechanisms, encryption, intrusion detection and prevention systems, and configuration management. The report concludes by summarizing the key findings and emphasizing the importance of adopting the discussed security measures to enhance the overall security of web applications. References to relevant sources are included to support the analysis.
University name:
Programme Title: Computing Technologies Extended Degree.
Module Title: Web Application Security
Module Code: QAC020N256A
Module Convenor: Dr. Muhammad Ali Kazmi
Coursework Title: Design and Develop Web Application Security Testing, Evaluation Report.
Student details.
Student Name: Student Number:
Due date:
1 of 4
Introduction.
Web applications are exposed to a range of attacks, so their security needs to be improved. Attackers target the server side of the system. This report identifies the different vulnerabilities that affect web application security. It compares the different web server-side technologies in detail, and discusses the different web application security threats and their impact, the identified web application vulnerabilities, and the web application security tools.
Critically evaluating and comparing the web server-side technologies.
Web servers receive requests, process them and reply to them using the HTTP protocol (Vincent Lu, 2012). These web servers act like containers or stores.
The server side is where the system is hosted: when a client makes a request, the server replies to that request. The website shall be hosted on the XAMPP server.
The most common web servers include Apache, IIS, Lighttpd and Jigsaw.
XAMPP contains the Apache and MySQL services.
XAMPP is a powerful server package used to host the website on the local host.
The Apache HTTP server is the most commonly used server, most operating systems can run it, and it is open source.
These servers are commonly affected by different vulnerabilities.
The languages or technologies affected by web server vulnerabilities are mainly those used to implement the web application, for example PHP and MySQL. XAMPP uses PHP and MySQL.
The Apache server is more commonly used than the other servers.
Internet Information Services (IIS).
It is very flexible to use and secure. It runs only on Windows.
Lighttpd.
It uses less power and is very secure. It runs on most platforms.
Critically appraising the web application security threats and evaluating their impact on the business running of the system.
Stored (persistent) cross-site scripting.
Attackers use the forms of the website to insert malicious scripts into the database of the system. These malicious scripts affect the functionality of the website. The attacker steals cookies and misuses the website functionality.
SQL injection.
The attacker inputs data from the browser into the web application in order to change the behaviour of the Structured Query Language (SQL) queries run against the database.
The attacker reads sensitive data from the database. The attacker can also insert, update and delete data.
The attacker modifies the SQL queries and the database executes them.
For example, the attacker makes the application allow login without the correct username and password. This lets unauthorised people access the system.
Threat impact on the business operation of the system.
SQL injection interferes with the genuine SQL code, making the database output wrong results.
Stored (persistent) cross-site scripting steals cookie data and thus affects the functionality of the system.
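The login example above, worked through in code: a string-concatenated query that lets a quoted input change the SQL grammar, beside the parameterised query that keeps the input as data. This is an added illustration, not code from the report; it uses Python with an in-memory SQLite table as a stand-in for the XAMPP MySQL database (both the table and the credentials are constructed for the demonstration).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed user table standing in for the application's MySQL database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The query text is built by concatenation, so the user's input becomes
    # part of the SQL statement itself: this is the defect the report describes.
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders fix the statement structure before any value is bound, so
    # quotes or keywords in the input are compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    # Runs both versions against a correct password, a wrong password and a
    # constructed input containing a quote and an OR clause (the "login
    # without the correct password" case from the report).
    conn = make_db()
    quoted_input = "' OR '1'='1"
    return {
        "vuln_correct": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vuln_quoted_input": login_vulnerable(conn, "alice", quoted_input),
        "safe_correct": login_parameterised(conn, "alice", "correct-horse"),
        "safe_wrong_password": login_parameterised(conn, "alice", "wrong"),
        "safe_quoted_input": login_parameterised(conn, "alice", quoted_input),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

The concatenated version accepts the quoted input because the database evaluates it as part of the WHERE clause, which is exactly the wrong result the report attributes to SQL injection; the parameterised version rejects it because the whole string is compared against the stored password.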
The identified web application vulnerabilities.
The following entries were identified as web server vulnerabilities:
Cross-site Scripting (XSS).
This is a type of vulnerability in which malicious code is entered into the forms of the website and interferes with the functionality of the website database. The code is inserted on the client side and ends up affecting the database (Schneier, 2016).
Cross-Site Request Forgery (XSRF).
This vulnerability forces a client to run unwanted commands on a system they are authenticated on.
These are vulnerabilities where clients run actions that are unwanted and harmful on the website (Schneier, 2016).
SQL injection.
These are vulnerabilities where SQL code is inserted into the database queries and interferes with the genuine SQL commands (Schneier, 2016).
Failure to Sanitize CRLF Sequences in HTTP Headers (HTTP Response Splitting).
This occurs when data enters a web application through an untrusted source, most frequently an HTTP request, and the data is included in an HTTP response header sent to a web user without being validated for malicious characters. [4]
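The three remaining vulnerabilities in this list share one defence: untrusted input is validated or encoded at the point where it meets the interpreter. The following added example (not code from the report, and not from any of the cited books) shows, in Python, output encoding for stored XSS, rejection of CR/LF in a response header to prevent HTTP response splitting, and a constant-time CSRF token check; the function names and the comment/redirect scenario are assumptions made for the demonstration.

```python
import hmac
import html
import secrets
from typing import List, Optional, Tuple


def render_comment(stored_text: str) -> str:
    # Stored XSS defence: whatever was saved from the form is HTML-escaped at
    # render time, so a script tag is displayed as text instead of executed.
    return '<p class="comment">' + html.escape(stored_text, quote=True) + "</p>"


class HeaderInjection(ValueError):
    """Raised when a header value carries CR, LF or another control character."""


def safe_header_value(value: str) -> str:
    # Response splitting needs a CR/LF to reach the header section. Control
    # characters are rejected outright rather than stripped, so a malformed
    # value never silently turns into a different but accepted one.
    for ch in value:
        if ch in "\r\n" or (ord(ch) < 0x20 and ch != "\t") or ord(ch) == 0x7F:
            raise HeaderInjection("control character in header value")
    return value


def header_value_accepted(value: str) -> bool:
    try:
        safe_header_value(value)
        return True
    except HeaderInjection:
        return False


def build_redirect_headers(target: str) -> List[Tuple[str, str]]:
    # A redirect target taken from the request is validated before it is
    # placed in the Location header.
    return [("Location", safe_header_value(target))]


def new_csrf_token() -> str:
    # Unpredictable per-session token, kept server-side and echoed as a hidden
    # field in every state-changing form.
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: Optional[str], form_token: Optional[str]) -> bool:
    # Missing tokens fail closed; the comparison is constant-time so response
    # timing does not leak how many leading characters matched.
    if not session_token or not form_token:
        return False
    return hmac.compare_digest(session_token.encode(), form_token.encode())


def csrf_demo() -> Tuple[bool, bool, bool]:
    # (matching token, missing form token, tampered token)
    token = new_csrf_token()
    return (
        csrf_token_valid(token, token),
        csrf_token_valid(token, None),
        csrf_token_valid(token, token + "x"),
    )


if __name__ == "__main__":
    print(render_comment("<script>alert(document.cookie)</script>"))
    print(header_value_accepted("/home"), header_value_accepted("/home\r\nSet-Cookie: a=1"))
    print(csrf_demo())
```

Note that the header check is applied to the decoded value the application is about to emit: a literal `%0d%0a` left percent-encoded in a Location header is harmless, whereas the same bytes after URL decoding would be rejected.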
Critical discussion of the web application security tools used during the security testing.
Firewalls.
Firewalls are used to safeguard the network from attacks. A firewall is a tool that provides defensive measures on the network (Stuttard and Pinto, 2007). A defensive wall is created on the network to safeguard it from external attacks.
Filtering.
Filtering refers to analysing the network traffic and removing unwanted packets that are harmful (Khawaja, 2018).
Packet Filtering (IP level).
It prevents IP spoofing and denial of service, and acts as a censorship mechanism.
Encryption.
Encryption refers to hiding information so that unwanted people cannot access it. The message is encrypted when sent to a person and decrypted on receipt. The plain text is converted into cipher text on sending, and when the receiver gets it he/she converts it back into plain text. It makes information invisible to people who are not intended to view it and visible to the people who are to use it. The information in the web application is encrypted to protect it from attacks.
Intrusion Detection.
An intrusion detection system analyses the traffic on the network and detects attacks before they affect the system (Splaine, 2002). The attacks are identified while the intrusion detection system is running.
Intrusion Prevention System.
An intrusion prevention system analyses the network and, if it identifies unknown packets, blocks them.
Configuration management.
The web application is configured to ensure all features are functioning well and able to withstand attacks on the system's features.
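As an added illustration of the detection and prevention steps just described (not code from the report or from any product it names), the following Python script runs signature checks for the three request-level vulnerabilities covered earlier (SQL injection, XSS and CRLF injection) over a handful of Apache-style access log lines, then derives a block list from the alert counts. The log lines, signatures, threshold and function names are all constructed for the demonstration; the client addresses come from documentation ranges.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Sep/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Sep/2022:10:00:02 +0000] "GET /login.php?user=admin'%20OR%20'1'%3D'1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Sep/2022:10:00:03 +0000] "GET /comment.php?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "curl/7.68.0"
203.0.113.5 - - [09/Sep/2022:10:00:04 +0000] "GET /redirect.php?to=/home%0d%0aSet-Cookie:%20a=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Sep/2022:10:00:05 +0000] "GET /about.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are applied to the URL-decoded path, so percent-encoding alone
# does not hide the pattern.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+'?\w|\bunion\s+select\b", re.I),
    "xss": re.compile(r"<\s*script|javascript:", re.I),
    "crlf": re.compile(r"[\r\n]"),
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str) -> List[str]:
    # Names of every signature that matches the decoded request path.
    decoded = unquote(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def detect(log_text: str) -> List[Dict[str, object]]:
    # Detection step: one alert per request that matches at least one signature.
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["path"])
        if tags:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "tags": tags})
    return alerts


def block_list(alerts: List[Dict[str, object]], threshold: int = 2) -> set:
    # Prevention step: a source that raised `threshold` or more alerts is handed
    # to the firewall / packet filter as an address to block.
    counts = Counter(str(a["ip"]) for a in alerts)
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["ip"], a["tags"], a["path"])
    print("block:", sorted(block_list(found)))
```

Signature matching of this kind is cheap but only catches known patterns; in practice it is combined with the parameterised queries, output encoding and header validation shown earlier, which stop the attack even when the detector misses it.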
Conclusion.
The report has compared the different web server-side technologies in detail, and discussed the different web application security threats and their impact, the identified web application vulnerabilities and the web application security tools. The web application security tools are well demonstrated in the report. Adopting the recommendations of this report can be useful in improving the security of web applications.
References.
Vincent Lu, 16 Jan 2012. Web Application Security, A Beginner's Guide. Available at https://www.amazon.co.uk/Web-Application-Security-Beginners-Guide/dp/0071776168
Schneier, B. 2016. Security Engineering. (5th Ed) Pearson.
Steven Splaine, 2002. Testing Web Security: Assessing the Security of Web Sites and Applications. Available at https://books.google.co.uk/books/about/Testing_Web_Security.html?id=2eQ2yxTA3tUC&printsec=frontcover&source=kp_read_button&redir_esc=y#v=onepage&q&f=false
Dafydd Stuttard, Marcus Pinto, 2007. The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. Available at https://books.google.co.uk/books/about/The_Web_Application_Hacker_s_Handbook.html?id=_EhvBGsWi6AC&printsec=frontcover&source=kp_read_button&redir_esc=y#v=onepage&q&f=false
Gus Khawaja, 2018. Practical Web Penetration Testing: Secure Web Applications Using Burp Suite, Nmap, Metasploit, and More. Available at https://books.google.co.uk/books/about/Practical_Web_Penetration_Testing.html?id=AvBhDwAAQBAJ&printsec=frontcover&source=kp_read_button&redir_esc=y#v=onepage&q&f=false