### Web Application Security

#### [Definition @ wikipedia](https://en.wikipedia.org/wiki/Web_application_security)
Web application security is a branch of Information Security that deals specifically with security of websites, web applications and web services. At a high level, Web application security draws on the **principles of application security** but applies them specifically to **Internet** and **Web** systems.

#### Security threats

With the emergence of Web 2.0, increased information sharing through social networking and increasing business adoption of the Web as a means of doing business and delivering service, websites are often attacked directly. Attackers seek either to compromise the corporate network behind the site or to compromise the end users who visit it, for example by serving them drive-by downloads.

As a result, industry is paying increased attention to the security of the web applications themselves in addition to the security of the underlying computer network and operating systems.

The majority of web application attacks occur through cross-site scripting (**XSS**) and **SQL injection**. Both typically result from flawed coding: untrusted input reaches an interpreter (the SQL engine, the browser's HTML parser) without validation on the way in and without parameterisation or context-appropriate output encoding on the way out. Both are ranked in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors.
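The two bugs named above, each beside its fix, as an added Python example that is not code from this page or from any project it links. It uses an in-memory SQLite database and the standard `html` module so it runs offline; the table, rows, and attacker payloads are constructed for illustration.

```python
"""Vulnerable and hardened handling of untrusted input, side by side."""
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "secret-a"), ("bob", "secret-b"), ("o'brien", "secret-o")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The bug: SQL text is assembled by concatenation, so the caller's input is
    parsed as SQL. A name of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The fix: a parameterised query. The driver passes `name` as a value, separate
    from the SQL text, so quotes inside it are data, never syntax."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """The bug: untrusted input is written straight into HTML (reflected XSS)."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_hardened(name: str) -> str:
    """The fix: encode for the HTML text context before the value reaches the page.
    Other contexts (attribute, URL, JavaScript) need their own encoders."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed attacker inputs.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def vulnerable_breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    """Concatenation also fails on legitimate input: a name with an apostrophe
    produces malformed SQL. Parameterisation handles it correctly."""
    try:
        find_user_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    """Run every variant once and return the observable results."""
    conn = make_db()
    return {
        "sqli_vulnerable_rows": len(find_user_vulnerable(conn, SQLI_PAYLOAD)),  # every user leaks
        "sqli_hardened_rows": len(find_user_hardened(conn, SQLI_PAYLOAD)),      # no such user
        "hardened_finds_obrien": len(find_user_hardened(conn, "o'brien")),
        "vulnerable_breaks_on_apostrophe": vulnerable_breaks_on_apostrophe(conn),
        "xss_vulnerable": render_greeting_vulnerable(XSS_PAYLOAD),
        "xss_hardened": render_greeting_hardened(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the tautology payload returning every row from the concatenated query and nothing from the parameterised one, and the `<script>` tag reaching the page verbatim from the vulnerable renderer but encoded by the hardened one. The apostrophe case is worth keeping in mind: parameterisation is a correctness fix as much as a security one.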

**Phishing** is another common threat to the Web application and global losses from this type of attack in 2012 were estimated at $1.5 billion.

According to the security vendor Cenzic, the top vulnerabilities in March 2012 were:

- 37%	Cross-site scripting
- 16%	SQL injection
- 5%	Path disclosure
- 5%	Denial-of-service attack
- 4%	Arbitrary code execution
- 4%	Memory corruption
- 4%	Cross-site request forgery
- 3%	Data breach (information disclosure)
- 3%	Arbitrary file inclusion
- 2%	Local file inclusion
- 1%	Remote file inclusion
- 1%	Buffer overflow
- 15%	Other, including code injection (PHP/JavaScript), etc.

#### Best Practices Recommendation

Security **checkpoints** and **techniques** should be applied from the earliest stages of development and throughout the software development lifecycle, with particular emphasis on the **coding phase**. Practices that should be used include threat modeling, risk analysis, static analysis and digital signatures (for the integrity of code and releases), among others.

#### Security standards

**OWASP** is the emerging standards body for Web application security. In particular they have published the **OWASP Top 10**, which describes in detail the most critical risks to web applications. The Web Application Security Consortium (**WASC**) has created the **Web Hacking Incident Database** and also produced open source best practice documents on Web application security.

#### Security technology

While security is fundamentally based on people and processes, there are a number of technical solutions to consider when designing, building and testing secure web applications. At a high level, these solutions include:

- **Black box** testing tools such as Web application security scanners, vulnerability scanners and penetration testing software
- **White box** testing tools such as static source code analyzers
- **Fuzzing Tools** used for input testing
- **Web application security scanner** (vulnerability scanner)
- **Web application firewalls** (**WAF**) used to provide firewall-type protection at the web application layer
- **Password cracking tools** for testing password strength and implementation

### Open Web Application Security Project  ([OWASP](https://en.wikipedia.org/wiki/OWASP))

- #### [OWASP Top 10](https://www.owasp.org/index.php/OWASP_Top_Ten_Project)

### Tools
#### Web application security scanner

[At wikipedia](https://en.wikipedia.org/wiki/Web_application_security_scanner)

Web application scanners can look for a wide variety of vulnerabilities, including:
- Input/Output validation: (Cross-site scripting, SQL Injection, etc.)
- Specific application problems
- Server configuration mistakes/errors/version

Web application security scanners typically rely on fully automated scanning; however, a 'hybrid' approach, pioneered by High-Tech Bridge, is emerging which aims to reduce false-positive reporting by having humans review and confirm the automated findings.

- [Arachni](http://www.arachni-scanner.com/) - Open Source
- [Gryffin](https://github.com/yahoo/gryffin) from Yahoo - Open Source
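Two of the checks listed above, reduced to an added offline example in Python that is not code from Arachni, Gryffin or any other scanner: a server configuration check over response headers (version disclosure, missing hardening headers, cookie flags) and a reflection check for an XSS probe. The two HTTP responses are constructed by hand, and the header list and probe string are this example's own choices.

```python
"""Scanner-style checks run offline against constructed HTTP responses."""
import html
import re
from typing import Dict, List, Tuple

# Probe string a scanner would put in a query parameter. It carries the HTML
# metacharacters that matter and an unusual token ("zq") so it is easy to find.
XSS_PROBE = "zq<'\"x>zq"

# Headers whose absence this example reports (a hygiene check, not a vulnerability).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing (no protection against downgrade to HTTP)",
    "content-security-policy": "CSP missing (no defence in depth against injected script)",
    "x-content-type-options": "X-Content-Type-Options missing (MIME sniffing allowed)",
}

# "Apache/2.4.41", "PHP/7.4.3": a product name followed by a dotted version.
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.x response into (status, headers, body).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept as lists."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def check_config(headers: Dict[str, List[str]]) -> List[str]:
    """Server configuration checks: version disclosure, missing hardening headers,
    cookies set without HttpOnly/Secure."""
    findings: List[str] = []
    for name in ("server", "x-powered-by"):
        for value in headers.get(name, []):
            if VERSION_RE.search(value):
                findings.append(f"version disclosure in {name}: {value}")
    for name, message in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append(message)
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in flags:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings


def check_reflection(body: str, probe: str = XSS_PROBE) -> List[str]:
    """If the probe comes back with its metacharacters intact, the parameter is
    reflected without output encoding. That is a strong signal, not proof: the
    surrounding context decides whether script can actually execute."""
    if probe in body:
        return ["probe reflected unencoded: candidate reflected XSS"]
    return []


def scan(raw_response: str) -> List[str]:
    """Run both checks over one captured response and return the findings."""
    _status, headers, body = parse_response(raw_response)
    return check_config(headers) + check_reflection(body)


# Constructed responses: what a weak and a hardened server might answer to
# GET /search?q=<probe>. Neither was captured from a real host.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=abc123; Path=/\r\n"
    "\r\n"
    "<p>Results for " + XSS_PROBE + "</p>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<p>Results for " + html.escape(XSS_PROBE) + "</p>"
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {scan(response) or ['no findings']}")
```

The weak response yields eight findings and the hardened one none. The reflection check is exactly where automated scanners produce false positives: an unencoded echo inside an HTML comment or a `<textarea>` is not exploitable as-is, which is the kind of judgement the hybrid, human-reviewed approach mentioned above adds on top of the automation.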

#### Vulnerability Scanners
- [At wikipedia](https://en.wikipedia.org/wiki/Vulnerability_scanner)
- [Vulnerability Scanning Tools](https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools)
- Types:
    - Port scanner (e.g. Nmap)
    - Network vulnerability scanner (e.g. Nessus, SAINT, OpenVAS)
    - Web application security scanner (e.g. Nikto, w3af)
    - Database security scanner
    - Host based vulnerability scanner (e.g. Lynis)
    - ERP security scanner
    - Single vulnerability tests
    
#### Penetration test
- [At wikipedia](https://en.wikipedia.org/wiki/Penetration_test#Web_application_penetration_testing)

#### Static program analysis
- [At wikipedia](https://en.wikipedia.org/wiki/Static_program_analysis)
- [List of tools for static code analysis](https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis)

#### Fuzz testing
- [At wikipedia](https://en.wikipedia.org/wiki/Fuzz_testing)

#### Application firewall
- [At wikipedia](https://en.wikipedia.org/wiki/Application_firewall)

#### Password cracking
- [At wikipedia](https://en.wikipedia.org/wiki/Password_cracking)

### Articles
- [An Automated Scanner That Finds All OWASP Top 10 Security Flaws, Really?](https://www.netsparker.com/blog/web-security/owasp-top-10-web-security-scanner/)
- [Price and Feature Comparison of Web Application Scanners](http://www.sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html)
- [The Best Form of Web Application Security Scans](http://www.securitypronews.com/best-form-web-application-security-scans-2015-02)
