The Web is a vast cyberspace that is publically available and [mostly] accessible for all people anytime and from any location. Another important characteristic of the Web is the anonymity it gives for people. When we go online, we become this faceless, nameless person. This anonymity seems to give some people a pass to do things that they wouldn't otherwise.

The openness of the Web and the anonymity it provides, fosters a environment for malicious behavior. As a result, public websites present rich attack surface, but also, some websites are the object (tool) by which many attackers strike. As individuals, we are concerned about our safety and privacy, and as websites owners, we must actively protect the confidentiality, integrity, and availability of our information assets online.

A subject of attack is the target. So when a website is the subject of attack, the attacker would try to do something malicious to the website. An object of attack is the tool utilized in initiating or performing the action of the attack. When a website is the object of the attack, it sends the client malicious code.

Figure 2.1: Web Anonymity

As discussed earlier, people access websites through web browsers. The server is waiting and listening to our requests. Users' personal computers receive web pages along with related artifacts (client-side stuff). This request-response model assumes mutual trust between the participants (client and server). However, quite often, this trust is misused from both parties. An attacker can send malicious content to the server within the HTTP request. And a malicious website can send intrusive content back to us (the client) within the HTTP response.

The inherent problem of the Web is that [web] traffic is flowing in and out between the client and the server. Ports on both sides are open and ready to accept web traffic. Therefore, security tools, like the firewall, may not protect against web attacks since they are configured to let web traffic through. On the server, for instance, ports 80 (HTTP) and 443 (HTTPS) are open otherwise the website is inaccessible (which would defeat its purpose).

Some might think that security measures taken to protect organizational infrastructure is enough to protect the web application against attacks. The reality is, web apps are attacked at the application level. In other words, attackers target the web server posing as legitimate website users.

Also, such measures as using HTTPS and Secure Socket Layer (SSL) to encrypt web traffic, only protects data while its on-the-move between the client and the server (or vice versa) but not while the data is sitting on either sides.

Security breaches in web applications may lead to serious implications. An organization's website is its public front and therefore a lot is at stake. Here are some possible implications:

• Unauthorized access to data (information confidentiality)
• Unauthorized data change (information integrity)
• Denial of Service (information availability)
• Theft of identity or money
• Website defacement

There are few organizations that provide World Wide Web security information, guidelines, and best-practices. To name a few: OWASP, NIST, WASC, etc.

• Threat: A threat is a potential violation of security. The source of a threat can be a person (e.g., hacker, employee), or an incident (e.g., power failure).
• Impact: The impact of an event (e.g. an attack) is defined as the "consequences for an organization or environment when an attack is realized, or weakness is present." [3]
• Attack: An attack is "a well-defined set of actions that, if successful, would result in either damage to an asset, or undesirable operation" [3]. Bu definition, and attack may, or may no, be successful.
• Weakness: A weakness is "a type of mistake in software that, in proper conditions, could contribute to the introduction of vulnerabilities within that software. This term applies to mistakes regardless of whether they occur in implementation, design, or other phases of the SDLC." [4]
• Vulnerability: A vulnerability is "an occurrence of a weakness (or multiple weaknesses) within software, in which the weakness can be used by a party to cause the software to modify or access unintended data, interrupt proper execution, or perform incorrect actions that were not specifically granted to the party who uses the weakness." [4]
• Authentication: Authentication is the process of verifying the true identity of an actor by checking his or her credentials such as username and password.
• Authorization: Authorization is the process of determining whether an actor is allowed to access a resource of perform an action. Authorization typically comes after authentication and is all about Access Control.

Figure 2.2: Authentication

WASC, or the Web Application Security Consortium, is a not-for-profit charitable organization made up of an international group of experts, industry practitioners, and organizational representatives who produce open source and agreed upon best-practice security standards for the World Wide Web [3]. WASC feature articles, guidelines, and projects related Web security.

The Web Application Security Scanner Evaluation Criteria (WASSEC) is a set of guidelines to evaluate web application scanners on their ability to effectively test web applications and identify vulnerabilities. It covers areas such as crawling, parsing, session handling, testing, and reporting [3]. The course covers some of these tools.

The WASC Threat Classification (TC) clarifies and organizes the threats to the security of a web site. The aim of the project is to "develop and promote industry standard terminology for describing these issues" [3]. WASC TC provides a reference to security threats by classifying them as attacks (e.g. a brute force attack on the login page of a website), and weaknesses (e.g. server misconfiguration where the admin left few defaults unchanged).

• Cross-Site Scripting (XSS): is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
• SQL Injection: is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database.
• Buffer Overflow: A Buffer Overflow is a flaw that occurs when more data is written to a block of memory, or buffer, than the buffer is allocated to hold. Exploiting a buffer overflow allows an attacker to modify portions of the target process’ address space.
• Fingerprinting: The most common methodology for attackers is to first footprint the target's web presence and enumerate as much information as possible. With this information, the attacker may develop an accurate attack scenario, which will effectively exploit a vulnerability in the software type/version being utilized by the target host.
• Path Traversal: The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.
• Denial of Service (DoS): is an attack technique with the intent of preventing a web site from serving normal user activity. DoS attacks, which are easily normally applied to the network layer, are also possible at the application layer. These malicious attacks can succeed by starving a system of critical resources, vulnerability exploit, or abuse of functionality.

• Server Misconfiguration: attacks exploit configuration weaknesses found in web servers and application servers. Many servers come with unnecessary default and sample files, including applications, configuration files, scripts, and web pages. They may also have unnecessary services enabled, such as content management and remote administration functionality. Debugging functions may be enabled or administrative functions may be accessible to anonymous users. These features may provide a means for a hacker to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges.
• Directory Indexing: Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file (index.html / home.html / default.htm / default.asp / default.aspx / index.php) is not present.
• Insufficient Authentication: occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate. Web-based administration tools are a good example of web sites providing access to sensitive functionality. Depending on the specific online resource, these web applications should not be directly accessible without requiring the user to properly verify their identity.
• Insufficient Authorization: results when an application does not perform adequate authorization checks to ensure that the user is performing a function or accessing data in a manner consistent with the security policy. Authorization procedures should enforce what a user, service or application is permitted to do. When a user is authenticated to a web site, it does not necessarily mean that the user should have full access to all content and functionality.
• Improper Input Handling: is one of the most common weaknesses identified across applications today. Poorly handled input is a leading cause behind critical vulnerabilities that exist in systems and applications. Generally, the term input handing is used to describe functions like validation, sanitization, filtering, encoding and/or decoding of input data.
• Improper Output Handling: Output handling refers to how an application generates outgoing data. If an application has improper output handling, the output data may be consumed leading to vulnerabilities and actions never intended by the application developer. In many cases, this unintended interpretation is classified as one or more forms of critical application vulnerabilities.

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. The Information Technology Laboratory (ITL) is one of NIST’s six research laboratories that focuses on IT measurements, testing, and standards, and is a globally recognized and trusted source of high-quality, independent, and unbiased research and data. [5]

NIST provides information and guidelines in the form of online publications. In the are of Web Security, publication SP 800-44 provides guidelines on Securing Public Web Servers, and pubblication SP 800-95 is a guide to Secure Web Services.

OWASP, or the Open Web Application Security Project, is a "worldwide not-for-profit charitable organization focused on improving the security of software." Their mission is "to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks" [6] OWASP feature many resources, guidelines, and projects related to Web security. The most relevant to this course is the OWASP Top 10 project.

"The OWASP Top Ten is a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are" [6] Security flaws discussed in this course are based on the OWASP Top 10 project.