# Cybersecurity

### CMP-5006

### Alejandro Proano, PhD

# Web Security

## Introduction to Web Security

- Web security refers to the protection of websites and web applications from various threats and vulnerabilities.
- It involves implementing measures to prevent unauthorized access, data breaches, and other malicious activities.
- Web security is crucial to ensure the confidentiality, integrity, and availability of web resources.

## Motivation to Study Web Security

- With the increasing reliance on the internet, web security has become a critical concern for individuals and organizations.
- Cyberattacks, data breaches, and identity thefts are on the rise, making it essential to understand and mitigate web security risks.
- By studying web security, you can protect your personal information, secure your online transactions, and contribute to a safer digital environment.

## Common Web Application Security Risks

- Web application security risks refer to vulnerabilities and weaknesses that can be exploited by attackers to compromise the security of web applications.
- **Zero-day vulnerabilities:** These are vulnerabilities unknown to an application's makers, so no fix is yet available. We now see more than 20,000 every year. Attackers look to exploit these vulnerabilities quickly, and often follow up by seeking to evade the protections put in place by security vendors.
- **Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks:** Through a variety of vectors, attackers are able to overload a targeted server or its surrounding infrastructure with different types of attack traffic. When a server is no longer able to process incoming requests effectively, it begins to behave sluggishly and eventually denies service to requests from legitimate users.
- **Page scraping:** Attackers may also use bots to steal content from webpages on a large scale. They may use this content to gain a pricing advantage over a competitor, to imitate the page owner for malicious purposes, or for other reasons.
- **API abuse:** APIs, or Application Programming Interfaces, are software that allow two applications to communicate with each other. Like any type of software, they may have vulnerabilities that allow attackers to send malicious code into one of the applications or intercept sensitive data as it moves from one application to another. This is an increasingly common attack type as API use grows. The OWASP API Security Top 10 list succinctly summarizes the key API security risks organizations face today.

## What is OWASP?

- OWASP (Open Web Application Security Project) is a non-profit organization dedicated to improving web application security.
- It provides resources, tools, and guidelines to help developers, security professionals, and organizations enhance their web security practices.
- OWASP promotes the importance of secure coding, vulnerability testing, and continuous security improvement.
- https://owasp.org/

## The OWASP Top 10

- The OWASP Top 10 is a list of the most critical web application security risks.
- It serves as a guide for developers and security professionals to prioritize their efforts in securing web applications.
- The 2017 version of the OWASP Top 10 includes:
  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfigurations
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring

## Important Web Application Security Strategies

- Implementing robust web application security strategies is crucial to protect against various threats.
- Some important strategies include:
  - Secure coding practices: Following secure coding guidelines and best practices to minimize vulnerabilities.
  - Regular vulnerability assessments and penetration testing: Identifying and fixing security weaknesses through testing and analysis.
  - Web application firewalls (WAF): Deploying WAFs to filter and block malicious traffic.
  - Secure authentication and authorization mechanisms: Implementing strong authentication and authorization controls to prevent unauthorized access.
  - Regular security updates and patches: Keeping web applications and underlying software up to date to address known vulnerabilities.
  - Security monitoring and incident response: Monitoring web applications for suspicious activities and having a plan to respond to security incidents.
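As an added example (not from the slides), the monitoring strategy above applied to the DoS and page-scraping risks described earlier: a small Python script that parses combined-format access logs and flags clients that flood one endpoint or walk many distinct pages within a minute. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyze(lines, window_s=60, flood_threshold=100, distinct_threshold=50):
    """Map each client IP to 'flood' (>= flood_threshold requests) and/or 'scraping'
    (>= distinct_threshold distinct paths) seen inside any window_s-second window.
    The thresholds are assumed starting points; tune them to the site's real traffic."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:  # unparsable lines are skipped, not treated as evidence
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        labels = set()
        for i, first in enumerate(recs):
            # every request from this one up to window_s seconds later
            window = [r for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(window) >= flood_threshold:
                labels.add("flood")
            if len({r["path"] for r in window}) >= distinct_threshold:
                labels.add("scraping")
        if labels:
            findings[ip] = sorted(labels)
    return findings

def make_line(ip, sec, path, ua="Mozilla/5.0"):
    return f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample: one flooding client, one scraper walking a catalogue, one normal user.
SAMPLE_LOG = (
    [make_line("198.51.100.7", s % 60, "/login") for s in range(150)]
    + [make_line("203.0.113.9", s, f"/products/{s}", "python-requests/2.31") for s in range(60)]
    + [make_line("192.0.2.3", s * 10, "/index.html") for s in range(6)]
)
```

Running `analyze(SAMPLE_LOG)` labels the first client as a flood and the second as scraping while the normal user is not flagged; in production the output would feed an alert or a WAF rate-limit rule rather than stand alone.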

## Damn Vulnerable Web Application (DVWA)

- Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid both students and teachers to learn about web application security in a controlled classroom environment.

- https://github.com/digininja/DVWA

- https://hub.docker.com/r/vulnerables/web-dvwa