Chapter 11. Basic Issues in Web Security
Table of Contents
Objectives  1
11.1 Introduction to Web Security  1
11.1.1 Why is the Internet Insecure?  1
11.1.2 Why make information secure?  2
11.2 Common vulnerabilities  2
11.2.1 SQL Injection  2
11.2.2 Buffer Overflow  3
11.2.3 Sensitive Data Exposure  3
11.2.4 Broken Authentication and Session Management  3
11.2.5 Security Misconfiguration  3
11.3 Web Security Solutions  3
11.3.1 HTTPS  3
11.3.2 Certificates  4
11.3.3 Encryption  4
11.4 Discussion  4
Objectives
At the end of this chapter you will be able to:
• Understand the need for web security;
• Understand some of the common web security vulnerabilities; and
• Understand some of the web security solutions.
11.1 Introduction to Web Security
When information is transmitted over the web, not only does the data have to reach its destination, but it needs to
arrive intact and uncorrupted (integrity), and other people should be prevented from seeing it (confidentiality). The
nature of the Internet makes directing information to its destination relatively trivial, but ensuring its
integrity and confidentiality is more difficult. Fortunately, encryption algorithms have made both integrity and
confidentiality feasible. Additionally, users like to know that the information they receive is genuine
(authentication) and that the sender of the information cannot deny having sent it (non-repudiation).
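To make the integrity property above concrete, here is an added example (not from the chapter) showing how a receiver can detect that a message was altered in transit. It uses a keyed hash (HMAC-SHA256 from the Python standard library) under a shared secret; the key, the messages and the "tampered" variant are all constructed for illustration. A plain hash alone would not give integrity against an active attacker, because the attacker could recompute it; the secret key is what ties the tag to the legitimate sender.

```python
import hmac
import hashlib


def make_tag(key: bytes, message: bytes) -> str:
    """Sender side: compute an integrity tag over the message under the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time.

    compare_digest avoids leaking where the comparison first differs,
    which an ordinary == comparison can do through timing.
    """
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: one genuine delivery, one altered message, one wrong key.

    Returns (genuine_ok, tampered_ok, wrong_key_ok); only the first should be True.
    """
    key = b"constructed-shared-secret"          # hypothetical key agreed out of band
    message = b"transfer 100 to account 42"     # constructed sample message
    tag = make_tag(key, message)

    # An intermediary changes the amount but cannot produce a matching tag.
    tampered = b"transfer 900 to account 42"

    # A party that does not hold the key cannot verify or forge tags either.
    wrong_key = b"some-other-key"

    return (
        verify(key, message, tag),
        verify(key, tampered, tag),
        verify(wrong_key, message, tag),
    )


if __name__ == "__main__":
    genuine_ok, tampered_ok, wrong_key_ok = demo()
    print("genuine message verifies:", genuine_ok)
    print("tampered message verifies:", tampered_ok)
    print("verification with wrong key:", wrong_key_ok)
```

Note that this gives integrity and (between the two key holders) authentication, but not confidentiality, since the message itself is sent in the clear, and not non-repudiation, since either key holder could have produced the tag; the latter two properties need encryption and digital signatures respectively, which the chapter's later sections on HTTPS, certificates and encryption cover.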
The web is an interconnection of networks. Everybody uses the Internet to transfer data, and that data has
value (and cost), so it is subject to theft. Types of information that are stolen include users' personal
information, commercial or technical data (including commercial secrets and intellectual property), and even
security and military information. Leaks of such information can go undiscovered for months, if not years,
doing damage to the people who sent the information and also to third parties.
11.1.1 Why is the Internet Insecure?
One of the main reasons for such vulnerabilities is the fact that web application developers are often not very well
versed in secure programming techniques. As a result, security of the application is not necessarily one of the
design goals. This is exacerbated by the rush to meet deadlines in the fast-moving e-commerce world.
The Internet is a packet-passing network, and so information sent from one machine to another passes through
1