Web application security is a branch of information security that deals specifically with the security of websites, web applications and web services. At a high level, web application security draws on the principles of application security but applies them specifically to Internet and Web systems.
Design Web Application Security Architecture:
A typical web application architecture contains three tiers, separating the externally facing web server from the internal application server and database server. With a tier-based architecture such as this, even if an attacker compromises the externally facing web server from the outside, they still have to find a way to gain access to and attack the internal network. This is the principle of defence in depth. Defence in depth is a practical approach to information security; the fundamental concept always centres on the idea of multiple layers of security protecting vital assets. Layers of security include input validation, database layer abstraction, server configuration, proxies, web application firewalls, data encryption, OS hardening, and so on.
The majority of web application attacks occur through cross-site scripting (XSS) and SQL injection, which typically result from flawed coding and from failure to sanitize input to and output from the web application.
- SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
- SQL injection is very common in PHP and ASP applications due to the prevalence of older functional interfaces. Because of the nature of the programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
- The severity of SQL injection attacks is limited by the attacker's skill and imagination and, to a lesser extent, by defence in depth countermeasures such as low-privilege connections to the database server. In general, consider SQL injection a high-impact severity.
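The "flawed coding" and the two defensive layers named above (input validation and database layer abstraction) side by side, as an added example that is not part of the original text. It uses Python's standard `sqlite3` module with a constructed in-memory table; the `USERNAME_RE` allow-list and all function names are assumptions for this illustration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # assumed allow-list for this example


def build_db() -> sqlite3.Connection:
    # Constructed in-memory sample table; not data from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The flawed coding the text describes: input is spliced into the SQL text,
    # so a quote character in the input changes the structure of the query.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Database layer: the statement is compiled with a placeholder and the value
    # is bound separately, so the input is only ever compared as data.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_defended(conn: sqlite3.Connection, username: str) -> list:
    # Input validation in front of the database layer (defence in depth): reject
    # anything outside the allow-list before it reaches the database at all.
    if not USERNAME_RE.match(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


def demo() -> dict:
    conn = build_db()
    # Constructed hostile input: a quote closes the literal and a tautology follows.
    hostile = "' OR '1'='1"
    results = {
        "vulnerable": lookup_vulnerable(conn, hostile),        # every row is returned
        "parameterized": lookup_parameterized(conn, hostile),  # no such user: []
    }
    try:
        lookup_defended(conn, hostile)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"
    return results
```

Running `demo()` shows the same input returning all three rows from the concatenated query, an empty result from the parameterized one, and a rejection before any query from the validated one.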