Web Security Fundamentals

Understanding the Modern Web Application

Landscape
Before diving into specific security concepts, it's helpful to understand
what makes modern web applications different from traditional
software:
• They're accessible from anywhere with an internet connection
• They often connect multiple services through APIs
• They frequently process and store sensitive user data
• They regularly update without user intervention
• They commonly integrate third-party components and libraries
Understanding the Modern Web Application
Landscape Contd…
They’re accessible from anywhere with an internet connection
• Old software = you had to install it on your PC.
• Modern web apps = just open a browser (like Chrome) and log in.
• Example: You can open Gmail from your phone, laptop, or cyber café
— same app, no installation.
This makes life easy, but also means hackers from anywhere in the
world can try to attack it.
Understanding the Modern Web Application
Landscape Contd…
They often connect multiple services through APIs
• An API is like a waiter in a restaurant — it carries your request to the
kitchen and brings back your food.
• Apps use APIs to talk to each other.
• Example: When you book an Uber, it uses APIs to:
• Get maps from Google
• Process payment from Paytm/UPI
• Send you SMS notifications.
If APIs are not secured, hackers can misuse them to steal data.
Understanding the Modern Web Application
Landscape Contd…
They frequently process and store sensitive user data
• Modern apps deal with private info like:
• Passwords
• Credit card numbers
• Health records
• Example: Amazon stores your address and card details to make
checkout faster.
If not secured, this data can be leaked or stolen.
Understanding the Modern Web Application
Landscape Contd…
They regularly update without user intervention
• Old software needed manual updates (e.g., install from a CD or
download patch).
• Modern apps update automatically on servers.
• Example: Facebook/Instagram changes features or fixes bugs without
you doing anything.
Good for fixing bugs quickly, but a bad update can spread problems
instantly to all users.
Understanding the Modern Web Application
Landscape Contd…
They commonly integrate third-party components and libraries
• Developers rarely build everything from scratch.
• They use ready-made packages (like Lego blocks).
• Example: A shopping website may use:
• Stripe for payments
• Google Maps plugin for location
• Bootstrap library for design.
If these third-party tools have vulnerabilities, the main app also becomes
vulnerable.
Fundamental #1: HTTP Protocol Security Basics
Key concepts to master:
• Request and response structure
• HTTP methods (GET, POST, PUT, DELETE, etc.)
• Status codes and their meanings
• Headers and their security implications
• Cookies and how they maintain state
• HTTPS and TLS/SSL principles
Fundamental #1: HTTP Protocol Security Basics Contd..

Request and Response Structure

• A request is what your browser sends to a server.
• A response is what the server sends back.
• Example:
• Request: “Give me Gmail inbox”
• Response: Gmail page with your emails.
Think of it like ordering food in a restaurant: you ask (request), waiter brings
food (response).
Fundamental #1: HTTP Protocol Security Basics Contd..

HTTP Methods (GET, POST, PUT, DELETE, etc.)

• GET → Just fetch data (like reading a web page).
• POST → Send new data (like submitting a login form).
• PUT → Update existing data (like editing your profile picture).
• DELETE → Remove data (like deleting a post).
Methods are like actions: read, write, update, delete.
Fundamental #1: HTTP Protocol Security Basics Contd..

Status Codes and Their Meanings

• Numbers that show what happened to your request.
• Common ones:
• 200 OK → Success
• 404 Not Found → Page doesn’t exist
• 403 Forbidden → You don’t have permission
• 500 Internal Server Error → Problem on the server side
Fundamental #1: HTTP Protocol Security Basics Contd..

Headers and Their Security Implications

• Headers are extra information sent along with requests and
responses.
• Example:
• Content-Type: text/html → tells browser it’s an HTML page
• Set-Cookie: session info
• Security Headers:
• X-Frame-Options → stop clickjacking
• Content-Security-Policy → block malicious scripts
They are like labels on a parcel telling how to handle it safely.
Fundamental #1: HTTP Protocol Security Basics
Contd..
Security Headers (Very Important)
1.X-Frame-Options
•Prevents clickjacking attacks (attackers trick you into clicking hidden buttons in an iframe).
•Example:
•X-Frame-Options: DENY → This page cannot be shown inside another page.
2.Content-Security-Policy (CSP)
•Protects against XSS (Cross-Site Scripting) by controlling what scripts can run.
•Example:
•Content-Security-Policy: script-src 'self' → Only scripts from the same website can run.
3.Strict-Transport-Security (HSTS)
•Forces the browser to always use HTTPS instead of HTTP.
•Example:
•Strict-Transport-Security: max-age=31536000 → Always use HTTPS for 1 year.
4.X-Content-Type-Options
•Prevents browsers from guessing the file type incorrectly.
•Example:
•X-Content-Type-Options: nosniff → Don’t try to guess file type, just follow the Content-Type header.
Fundamental #1: HTTP Protocol Security Basics Contd..

Cookies and How They Maintain State

• Cookies are small data files stored in your browser.
• They remember things like:
• Your login session
• Items in shopping cart
• Example: When you stay logged in to Facebook without re-entering
your password, that’s cookies at work.
If cookies are not secure, hackers can steal them and impersonate
you.
Fundamental #1: HTTP Protocol Security Basics Contd..

HTTPS and TLS/SSL Principles

• HTTP = plain text → hackers can read it.
• HTTPS = encrypted with SSL/TLS → safe communication.
• Example:
• HTTP: sending password → hacker can see it.
• HTTPS: password scrambled (encrypted) → hacker sees nonsense.
• Lock symbol in browser = HTTPS enabled.
It’s like sending a message in a sealed envelope instead of a postcard.
Practical application:
• Start by using browser developer tools to inspect HTTP traffic on
websites you visit. Next, learn to use a proxy tool like OWASP ZAP or
Burp Suite (free community edition) to intercept, analyze, and modify
requests between your browser and web servers.
• This knowledge helps you understand how attackers can manipulate
communications between clients and servers, and forms the
foundation for nearly all web security testing.
Free Learning Resources:

• Mozilla Developer Network (MDN) HTTP Documentation -

Comprehensive guides on HTTP fundamentals
• OWASP ZAP Getting Started Guide - Learn how to use this free
intercepting proxy
• PortSwigger Web Security Academy: HTTP - Free interactive labs on
HTTP basics
Fundamental #2: Authentication and Session
Management
Key concepts to master:

• Authentication methods (password-based, MFA, OAuth, etc.)

• Common authentication bypass techniques
• Session tokens and how they work
• Session fixation, hijacking, and other attacks
• Secure password storage practices
• Token-based authentication systems (JWT, SAML)
Fundamental #2: Authentication and Session Management
Contd..
Authentication Methods (How you prove your identity)
• Password-based → You log in with username + password.
• MFA (Multi-Factor Authentication) → You add another step (OTP,
fingerprint, SMS code).
• OAuth (Login with Google/Facebook) → Instead of creating a new
account, you use your existing Google/Facebook login.
Fundamental #2: Authentication and Session Management
Contd..
Common Authentication Bypass Techniques (How attackers trick the
system)
• Brute Force → Keep guessing passwords until one works.
• SQL Injection → Inject malicious code into login form to bypass
password.
• Default Credentials → Using factory-set usernames/passwords (like
admin/admin).
• Weak Session Management → Stealing cookies to skip login.
Fundamental #2: Authentication and Session Management
Contd..
Session Tokens and How They Work
• When you log in, server gives you a session token (like a unique ID).
• Browser keeps sending this token with every request.
• As long as the token is valid, you stay logged in.
Fundamental #2: Authentication and Session Management
Contd..
Session Fixation, Hijacking, and Other Attacks
• Session Fixation → Attacker tricks you into using a pre-defined
session ID.
• Session Hijacking → Attacker steals your valid session ID (from
cookies) and pretends to be you.
• Replay Attack → Attacker reuses an old valid session/token.
Fundamental #2: Authentication and Session Management
Contd..
Secure Password Storage Practices
• Don’t store passwords in plain text.
• Use hashing (convert password into scrambled text) → e.g., SHA-256,
bcrypt.
• Add salt (random extra string) to make it harder to crack.
Fundamental #2: Authentication and Session Management
Contd..
Token-based Authentication Systems (JWT, SAML)
• Instead of session cookies, some systems use tokens that carry login
info.
• JWT (JSON Web Token): Compact, JSON-based token, often used in
APIs.
• SAML (Security Assertion Markup Language): XML-based token, used
in Single Sign-On (SSO) for enterprises.
Practical application:
• Create simple authentication systems in development environments
to understand how they work internally. Study how popular
frameworks implement authentication and session management.
Look for opportunities to examine session cookies and authentication
tokens in applications you use regularly.
• This knowledge helps you identify when applications aren't properly
validating identity or maintaining session state, which can lead to
unauthorized access.
Free Learning Resources:

• OWASP Authentication Cheat Sheet - Best practices for

implementing authentication securely
• OWASP Session Management Cheat Sheet - Guidelines for secure
session handling
• Auth0 Blog: Authentication Tutorials - Free tutorials on various
authentication methods
Fundamental #3: Input Validation and Output
Encoding
Input Validation and Output Encoding
Input Validation (Check the input before using it)
• Input validation means: “Never trust user input until you check it.”
• Attackers often type malicious code instead of normal data into
forms (like login, search, feedback).
• If we validate properly, we can stop these attacks.
Input Validation and Output Encoding Contd..

Types of attacks prevented:

•SQL Injection: Attacker puts SQL code into a form to hack the database.
•Example: username = 'admin' OR '1'='1' → login without password.
•Fix: Accept only expected values, use parameterized queries.

•Cross-Site Scripting (XSS): Attacker injects a <script> tag into comments or forms → browser runs it.
•Example: <script>alert('Hacked!')</script>
•Fix: Validate inputs, don’t allow script tags.

•Command Injection: Attacker puts OS commands in input fields.

•Example: ; rm -rf / → deletes files on the server.
•Fix: Allow only safe inputs (e.g., numbers only for age field).
Input Validation and Output Encoding Contd..

•Even if bad input slips through, output encoding ensures it cannot execute as code.
•It changes dangerous characters into safe symbols.

Example:
•Input: <script>alert('Hacked!')</script>
•Without encoding → browser runs it (XSS).
•With encoding → browser shows it as plain text (&lt;script&gt;alert('Hacked!')&lt;/script&gt;)
instead of executing.
Key concepts to master:

• Cross-Site Scripting (XSS) and prevention methods

• SQL injection and parameterized queries
• Command injection principles
• Client-side vs. server-side validation
• Input sanitization techniques
• Context-appropriate output encoding
Practical application:
• Practice creating forms that properly validate input. Set up
deliberately vulnerable applications like DVWA or Juice Shop in a safe
environment and practice exploiting and fixing input validation flaws.
Study how frameworks handle input validation and output encoding.
• This knowledge helps you identify when applications trust user input
without proper validation, which can lead to data breaches and
system compromise.
Free Learning Resources:
• OWASP Juice Shop - A modern vulnerable web application for
practicing input validation flaws
• OWASP XSS Prevention Cheat Sheet - Comprehensive guide to
preventing XSS
• PortSwigger Web Security Academy: SQL Injection - Free interactive
labs for learning SQL injection
Fundamental #4: Security Testing Fundamentals
Key concepts to master:

• Black box vs. gray box vs. white box testing

• Manual vs. automated testing approaches
• Security testing methodologies (OWASP Testing Guide)
• Basic usage of common security testing tools
• Reading and understanding vulnerability reports
• Severity assessment and risk prioritization
Practical application:
• Start with simple security tools like OWASP ZAP and browser
extensions that help identify basic vulnerabilities. Progress to more
comprehensive tools as your knowledge grows. Practice writing clear
vulnerability reports that explain both the technical issue and
business impact.
• This knowledge helps you verify whether security controls are
working effectively and communicate security issues to both technical
and non-technical audiences.
Free Learning Resources:

• OWASP Testing Guide - Comprehensive methodology for testing web

applications
• TryHackMe - Free rooms for practicing security testing skills
• HackTheBox - Free starting points and challenges for hands-on
learning
Fundamental #5: Secure Development Principles
Key concepts to master:

• Security requirements and user stories

• Threat modeling basics
• Secure coding guidelines
• Security code review techniques
• DevSecOps fundamentals
• Security testing in CI/CD pipelines
Practical application:
• Study secure coding guidelines specific to common web development
languages. Practice reviewing code for security issues in open-source
projects. Learn how to integrate security checks into build processes.
• This knowledge helps you shift security left in the development
process, catching issues earlier when they're less expensive to fix.
Free Learning Resources:

• OWASP Secure Coding Practices - Quick reference guide for secure

development
• GitHub Security Lab - Free articles and tutorials on secure coding
• Snyk Learn - Free lessons on secure development practices for
various languages
Building Your Learning Roadmap

Now that you understand the five fundamental areas to focus on, here's how
to structure your learning:
• Start with HTTP basics - This underpins everything in web security
• Move to authentication and session management - This represents a
major attack surface
• Learn input validation and output encoding - This prevents most common
vulnerabilities
• Develop security testing skills - This helps you verify your understanding
• Study secure development practices - This helps you integrate with
development teams
Additional Free Comprehensive Resources

• freeCodeCamp Information Security Certification - Free

comprehensive course covering many security fundamentals
• Cybrary - Free cybersecurity courses with web security components
• Web Security Academy - Comprehensive free labs for all skill levels
• OWASP WebGoat - Deliberately insecure application for learning
• Awesome AppSec - Curated list of application security resources
Sandboxing in Computer Security: Containing Threats
and Ensuring Safety.

• Sandboxing is a security mechanism and a software technique

used to isolate and contain untrusted or potentially harmful
code, applications, or processes within a restricted and
controlled environment, often referred to as a "sandbox." This
isolation prevents the untrusted code from affecting the host
system or other applications, enhancing security and minimizing
the impact of security vulnerabilities and threats. Sandboxing is
commonly employed in computer systems, web browsers,
mobile operating systems, and various other software
environments to maintain the integrity and safety of the overall
system.
•
Key Components
A sandbox is essentially four key components:
• Isolation: Sandboxing isolates the application from the underlying operating
system and other applications. This isolation ensures that even if the application
is compromised, it cannot affect other parts of the system.
• Resource control: Sandboxing controls the resources available to the application,
such as file system access, network communication, and system calls. By limiting
these resources, sandboxing reduces the attack surface and prevents
unauthorized actions.
• Monitoring: Sandboxing often includes monitoring mechanisms to track the
behavior of the application. Any suspicious activity can be detected in real-time,
allowing for immediate response and mitigation.
• Access controls: Sandboxing enforces access controls to restrict the application's
privileges. It follows the principle of least privilege, ensuring that the application
only has access to the resources necessary for its functionality
Why We Need Sandboxes:

• Security Isolation: Sandboxing provides a secure and isolated environment

for running untrusted code or applications. This isolation ensures that
malicious or faulty software cannot harm the host system or other
applications.
• Malware Protection: It serves as an effective defense against malware by
containing malicious code within the sandbox. This containment prevents
malware from spreading, stealing data, or damaging the system.
• Web Browsing Security: Web browsers use sandboxes to isolate individual
tabs or websites. This limits the impact of malicious websites and browser
extensions, protecting users from web-based threats.
• Mobile App Security: Mobile operating systems utilize sandboxing to
confine each app, preventing them from interfering with other apps or the
core system. This is crucial for safeguarding user data and privacy.
Why We Need Sandboxes:

• Software Development and Testing: Developers use sandboxes to

test and debug software without affecting the stability of the host
system. Sandboxing provides a controlled environment for identifying
and addressing issues in the development process.
• Malware Analysis: Security experts use sandboxes to analyze and
study malware in a controlled environment, allowing them to
understand its behavior without risking their own systems.
Sandbox Architecture:

The architecture of a sandbox can vary depending on its use case, but here are some
common components and principles:
• Isolation Boundary: The core concept of a sandbox is the isolation boundary that
separates the sandboxed environment from the host system. This boundary is typically
enforced through various security mechanisms.
• Access Controls: Sandboxes implement access controls to restrict what resources and
capabilities the sandboxed code can access. This includes limiting access to system files,
network resources, and hardware devices.
• Resource Limitation: Resource limitations are often imposed to prevent resource abuse
by the sandboxed code. This includes capping memory usage, CPU usage, and storage
space.
• Security Policies: Sandboxes define and enforce security policies that dictate what
actions the code within the sandbox can perform. These policies may include restrictions
on network communication, access to sensitive data, and system changes.
Sandbox Architecture:

• Interprocess Communication (IPC): In some cases, sandboxes allow controlled communication

between the sandboxed environment and the host system or other sandboxes. This is crucial for
legitimate interprocess communication while maintaining security.
• Monitoring and Reporting: Sandboxes often include monitoring and reporting mechanisms to
detect and report suspicious or malicious behavior within the sandbox. This can help security
professionals analyze potential threats.
• Virtualization or Containerization: Some sandboxes use virtualization or containerization
technologies to create separate virtual machines or containers for running code. This provides
strong isolation and separation between the sandboxed environment and the host system.
• Layered Security: Multiple layers of security are typically implemented in sandboxes to ensure
robust protection. These layers may include code analysis, behavior monitoring, and signature-
based detection.
• User Interaction Controls: For sandboxes in web browsers or mobile apps, controls are in place to
manage user interactions with the sandboxed content, ensuring that the user is not exposed to
potential threats.
How can you identify and mitigate client-server security
vulnerabilities?

• Assess your network environment

• Implement encryption and authentication

• Use firewalls, VPNs, and IDS/IPS

• Apply patches and updates

• Monitor and audit your network

Assess your network environment

Assessing your current environment and identifying potential

vulnerabilities is the first step to securing your client-server
network. You can use a variety of tools and methods to perform a
network assessment, such as scanning devices and ports for
open or misconfigured services, protocols, or applications,
analyzing the network topology and architecture for weak points
or bottlenecks, reviewing policies and procedures for compliance
and consistency, and testing security controls and defenses for
effectiveness and efficiency. By doing so, you can prioritize your
security needs and goals, as well as plan your mitigation
strategies accordingly.
Implement encryption and authentication

Securing your client-server network is essential, and one of the most

important aspects is to ensure that the data transmitted between
clients and servers is encrypted and authenticated. Encryption
prevents eavesdropping and tampering of your data by using a secret
key, while authentication verifies the identity and legitimacy of the
parties involved with passwords, certificates, tokens, or other
methods. To implement encryption and authentication protocols for
your client-server network, you can use Secure Sockets Layer (SSL)
or Transport Layer Security (TLS) for web-based applications, Secure
Shell (SSH) for remote access and administration, Kerberos for
distributed authentication and authorization, or IPsec for secure IP
communication. These protocols will help protect the confidentiality,
integrity, and authenticity of your network data and resources.
Use firewalls, VPNs, and IDS/IPS
To protect your client-server network, it is essential to secure the
network perimeter and traffic from external and internal attacks.
Firewalls, Virtual Private Networks (VPNs), and Intrusion Detection
Systems (IDS) or Intrusion Prevention Systems (IPS) are all useful tools
and technologies to enhance your network security. Firewalls can filter
and control incoming and outgoing network traffic based on predefined
rules and policies, while VPNs can create secure and encrypted tunnels
for remote access over public networks. IDS/IPS can monitor and
analyze network traffic for signs of malicious or anomalous activity,
alerting or blocking any attacks. These measures will help you prevent
or mitigate the impact of network threats, such as denial-of-service,
man-in-the-middle, or malware.
Apply patches and updates
One of the most common causes of client-server security vulnerabilities
is the lack of patches and updates for your client-server software and
hardware. Applying patches and updates is essential for fixing bugs,
improving performance, and addressing security issues that could
expose your network to exploits and vulnerabilities. This should include
operating system patches and updates for your client and server
machines, application patches and updates for your client and server
software, as well as firmware patches and updates for your network
devices and equipment. Doing so will help you keep your client-server
network up to date and secure from known or emerging threats.
Monitor and audit your network
The final step to securing your client-server network is to monitor
and audit your network activity and performance on a regular
basis. This will help you to detect and respond to any network
incidents or breaches, measure and evaluate your network
security posture and effectiveness, identify and resolve any
network issues or problems, as well as improve and optimize
your security policies and procedures. Various tools and methods
can be used for monitoring and auditing, such as network
monitoring and management tools for tracking and reporting
status, security tools for scanning and testing controls, as well as
logging and auditing tools for collecting and analyzing events.
Ultimately, monitoring and auditing will help you maintain and
improve the security and reliability of your client-server network.