mod-6

Web security is essential for protecting businesses from various online threats, including ransomware, malware, and SQL injection attacks. It helps safeguard sensitive data, maintain customer trust, and improve user experience. Common vulnerabilities include SQL injection, cross-site scripting, and cross-site request forgery, with web application firewalls serving as a critical defense mechanism.

Uploaded by Loyal Gamer
Introduction

Web Security

Common Vulnerabilities

Web Application firewall

Final tips & takeaways


What is Web Security?

• Web Security is an online security solution that will restrict access to harmful websites, stop web-based risks, and manage staff internet usage.

• Web Security is very important nowadays. Websites are always prone to security threats/risks.
What Are the Benefits of Web Security?

• For a modern enterprise, effective web security has broad technical and human benefits

• Protect your business and stay compliant by preventing loss of sensitive data

• Protect customers and employees by securing their private information

• Avoid costly service interruptions by preventing infections and exploits

• Offer a better user experience by helping your users stay safe and productive

• Maintain customer loyalty and trust by staying secure and out of the news
What Does Web Security Protect Against?

• Ransomware
• General malware
• Phishing
• SQL injection
• Denial of service (DoS)
• Cross-site scripting (XSS)
COMMON VULNERABILITIES

1. SQL Injection
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
4. Web Application Firewalls (WAF)
1. SQL Injection:

SQL Injection attacks (or SQLi) alter SQL queries, injecting malicious code by exploiting application vulnerabilities.

Successful SQLi attacks allow attackers to modify database information, access sensitive data, execute admin tasks on the database, and recover files from the system.

SQL: Structured Query Language

• It is the standard language for relational database management systems and is used to perform tasks such as updating data in a database or retrieving data from a database.

• SQL queries are the commands used to communicate with a database.

• They enable tasks like searching, updating, or retrieving data stored in a database. For instance, an eCommerce web application.
Types of SQL Injection:
Impact of a Successful SQL Injection Attack:

• Stolen credentials
• Unauthorized access to databases
• Data alteration
• Data deletion
2. Cross-site scripting (XSS)

• Cross Site Scripting (XSS) is a vulnerability in a web application that allows a third party to execute a script in the user's browser on behalf of the web application.

• Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website.

• Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
Types of Cross-site scripting (XSS)

A. Reflected XSS (cross-site scripting)
B. Stored XSS (cross-site scripting)
C. DOM Based XSS

A. Reflected XSS: Reflected XSS, also known as non-persistent XSS, is the most common and simplest form of XSS attack.

Reflected XSS is a non-persistent form of attack, which means the attacker is responsible for sending the payload to victims; it is commonly spread via social media or email.

B. Stored XSS (cross-site scripting): Stored XSS, or persistent XSS, is commonly the most damaging XSS attack method. The attacker uses this approach to inject their payload into the target application, where it is saved and later served to other users.
C. DOM based XSS:

• There is another type of XSS called DOM based XSS, and its instances are either reflected or stored.

• DOM-based XSS is a more advanced form of XSS attack that is only possible if the web application writes data that the user provides to the DOM.

• This data is then read by the application and sent to the user’s browser.

• The attacker can inject their payload if the data is not handled correctly.

• The payload is stored within the DOM and only executes when data is read from the DOM.
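An added example (not from the slides) covering the reflected and stored cases above: a page that writes a URL parameter and stored comments straight into HTML, beside the same page with output encoding applied at the point the untrusted text enters the document. The comment store and the search URL are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed comment store: the "stored" input. Comments are kept as submitted
# and must be encoded when rendered, not trusted because they came from the DB.
COMMENTS = []

def add_comment(text):
    COMMENTS.append(text)

def _query_param(url):
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

def render_page_vulnerable(url):
    """Reflects ?q= and every stored comment directly into HTML, so markup in
    either one is interpreted by the browser (reflected and stored XSS)."""
    body = f"<p>Results for: {_query_param(url)}</p>"
    body += "".join(f"<li>{c}</li>" for c in COMMENTS)
    return body

def render_page_safe(url):
    """Same page with HTML output encoding. quote=True also encodes quotes, so the
    helper is safe for attribute values as well as element text."""
    def esc(s):
        return html.escape(s, quote=True)
    body = f"<p>Results for: {esc(_query_param(url))}</p>"
    body += "".join(f"<li>{esc(c)}</li>" for c in COMMENTS)
    return body

def contains_raw_tag(rendered):
    """Cheap check for a test suite: did any '<' survive unencoded apart from the
    fixed markup the template itself emits?"""
    stripped = rendered
    for own in ("<p>", "</p>", "<li>", "</li>"):
        stripped = stripped.replace(own, "")
    return "<" in stripped

if __name__ == "__main__":
    add_comment("nice shop <script>alert(1)</script>")
    url = "https://shop.example/search?q=<script>alert(1)</script>"
    print(render_page_vulnerable(url))
    print(render_page_safe(url))
```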
3. Cross-Site Request Forgery (CSRF):

• An attacker creates a forged request that, when run, will transfer $10,000 from a particular bank into the attacker's account.

• The attacker embeds the forged request into a hyperlink and sends it out in bulk emails and also embeds it into websites.

• A victim clicks on an email or website link placed by the attacker, resulting in the victim making a request to the bank to transfer $10,000.

• The bank server receives the request, and because the victim is properly authorized, it treats the request as legitimate and transfers the funds.
4. Web Application Firewall (WAF):

A web application firewall, or WAF, is a security tool for monitoring, filtering and blocking incoming and outgoing data packets from a web application or website.
Types of Web Application Firewalls

1. Network-based WAF: usually hardware-based, it is installed locally to minimize latency. However, this is the most expensive type of WAF and necessitates storing and maintaining physical equipment.

2. Host-based WAF: can be fully integrated into the software of an application. This option is cheaper than network-based WAFs and is more customizable, but it consumes extensive local server resources, is complex to implement, and can be expensive to maintain.

3. Cloud-based WAF: an affordable, easily implemented solution, which typically does not require an upfront investment, with users paying a monthly or annual security-as-a-service subscription. A cloud-based WAF can be regularly updated at no extra cost, and without any effort on the part of the user.
THANK YOU