Web Application Security

Web application security is a branch of Information Security that deals specifically with security of websites, web applications and web services. At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems.[1]

Security threats

With the emergence of Web 2.0, increased information sharing through social networking and increasing business adoption of the Web as a means of doing business and delivering service, websites are often attacked directly. Hackers either seek to compromise the corporate network or the end-users accessing the website by subjecting them to drive-by downloading.[2][3]

As a result, industry[4] is paying increased attention to the security of the web applications[5] themselves in addition to the security of the underlying computer network and operating systems.

The majority of web application attacks occur through cross-site scripting (XSS) and SQL injection attacks[6] which typically result from flawed coding, and failure to sanitize input to and output from the web application. These are ranked in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors.[7]

Phishing is another common threat to the Web application and global losses from this type of attack in 2012 were estimated at $1.5 billion.[8]

According to the security vendor Cenzic, the top vulnerabilities in March 2012 include:[9]

37% Cross-site scripting
16% SQL injection
5% Path disclosure
5% Denial-of-service attack
4% Arbitrary code execution
4% Memory corruption
4% Cross-site request forgery
3% Data breach (information disclosure)
3% Arbitrary file inclusion
2% Local file inclusion
1% Remote file inclusion
1% Buffer overflow
15% Other, including code injection (PHP/JavaScript), etc.
The Open Web Application Security Project (OWASP) provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2017 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations. From this data, approximately 2.3 million vulnerabilities were discovered across over 50,000 applications.[10] According to the OWASP Top 10 - 2017, the ten most critical web application security risks include:[11]
  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Insecure Direct Object References
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring

Best practices recommendation

Secure web application development should be enhanced by applying security checkpoints and techniques at early stages of development as well as throughout the software development lifecycle. Special emphasis should be applied to the coding phase of development. Security mechanisms that should be used include, threat modeling, risk analysis, static analysis, digital signature, among others.[12]

Security standards

OWASP is the emerging standards body for web application security. In particular they have published the OWASP Top 10 which describes in detail the major threats against web applications. The Web Application Security Consortium (WASC) has created the Web Hacking Incident Database (WHID) and also produced open source best practice documents on web application security. The WHID became an OWASP project in February 2014.[13]

Security technology

While security is fundamentally based on people and processes, there are a number of technical solutions to consider when designing, building and testing secure web applications. At a high level, these solutions include:

See also


  1. ^ "Web Application Security Overview". 2015-10-23. 
  2. ^ "The Ghost in the Browser" (PDF). Niels Provos et al. May 2007. 
  3. ^ "All Your iFrames Point to Us" (PDF). Niels Provos et al. February 2008. 
  4. ^ "Improving Web Application Security: Threats and Countermeasures". Microsoft Corporation. June 2003. 
  5. ^ "Microsoft fortifies IE8 against new XSS exploits". Dan Goodin, The Register. February 2009. 
  6. ^ "Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks". Fonseca, J.; Vieira, M.; Madeira, H., Dependable Computing, IEEE. Dec 2007. 
  7. ^ "CWE/SANS Top 25 Most Dangerous Programming Errors". CWE/SANS. May 2009. 
  8. ^ "2012 Global Losses From Phishing Estimated At $1.5 Bn". FirstPost. February 20, 2013. Retrieved 2014. 
  9. ^ "2012 Trends Report: Application Security Risks". Cenzic, Inc. 11 March 2012. Retrieved 2012. 
  10. ^ Korolov, Maria (Apr 27, 2017). "Latest OWASP Top 10 looks at APIs, web apps: The new OWASP Top 10 list is out, and while most of it remains the same, there are new additions focusing on web applications and APIs". CSO - via ProQuest. 
  11. ^ "OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks" (PDF). Open Web Application Security Project. 2017. Retrieved 2018. 
  12. ^ Shuaibu, Bala Musa; Norwawi, Norita Md; Selamat, Mohd Hasan; Al-Alwani, Abdulkareem (2013-01-17). "Systematic review of web application security development model". Artificial Intelligence Review. 43 (2): 259-276. doi:10.1007/s10462-012-9375-6. ISSN 0269-2821. 
  13. ^ "WHID Project is now a Joint WASC/OWASP Project". WASC. 18 February 2014. 
  14. ^ "Web Application Vulnerability Scanners". NIST. 
  15. ^ "Source Code Security Analyzers". NIST. 
  16. ^ "Fuzzing". OWASP. 
  17. ^ "Web application firewalls for security and regulatory compliance". Secure Computing Magazine. February 2008. 

  This article uses material from the Wikipedia page available here. It is released under the Creative Commons Attribution-Share-Alike License 3.0.



Connect with defaultLogic
What We've Done
Led Digital Marketing Efforts of Top 500 e-Retailers.
Worked with Top Brands at Leading Agencies.
Successfully Managed Over $50 million in Digital Ad Spend.
Developed Strategies and Processes that Enabled Brands to Grow During an Economic Downturn.
Taught Advanced Internet Marketing Strategies at the graduate level.

Manage research, learning and skills at defaultLogic. Create an account using LinkedIn or facebook to manage and organize your Digital Marketing and Technology knowledge. defaultLogic works like a shopping cart for information -- helping you to save, discuss and share.

Visit defaultLogic's partner sites below:
PopFlock.com : Music Genres | Musicians | Musical Instruments | Music Industry
NCR Works : Retail Banking | Restaurant Industry | Retail Industry | Hospitality Industry

  Contact Us