Lecture 14 Security Updated U 30122024 095008am

Web application security involves protecting websites from vulnerabilities and threats, focusing on secure authentication, input validation, session management, and access controls. It emphasizes the importance of regular updates, security testing, and using strong encryption and hashing algorithms for safeguarding sensitive data. Techniques like multi-factor authentication, secure file uploads, and proper error handling are crucial for maintaining a secure web environment.

Web Engineering

Lecture 15
Security of Web Application

Fatima Bashir
Lecturer, Computer Science Department
What Is Web Application Security?

▷ Web application security is the process of protecting websites and online services against different security threats that exploit vulnerabilities in an application’s code. Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and SaaS applications.
Secure Authentication

Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to ensure that only authorized users can access the application. Use secure password storage techniques, such as salted hashing or password stretching algorithms, to protect user credentials.
Salted Hashing Algorithm

```php
<?php
// Generate a random salt
$salt = bin2hex(random_bytes(16));

// User's input password
$password = 'myPassword';

// Combine the password and salt, then hash.
// Note: password_hash() already generates and embeds its own random salt,
// so the extra $salt is redundant; if it is used anyway, it must be stored
// alongside the hash and applied again at verification time.
$hashedPassword = password_hash($password . $salt, PASSWORD_DEFAULT);

// Store the hashed password and salt in the database

// Later, at login: $inputPassword is the value the user submitted.
// password_verify() reads the algorithm and embedded salt from $hashedPassword.
$ok = password_verify($inputPassword . $salt, $hashedPassword);
```
Input Validation

Validate and sanitize all user input to prevent common attacks like cross-site scripting (XSS) and SQL injection. Apply input validation both on the client side and on the server side to ensure data integrity.

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

SQL Injection allows attackers to execute unauthorized SQL commands in a database through user-supplied input.
Session Management

Use secure session management techniques, such as generating unique session IDs, setting session timeouts, and handling session data securely. Protect against session hijacking and session fixation attacks.
Access Controls

Enforce proper access controls to ensure that users can only access the resources and functionalities they are authorized to. Apply the principle of least privilege, granting the minimum necessary permissions to users and roles.
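The session-management and access-control points above share one mechanism, so here is a single added Python example (not the lecture's code) covering both: unguessable session IDs from the CSPRNG, idle and absolute timeouts, ID rotation at login to defeat session fixation, and a deny-by-default role-to-permission check. The role map, the timeout values and the injectable clock are assumptions of the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity (assumed)

# Least privilege: each role lists only what it needs; anything unlisted is denied.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}


@dataclass
class Session:
    user_id: Optional[str]   # None for an anonymous (pre-login) session
    roles: Set[str]
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock   # injectable so timeouts can be tested deterministically

    def create(self, user_id: Optional[str] = None, roles=()) -> str:
        sid = secrets.token_urlsafe(32)   # 256 random bits: unique and unguessable
        now = self._clock()
        self._sessions[sid] = Session(user_id, set(roles), now, now)
        return sid

    def login(self, old_sid: str, user_id: str, roles) -> str:
        """Rotate the session ID when privilege changes: a pre-set (fixed) ID never
        becomes an authenticated one."""
        self._sessions.pop(old_sid, None)
        return self.create(user_id, roles)

    def get(self, sid: str) -> Optional[Session]:
        """Return the live session, or None if unknown or timed out."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        session.last_seen = now
        return session

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def authorize(self, sid: str, permission: str) -> bool:
        """Deny unless the session is live, authenticated, and a held role grants it."""
        session = self.get(sid)
        if session is None or session.user_id is None:
            return False
        return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in session.roles)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    sid = store.login(anon, "alice", ["editor"])
    print("old id still valid:", store.get(anon) is not None)
    print("can write reports:", store.authorize(sid, "report:write"))
    print("can manage users:", store.authorize(sid, "user:manage"))
```

Session data stays server-side; the client only ever holds the opaque ID, which should additionally be sent in a cookie flagged `Secure` and `HttpOnly` so it is not exposed over plaintext or to page scripts.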
Secure File Uploads

Implement strict controls and validation when accepting file uploads from users. Validate file types, scan for malware or malicious content, and store uploaded files in a separate location with restricted access.
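An added Python example of the upload controls just listed (not from the slides): a size cap, an extension allowlist, a magic-byte check so the content must match the declared type, and storage under a random server-chosen name with restrictive permissions in a directory that stands in for a location outside the web root. The allowed types, the size limit and the sample PNG bytes are constructed for the example; malware scanning is left to an external scanner and is not shown.

```python
import os
import secrets
import tempfile
from pathlib import Path
from typing import Optional

MAX_BYTES = 5 * 1024 * 1024   # assumed limit

# Allowlist: permitted extensions and the magic bytes each must begin with.
ALLOWED_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def rejection_reason(filename: str, data: bytes) -> Optional[str]:
    """Return why an upload is refused, or None if it passes every check."""
    if len(data) > MAX_BYTES:
        return "file too large"
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_SIGNATURES:
        return f"extension {ext!r} not allowed"
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return "content does not match the declared type"
    return None


def store_upload(filename: str, data: bytes, upload_dir: Path) -> Path:
    """Save under a random name; the client-supplied filename never reaches the disk."""
    reason = rejection_reason(filename, data)
    if reason is not None:
        raise ValueError(reason)
    upload_dir.mkdir(parents=True, exist_ok=True)
    target = upload_dir / (secrets.token_hex(16) + Path(filename).suffix.lower())
    # O_EXCL refuses to overwrite an existing file; mode 0600 keeps it private to the service user.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Store a constructed PNG into a temporary directory and report what was checked."""
    png = b"\x89PNG\r\n\x1a\n" + bytes(32)   # constructed: valid signature, dummy body
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp) / "uploads"
        stored = store_upload("../../photo.png", png, upload_dir)
        return {
            "inside_upload_dir": stored.parent == upload_dir,
            "suffix": stored.suffix,
            "client_name_reused": "photo" in stored.name,
            "bytes_written": stored.stat().st_size,
        }


if __name__ == "__main__":
    print(demo())
    print(rejection_reason("page.php", b"<?php echo 1;"))
```

Because the stored name is generated server-side, any directory components in the client's filename are simply ignored, and the extension written to disk is the validated one rather than whatever the client claimed.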
Secure Error Handling

Avoid displaying detailed error messages to users, as they may reveal sensitive information about the application's architecture or internal workings. Instead, log errors securely and present generic error messages to users.
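An added Python example (not from the slides) of the split the paragraph describes: the full exception and stack trace go to the server log, the user receives only a generic message plus an incident ID that support staff can match against the log entry. The in-memory log sink, the response shape and the constructed handler that fails with an internal hostname in its message are assumptions of the example.

```python
import logging
import traceback
import uuid

LOG_LINES = []   # stand-in for the real, access-restricted log sink (file, syslog, SIEM)


class _ListHandler(logging.Handler):
    def emit(self, record):
        LOG_LINES.append(self.format(record))


logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.addHandler(_ListHandler())
logger.propagate = False

GENERIC_MESSAGE = "An internal error occurred. Please try again later."


def handle_request(handler, *args):
    """Run a request handler; on failure log everything and return nothing revealing."""
    try:
        return 200, handler(*args)
    except Exception as exc:
        incident_id = uuid.uuid4().hex   # links the user's report to the log entry
        logger.error(
            "incident=%s type=%s detail=%s\n%s",
            incident_id, type(exc).__name__, exc, traceback.format_exc(),
        )
        return 500, {"error": GENERIC_MESSAGE, "incident_id": incident_id}


def fragile_lookup(user_id: str):
    """Constructed handler whose raw exception would expose a hostname and schema detail."""
    raise RuntimeError(f"connect to db-internal:5432 failed while loading users_v2 for id={user_id}")


if __name__ == "__main__":
    status, body = handle_request(fragile_lookup, "42")
    print(status, body)            # what the client sees
    print(LOG_LINES[-1])           # what the operator sees
```

The same wrapper should sit at the framework's top-level error hook so that unhandled exceptions from any route take this path rather than the framework's default debug page.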
Regular Updates and Patching

Keep all software components, including web servers, frameworks, and libraries, up to date with the latest security patches. Vulnerabilities in outdated software can be exploited by attackers.
Security Testing

Conduct regular security assessments, including penetration testing and vulnerability scanning, to identify and address potential weaknesses in the application. Perform code reviews to identify security flaws during the development process.
Symmetric Encryption Techniques

Symmetric encryption, also known as secret key encryption or private key encryption, uses the same key for both encryption and decryption. The key is kept secret between the communicating parties.
Asymmetric Encryption Techniques

Asymmetric encryption, also known as public key encryption, uses a pair of mathematically related keys: a public key and a private key. The public key is widely distributed, while the private key remains secret and known only to the owner.

Caesar Cipher Rules

The formula of encryption is:

E_n(x) = (x + n) mod 26

Example

Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ

Text:   ATTACKATONCE
Shift:  4
Cipher: EXXEGOEXSRGI

Practice

▷ Plain text: Academy
▷ Shift: 3
▷ Encryption: DFDGHBP

Monoalphabetic Cipher

▷ Each plaintext character has a corresponding ciphertext character.
▷ Plain text: Save Yourself

Practice

▷ Keyword: The quick Brown Fox
▷ Text: We are discovered
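One added Python example (not from the slides) serving both the Caesar section and the monoalphabetic section: `caesar` applies E_n(x) = (x + n) mod 26 letter by letter, and `monoalphabetic` builds a keyword alphabet (keyword letters in order with repeats dropped, then the unused letters A to Z) and substitutes through it. A Caesar shift is just the special case where the cipher alphabet is the plain alphabet rotated by n. Non-letters are passed through unchanged and input is upper-cased, which are conventions assumed here rather than stated on the slides.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """E_n(x) = (x + n) mod 26 per letter; decryption uses -n."""
    n = -shift if decrypt else shift
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + n) % 26])
        else:
            out.append(ch)   # spaces and punctuation are left as-is
    return "".join(out)


def keyword_alphabet(keyword: str) -> str:
    """Cipher alphabet: keyword letters (deduplicated) followed by the remaining letters."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def monoalphabetic(text: str, keyword: str, decrypt: bool = False) -> str:
    """Fixed one-to-one substitution plain -> cipher alphabet (reversed for decrypt)."""
    cipher_alpha = keyword_alphabet(keyword)
    src, dst = (cipher_alpha, ALPHABET) if decrypt else (ALPHABET, cipher_alpha)
    return text.upper().translate(str.maketrans(src, dst))


if __name__ == "__main__":
    print(caesar("ATTACKATONCE", 4))
    print(keyword_alphabet("The quick Brown Fox"))
    print(monoalphabetic("We are discovered", "The quick Brown Fox"))
```

Both ciphers are symmetric: whoever holds the shift or the keyword can decrypt, and because every plaintext letter always maps to the same ciphertext letter, letter-frequency statistics survive encryption, which is why these are classroom ciphers rather than tools for protecting data.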


Hash Algorithm

```php
// MD5 (Message Digest Algorithm 5)
$hash = md5($data);

// SHA1 (Secure Hash Algorithm 1)
$hash = sha1($data);

// SHA256 (Secure Hash Algorithm 256-bit)
$hash = hash('sha256', $data);

// SHA512 (Secure Hash Algorithm 512-bit)
$hash = hash('sha512', $data);

// bcrypt (Blowfish-based Hashing Algorithm)
$hash = password_hash($data, PASSWORD_BCRYPT);
```
MD5 (Message Digest Algorithm 5)

1. Security: MD5 is considered cryptographically broken and insecure for hashing passwords or sensitive data. It is vulnerable to collision attacks: different inputs that produce the same hash can be constructed in practice.
2. Suitability: Not recommended for password hashing due to its weak security properties.
SHA1 (Secure Hash Algorithm 1)

1. Security: SHA1 is also considered weak for password hashing, as it is vulnerable to collision attacks and has been deprecated for cryptographic use. It is no longer recommended for security-sensitive applications.
2. Suitability: Not recommended for password hashing due to its weak security properties.
SHA256 (Secure Hash Algorithm 256-bit)

1. Security: SHA256 is a widely used and secure hashing algorithm. It offers a higher level of security compared to MD5 and SHA1. However, it is still susceptible to brute-force attacks, especially when used without salting and additional security measures.
2. Suitability: Suitable for general-purpose hashing needs but not ideal for password hashing unless combined with additional techniques like salting and stretching.
SHA512 (Secure Hash Algorithm 512-bit)

1. Security: SHA512 is a more secure variant of SHA256 with a longer hash length. It provides stronger resistance against brute-force attacks and offers a higher level of security.
2. Suitability: Suitable for general-purpose hashing needs and can be used for password hashing with appropriate salting and stretching techniques.
bcrypt (Blowfish-based Hashing Algorithm)

• Security: bcrypt is specifically designed for password hashing and is considered highly secure. It employs the Blowfish encryption algorithm with adaptive hashing, salt generation, and multiple rounds, making it computationally expensive for brute-force attacks.
• Suitability: Highly suitable for password hashing due to its strong security properties. It is recommended for securely hashing

MD5 (Message Digest) Hash Algorithm
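An added Python example (not from the slides) that makes the comparison above observable: the digest sizes of the four fast hashes, and the property that makes an unsalted fast hash unsuitable for passwords, namely that two users with the same password get the same digest, so one precomputed table or one cracked entry exposes both. bcrypt is not in the Python standard library and is therefore not exercised here; the user records are constructed for the example.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple

FAST_HASHES = ("md5", "sha1", "sha256", "sha512")


def digest_bits(algorithm: str) -> int:
    """Output length in bits, e.g. 128 for MD5 and 512 for SHA-512."""
    return hashlib.new(algorithm).digest_size * 8


def fast_hash(algorithm: str, data: bytes) -> str:
    """Unsalted single-pass digest, the pattern of md5()/sha1()/hash() in the slides."""
    return hashlib.new(algorithm, data).hexdigest()


def shared_passwords(records: Sequence[Tuple[str, bytes]], algorithm: str = "md5") -> List[List[str]]:
    """Group users whose unsalted digests collide, i.e. who share a password."""
    groups: Dict[str, List[str]] = {}
    for user, password in records:
        groups.setdefault(fast_hash(algorithm, password), []).append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample credential table (plaintext shown only to build the demo).
SAMPLE_RECORDS = [
    ("alice", b"Winter2024"),
    ("bob", b"Winter2024"),
    ("carol", b"correct horse battery staple"),
]


if __name__ == "__main__":
    for name in FAST_HASHES:
        print(f"{name:7s} {digest_bits(name):4d} bits  {fast_hash(name, b'hello')[:16]}...")
    print("users sharing a password:", shared_passwords(SAMPLE_RECORDS))
```

Every one of these fast hashes is deterministic by design, which is exactly what file integrity checks want and exactly what password storage must avoid; the salt-and-stretch construction shown earlier under Secure Authentication is the fix, and bcrypt builds the same two properties into a single primitive.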