Web Application Security
OWASP Top 10, XSS, CSRF, SQL injection, and secure coding practices.
Overview
Web application security protects against attacks on web services.
OWASP Top 10 (2021)
- Broken Access Control - Unauthorized access
- Cryptographic Failures - Weak encryption
- Injection - SQL, NoSQL, OS, LDAP injection
- Insecure Design - Missing security controls
- Security Misconfiguration - Default settings
- Vulnerable Components - Outdated libraries
- Authentication Failures - Weak credentials
- Software Integrity Failures - Unsigned updates
- Logging Failures - Insufficient monitoring
- SSRF - Server-side request forgery
Cross-Site Scripting (XSS)
Types
- Reflected XSS - URL parameters
- Stored XSS - Database content
- DOM XSS - Client-side JavaScript
Prevention
// Input sanitization: strips the characters most often used to build markup.
// This is a blocklist and is not sufficient by itself; always encode on output too.
function sanitizeInput(input) {
  return input.replace(/[<>'"]/g, '');
}

// Output encoding (browser-side): let the DOM serialize the text so that
// &, < and > become entities before the string is inserted as HTML.
// Quotes are not escaped this way, so the result is safe for element
// content but not for unquoted attribute values.
function escapeHtml(text) {
  const div = document.createElement('div');
  div.textContent = text;
  return div.innerHTML;
}

Content Security Policy response header, which restricts where scripts may be loaded from:
Content-Security-Policy: default-src 'self'; script-src 'self'
SQL Injection
Vulnerable Code
# DON'T DO THIS: the username is spliced into the SQL text, so quote
# characters in the input change the structure of the query
query = f"SELECT * FROM users WHERE username = '{username}'"
cursor.execute(query)
Secure Code
# Parameterized query: the driver sends the value separately from the SQL text,
# so it can never be interpreted as SQL. %s is the DB-API paramstyle used by
# drivers such as psycopg2 and MySQLdb (sqlite3 uses ?), not Python string formatting.
query = "SELECT * FROM users WHERE username = %s"
cursor.execute(query, (username,))
CSRF Protection
# Generate CSRF token (Flask-style; the token is kept in the user's session)
import secrets
from flask import request, session, abort

csrf_token = secrets.token_hex(32)
session['csrf_token'] = csrf_token

# Add to form
<form method="POST">
  <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
</form>

# Validate on server: reject a missing token and compare in constant time
submitted = request.form.get('csrf_token', '')
if not secrets.compare_digest(submitted, session.get('csrf_token', '')):
    abort(403)
Security Headers
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Practice
Test a web application for OWASP Top 10 vulnerabilities using DVWA.