Web Application Security Basics

Uploaded by ez5530dskr

Web Application Security

Parth Patel
Security Analyst & Trainer
Techdefence labs
CHAPTER-1

Basics: HTTP & HTTPS

Client Server

An HTTP request is made by a client, to a named host, which is located on a server. The aim of the request is to access a resource on the server. To make the request, the client uses components of a URL (Uniform Resource Locator), which includes the information needed to access the resource.
HTTP request methods
• HTTP defines a set of request methods to indicate the desired action to be
performed for a given resource.
• GET
The GET method requests a representation of the specified resource.
Requests using GET should only retrieve data.
• HEAD
The HEAD method asks for a response identical to a GET request, but
without the response body.
• POST
The POST method submits an entity to the specified resource, often
causing a change in state or side effects on the server.
• PUT
The PUT method replaces all current representations of the target
resource with the request payload.
HTTP request methods
• DELETE
The DELETE method deletes the specified resource.
• CONNECT
The CONNECT method establishes a tunnel to the server identified by
the target resource.
• OPTIONS
The OPTIONS method describes the communication options for the
target resource.
• TRACE
The TRACE method performs a message loop-back test along the path to
the target resource.
• PATCH
The PATCH method applies partial modifications to a resource.
HTTP Response

• An HTTP response is made by a server to a client. The aim of the response is to provide the client with the resource it requested, or to inform the client that the action it requested has been carried out, or else to inform the client that an error occurred in processing its request.
HTTP Response Status Codes
HTTP response status codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped in five classes:
• Informational responses (100–199)
• Successful responses (200–299)
• Redirection messages (300–399)
• Client error responses (400–499)
• Server error responses (500–599)
• For more information: [Link] US/docs/Web/HTTP/Status
HTTP - Header Fields

• HTTP header fields provide required information about the request or response, or about the object sent in the message body. There are four types of HTTP message headers:
• General-header: These header fields have general applicability for both request and response messages.
• Client Request-header: These header fields have applicability only for request messages.
HTTP - Header Fields

• Server Response-header: These header fields have applicability only for response messages.
• Entity-header: These header fields define meta information about the entity-body or, if no body is present, about the resource identified by the request.

For detailed info visit: [Link]
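The request methods, status-code classes and header fields described above can be exercised with a small parser. The Python below is an added example written for these notes, not code from the slides: it splits a raw HTTP/1.1 message into start line, header fields and body, classifies the method as read-only or state-changing using the definitions given above, and maps the status code to its class. The two messages it parses are constructed for the example, and the Content-Length consistency check is an extra that the slides do not mention.

```python
"""Added example (not part of the original slides): parse raw HTTP/1.1 messages
and classify the request method and response status class the way the slides
describe them. The two sample messages below are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict

# Methods the slides describe as read-only ("requests using GET should only
# retrieve data"). A server that changes state on one of these is misbehaving.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
KNOWN_METHODS = SAFE_METHODS | {"POST", "PUT", "DELETE", "CONNECT", "PATCH"}

# The five classes from the status-code slide, keyed by the leading digit.
STATUS_CLASSES = {1: "Informational", 2: "Successful", 3: "Redirection",
                  4: "Client error", 5: "Server error"}


@dataclass
class HttpMessage:
    start_line: str                              # request line or status line
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_message(raw: str) -> HttpMessage:
    """Split a raw HTTP/1.1 message into start line, header fields and body.

    Header names are case-insensitive, so they are normalised to lowercase.
    A header line without a colon is rejected rather than silently skipped,
    so a malformed message is noticed instead of being half-parsed."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = HttpMessage(start_line=lines[0], body=body)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        msg.headers[name.strip().lower()] = value.strip()
    return msg


def request_method(req: HttpMessage) -> str:
    """Return the upper-cased method from a request line such as 'GET /x HTTP/1.1'."""
    method = req.start_line.split(" ", 1)[0].upper()
    if method not in KNOWN_METHODS:
        raise ValueError(f"unknown HTTP method {method!r}")
    return method


def is_safe_method(method: str) -> bool:
    """True for methods that, per the slides, must only retrieve data."""
    return method.upper() in SAFE_METHODS


def status_class(resp: HttpMessage) -> str:
    """Map the code in a status line such as 'HTTP/1.1 302 Found' to its class."""
    parts = resp.start_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {resp.start_line!r}")
    code = int(parts[1])
    if not 100 <= code <= 599:
        raise ValueError(f"status code out of range: {code}")
    return STATUS_CLASSES[code // 100]


def content_length_matches(msg: HttpMessage) -> bool:
    """Check the declared Content-Length against the body actually present."""
    declared = msg.headers.get("content-length")
    if declared is None:
        return not msg.body
    return int(declared) == len(msg.body.encode("utf-8"))


def describe(raw: str) -> str:
    """One-line summary: '<method> (safe|unsafe)' or '<code> <class>'."""
    msg = parse_message(raw)
    if msg.start_line.startswith("HTTP/"):
        return f"{msg.start_line.split(' ', 2)[1]} {status_class(msg)}"
    method = request_method(msg)
    return f"{method} ({'safe' if is_safe_method(method) else 'unsafe'})"


# Constructed sample messages (not captured from any real server).
RAW_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)
RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /account\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(describe(RAW_REQUEST))     # POST (unsafe)
    print(describe(RAW_RESPONSE))    # 302 Redirection
```

The form body in the sample request is exactly what the HTTP vs HTTPS slide later warns about: without TLS, the credentials travel in readable plaintext alongside the headers.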
HTTP vs HTTPS
What is HTTP?
• HTTP stands for Hypertext Transfer Protocol, and it is a protocol—or a
prescribed order and syntax for presenting information—used for
transferring data over a network. Most information that is sent over the
Internet, including website content and API calls, uses the HTTP protocol.

• HTTP requests and responses are sent across the Internet in plaintext.
The problem is that anyone monitoring the connection can read these
plaintexts. This is especially an issue when users submit sensitive data via
a website or a web application. This could be a password, a credit card
number, or any other data typed into a form. Essentially, a malicious actor
can just read the text in the request or the response and know exactly
what information someone is asking for, sending, or receiving, and even
manipulate the communication.

• The answer to the above security problem is HTTPS.


What is HTTPS?
• HTTPS stands for Hypertext Transfer Protocol Secure (also referred to as HTTP
over TLS or HTTP over SSL). HTTPS uses TLS (or SSL) to encrypt HTTP requests
and responses, so instead of the plaintext, an attacker would see a series of
seemingly random characters.
• TLS uses a technology called public key encryption: there are two keys, a public key and a private key. The public key is shared with client devices via the server's SSL certificate. The certificates are cryptographically signed by a Certificate Authority (CA), and each browser has a list of CAs it implicitly trusts. Any certificate signed by a CA in the trusted list is given a green padlock in the browser’s address bar, because it is proven to be “trusted” and to belong to that domain. Companies like Let’s Encrypt have now made the process of issuing SSL/TLS certificates free.
What is HTTPS?

When a client opens a connection with a server, each machine needs a verified identity. So, the two devices use the public and private key to agree on new keys, called session keys, to encrypt further communications between them. All HTTP requests and responses are then encrypted with these session keys, so that anyone who intercepts communications can only see a random string of characters, not the plaintext.
Same origin policy
• In computing, the same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.
• The same-origin policy is a web browser security mechanism that aims to prevent websites from attacking each other.
• The same-origin policy restricts scripts on one origin from accessing data from another origin. An origin consists of a URI scheme, domain and port number.
Same origin policy
URL accessed              Access permitted?
[Link]/example/           Yes: same scheme, domain, and port
[Link]/example2/          Yes: same scheme, domain, and port
[Link]/example/           No: different scheme and port
[Link]/example/           No: different domain
[Link]/example/           No: different domain
[Link]/example/           No: different port*
Why is the same-origin policy necessary?

When a browser sends an HTTP request from one origin to another, any cookies, including authentication session cookies, relevant to the other domain are also sent as part of the request. This means that the response will be generated within the user's session, and include any relevant data that is specific to the user. Without the same-origin policy, if you visited a malicious website, it would be able to read your emails from Gmail, private messages from Facebook, etc.
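The origin comparison behind the table above (scheme, domain and port, with default ports implied when a URL omits one) can be written down in a few lines. The Python below is an added example for these notes, not code from the slides; the example.com hostnames are constructed, and the verdict strings follow the wording of the table.

```python
"""Added example (not from the slides): derive a URL's origin (scheme, host,
port) and compare two URLs the way the same-origin policy does. The URLs used
below are constructed examples."""
from typing import Tuple
from urllib.parse import urlsplit

# A URL that omits the port implies the scheme's default, so http://a/ and
# http://a:80/ are the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port) for an absolute URL, or raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname                 # urlsplit already lowercases it
    if not scheme or not host:
        raise ValueError(f"no origin can be derived from {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError(f"unknown default port for scheme {scheme!r}")
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True when a script on url_a may read data from url_b under the policy."""
    return origin_of(url_a) == origin_of(url_b)


def explain(page_url: str, target_url: str) -> str:
    """Verdict in the wording of the slide's table, naming every component
    that differs (path and query are deliberately ignored)."""
    scheme_a, host_a, port_a = origin_of(page_url)
    scheme_b, host_b, port_b = origin_of(target_url)
    differences = []
    if scheme_a != scheme_b:
        differences.append("scheme")
    if host_a != host_b:
        differences.append("domain")
    if port_a != port_b:
        differences.append("port")
    if not differences:
        return "Yes: same scheme, domain, and port"
    return "No: different " + " and ".join(differences)


if __name__ == "__main__":
    page = "http://www.example.com/example/"
    for target in ("http://www.example.com/example2/",
                   "https://www.example.com/example/",
                   "http://en.example.com/example/",
                   "http://www.example.com:8080/example/"):
        print(f"{target:45s} {explain(page, target)}")
```

Note that switching from http to https changes two components at once, which is why the table reports "different scheme and port" for that row rather than scheme alone.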
What are cookies?
• Cookies are text files with small pieces of data — like a username and password — that are used to identify your computer as you use a computer network. Specific cookies known as HTTP cookies are used to identify specific users and improve your web browsing experience.
• HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user’s web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user’s device during a session.
Cookies
In network security terms, a cookie is a small data file that a web server stores on a user's computer. Cookies are used to keep track of a user's browsing actions on a website and to preserve session information.

In addition to tracking a user's behavior for marketing and analytics purposes, websites frequently employ cookies to remember a user's preferences and login information. A cookie is sent by a website's web server to a user's browser during a visit, and the browser keeps the cookie on the user's machine. The next time the user accesses the page, the browser sends the cookie back to the server, enabling it to remember the user's preferences and activities.
Cookies
Cookies have a large influence on the security of a network. A website may place small text files called cookies on a user's computer. They are used to keep track of login information, user preferences, and other information that can be used to improve the user experience. If used improperly, cookies can also pose a security risk. The main cookie types relevant to network security are described below.
Session Cookies: Session cookies are the most common type of cookie
used in network security. They are used to store information temporarily
and are deleted when the user closes their browser. Session cookies are
used to remember user information, such as login details, shopping cart
items, and other preferences.
Cookies
Persistent Cookies: Persistent cookies are cookies that are stored on a user's
computer for a longer period of time. They are used to remember user
preferences and login information, even after the user closes their
browser. Persistent cookies are commonly used by websites to track user
behavior and deliver personalized content.

Secure Cookies: Secure cookies are cookies that are only transmitted over a
secure HTTPS connection. They are used to prevent unauthorized access
to sensitive data, such as login credentials and payment information.
Secure cookies are commonly used by financial institutions and other
organizations that handle sensitive data.
Cookies
HttpOnly Cookies: HttpOnly cookies are cookies that are only accessible
through HTTP or HTTPS protocols. They cannot be accessed by client-
side scripts, such as JavaScript, which can help prevent cross-site
scripting (XSS) attacks. HttpOnly cookies are commonly used by
websites to store session IDs and other sensitive data.

Third-Party Cookies: Third-party cookies are cookies that are set by a domain other than the one that the user is visiting. They are commonly used by advertisers and analytics providers to track user behavior across multiple websites. Third-party cookies are often blocked by default in modern web browsers due to privacy concerns.
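The cookie types listed above all correspond to things a server declares in its Set-Cookie header (Expires or Max-Age for persistent cookies, the Secure and HttpOnly flags) or to which host sent the response (third-party). The Python below is an added example for these notes, not code from the slides: it parses Set-Cookie values, sorts each cookie into those types, and flags cookies that look like session identifiers but lack the Secure or HttpOnly protection the slides describe. The hostnames, header values and the "looks like a session cookie" name heuristic are constructed for the example, and the same-site test is a simplification (browsers consult the Public Suffix List).

```python
"""Added example (not from the slides): parse Set-Cookie headers, sort the
cookies into the types described above (session/persistent, Secure, HttpOnly,
third-party) and flag session-looking cookies that lack protective flags.
All hostnames and header values are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lowercased) -> value, or None for bare flags like Secure
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    def has(self, attr: str) -> bool:
        return attr.lower() in self.attrs

    @property
    def is_persistent(self) -> bool:
        # Expires or Max-Age makes a cookie outlive the browser session.
        return self.has("expires") or self.has("max-age")


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value. Attributes are separated by ';'; an
    Expires date contains commas but never a semicolon, so the split is safe."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie: {header_value!r}")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if sep else None
    return cookie


def same_site(host_a: str, host_b: str) -> bool:
    """Simplified 'same site': equal hosts, or one is a subdomain of the other.
    Assumption made for this example; browsers use the Public Suffix List."""
    a, b = host_a.lower(), host_b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def classify(cookie: Cookie, set_by_host: str, visited_host: str) -> List[str]:
    """Return the cookie types from the slides that apply to this cookie."""
    kinds = []
    if not same_site(set_by_host, visited_host):
        kinds.append("third-party")
    kinds.append("persistent" if cookie.is_persistent else "session")
    if cookie.has("secure"):
        kinds.append("secure")
    if cookie.has("httponly"):
        kinds.append("httponly")
    return kinds


# Constructed heuristic: name fragments that usually mark a session identifier.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def audit_cookie(cookie: Cookie) -> List[str]:
    """Findings for a cookie that looks like a session identifier but is
    missing the protections the slides describe."""
    findings = []
    if not any(hint in cookie.name.lower() for hint in SESSION_NAME_HINTS):
        return findings
    if not cookie.has("secure"):
        findings.append(f"{cookie.name}: no Secure flag, may be sent over plaintext HTTP")
    if not cookie.has("httponly"):
        findings.append(f"{cookie.name}: no HttpOnly flag, readable by client-side script")
    if cookie.is_persistent:
        findings.append(f"{cookie.name}: session identifier persisted to disk")
    return findings


# Constructed responses: (host that set the cookie, Set-Cookie header value).
SAMPLE_SET_COOKIES: Sequence[Tuple[str, str]] = (
    ("shop.example.com", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("shop.example.com", "prefs=dark; Max-Age=31536000; Path=/; Secure"),
    ("ads.example.net", "uid=42; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None"),
)


def audit_all(samples: Sequence[Tuple[str, str]], visited_host: str) -> Dict[str, List[str]]:
    """Map each cookie name to its types followed by any findings."""
    report = {}
    for set_by_host, header in samples:
        cookie = parse_set_cookie(header)
        report[cookie.name] = classify(cookie, set_by_host, visited_host) + audit_cookie(cookie)
    return report


if __name__ == "__main__":
    for name, info in audit_all(SAMPLE_SET_COOKIES, "shop.example.com").items():
        print(name, info)
```

Run against a real response, the interesting output is the SESSIONID line: a session identifier set with HttpOnly but without Secure is still protected from script access, yet the browser will attach it to any plain http:// request for the same host.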
What is a SESSION?

• In computer science, and networking in particular, a session is a temporary and interactive information interchange between two or more communicating devices, or between a computer and a user. A session is established at a certain point in time, and then ‘torn down’ - brought to an end - at some later point.
• A web session is a series of contiguous actions by a visitor on an individual
website within a given time frame. This could include your search engine
searches, filling out a form to receive content, scrolling on a website page,
adding items to a shopping cart, researching airfare, or which pages you
viewed on a single website. Any interaction that you have with a single
website is recorded as a web session to that website property.
What are cookies and sessions?
• A cookie is a small piece of data from a web site that is stored on a visitor’s
browser to help the website track the visitor’s activity on the web site.
Sessions and cookies are sometimes conflated, creating confusion. More
specifically, session IDs and cookie IDs are confused. While they are closely
related, they are not the same thing. A cookie identifies, often anonymously, a
specific visitor or a specific computer. Cookies can be used for authentication,
storing site preferences, saving shopping carts, and server session identification.

• By knowing who is visiting a site and what they’ve done before, web
developers can customize pages to create a personalized web experience. For
example, a cookie may store information such as your name and preferences
that it gathered when you filled out a form, then use that information to
populate pages you visit throughout one or multiple web sessions.
Web Application Proxy
• Web Application Proxy is a service in Windows Server 2012 R2 that
allows end users to access applications from outside the corporate
network on any device.
• According to Microsoft, Web Application Proxy pre-authenticates
application access with Active Directory Federation Services (ADFS) and
also provides reverse proxy functionality. Web Application Proxy should
always be deployed with ADFS, but it can also be deployed with a VPN in
an organization's Remote Access deployment.
• Web Application Proxy works in two main ways. It makes organizations
capable of giving end users outside of an organization selective access
to applications that run on servers in the organization. It also serves as
a barricade between corporate applications and the Internet.
What is Burp Suite?
Burp or Burp Suite is a set of tools used for penetration testing of web applications. It is developed by the company PortSwigger, which is also the alias of its founder Dafydd Stuttard. Burp Suite aims to be an all-in-one set of tools, and its capabilities can be extended by installing add-ons called BApps.

It is the most popular tool among professional web app security researchers and bug bounty hunters. Its ease of use makes it a more suitable choice over free alternatives like OWASP ZAP. If you are a complete beginner in web application pentesting, web app hacking or bug bounty, we recommend just reading through without worrying too much about any single term.
Burp Suite
Spider: It is a web spider/crawler that is used to map the target web application. The objective of the mapping is to get a list of endpoints so that their functionality can be observed and potential vulnerabilities can be found. Spidering is done for a simple reason: the more endpoints you gather during your recon process, the more attack surface you have during your actual testing.

Proxy: Burp Suite contains an intercepting proxy that lets the user see and modify the contents of requests and responses while they are in transit. It also lets the user send the request/response under inspection to another relevant tool in Burp Suite, removing the burden of copy-paste. The proxy server can be configured to listen on a specific loopback IP and port. The proxy can also be configured to filter out specific types of request-response pairs.
Burp Suite
Intruder: It is a fuzzer. It is used to run a set of values through an input point. The values are run and the output is observed for success/failure and content length. Usually, an anomaly results in a change in the response code or the content length of the response. Burp Suite allows brute-force, dictionary file and single values for its payload positions. The Intruder is used for:
• Brute-force attacks on password forms, PIN forms, and other such forms.
• Dictionary attacks on password forms, and on fields that are suspected of being vulnerable to XSS or SQL injection.
• Testing and attacking rate limiting on the web app.
Burp Suite
Repeater: Repeater lets a user send requests repeatedly with manual modifications. It is used for:

❖ Verifying whether the user-supplied values are being validated.
❖ If user-supplied values are being validated, how well is it being done?
❖ What values is the server expecting in an input parameter/request header?
❖ How does the server handle unexpected values?
❖ Is input sanitization being applied by the server?
❖ How well does the server sanitize the user-supplied inputs?
❖ What sanitization style is being used by the server?
❖ Among all the cookies present, which one is the actual session cookie?
❖ How is CSRF protection implemented, and is there a way to bypass it?
Burp Suite
Decoder: Decoder lists the common encoding methods like URL, HTML, Base64, Hex, etc. This tool comes in handy when looking for chunks of encoded data in the values of parameters or headers. It is also used for payload construction for various vulnerability classes, and to uncover primary cases of IDOR and session hijacking.
Extender: BurpSuite supports external components to be integrated into the tools
suite to enhance its capabilities. These external components are called BApps. These
work just like browser extensions. These can be viewed, modified, installed,
uninstalled in the Extender window. Some of them are supported on the community
version, but some require the paid professional version.
Scanner: The scanner is not available in the community edition. It scans the website
automatically for many common vulnerabilities and lists them with information on
confidence over each finding and their complexity of exploitation. It is updated
regularly to include new and less known vulnerabilities.
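The Decoder's everyday job is recognising which of the listed encodings (URL, HTML entities, Hex, Base64) a parameter value is wrapped in and peeling the layers off one at a time until readable data appears. The Python below is an added example for these notes, not code from the slides or from Burp Suite: it applies the same detect-and-decode loop automatically, records each layer it removed, and stops when nothing recognisable is left. The detection rules are heuristics (a short plain word can be valid Base64), so a layer is only accepted when it decodes to printable text; the sample value is constructed by URL-encoding a query string and then Base64-encoding it.

```python
"""Added example (not from the slides): detect and peel layered encodings
(URL, HTML entities, hex, Base64) from a parameter value, the manual job done
with the Decoder tool. The sample values are constructed."""
import base64
import binascii
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote

MAX_LAYERS = 10  # guard against values that keep "decoding" without end

_URL_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
_HTML_ENTITY = re.compile(r"&(#\d+|#x[0-9A-Fa-f]+|[A-Za-z]+);")
_HEX = re.compile(r"[0-9A-Fa-f]+")
_BASE64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def _printable(data: bytes) -> Optional[str]:
    """Return the text if data is non-empty printable UTF-8, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def decode_layer(value: str) -> Optional[Tuple[str, str]]:
    """Identify the outermost encoding of value and strip it.

    Returns (encoding, decoded) or None when nothing is recognised. URL and
    HTML escapes are unambiguous; hex and Base64 are heuristics and are only
    accepted when the decoded bytes are printable text."""
    if _URL_ESCAPE.search(value):
        return ("url", unquote(value))
    if _HTML_ENTITY.search(value):
        return ("html", html.unescape(value))
    if len(value) >= 4 and len(value) % 2 == 0 and _HEX.fullmatch(value):
        text = _printable(bytes.fromhex(value))
        if text is not None:
            return ("hex", text)
    if len(value) >= 4 and len(value) % 4 == 0 and _BASE64.fullmatch(value):
        try:
            text = _printable(base64.b64decode(value, validate=True))
        except (binascii.Error, ValueError):
            text = None
        if text is not None:
            return ("base64", text)
    return None


def decode_all(value: str) -> List[Tuple[str, str]]:
    """Peel encodings until nothing is recognised, recording each step."""
    steps = []
    current = value
    for _ in range(MAX_LAYERS):
        step = decode_layer(current)
        if step is None or step[1] == current:
            break
        steps.append(step)
        current = step[1]
    return steps


def innermost(value: str) -> str:
    """The fully decoded value, or the input itself if no encoding was found."""
    steps = decode_all(value)
    return steps[-1][1] if steps else value


# Constructed sample: a query string that was URL-encoded, then Base64-encoded.
SAMPLE_PLAIN = "user=alice&lang=en"
SAMPLE_VALUE = base64.b64encode(quote(SAMPLE_PLAIN, safe="").encode()).decode()

if __name__ == "__main__":
    for encoding, decoded in decode_all(SAMPLE_VALUE):
        print(f"{encoding:7s} -> {decoded}")
```

The order of the checks matters: URL and HTML escapes are tested first because their markers (%XX, &name;) cannot appear in hex or Base64 alphabets, while hex is tested before Base64 because every hex string is also syntactically valid Base64.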
Thank you!