Web Application Security
OWASP Top 10, XSS, CSRF, SQL injection, and secure coding practices.
Overview
Web application security covers the flaws that arise where untrusted input from a browser reaches server-side code, a database, or another user's browser, and the controls (input validation, context-aware output encoding, parameterized queries, anti-CSRF tokens, response headers) that close them.
OWASP Top 10 (2021)
- A01 Broken Access Control — users acting outside their intended permissions (IDOR, missing function-level checks, privilege escalation)
- A02 Cryptographic Failures — weak, misused or missing encryption for data in transit or at rest (formerly Sensitive Data Exposure)
- A03 Injection — SQL, NoSQL, OS command and LDAP injection; XSS is also classed here in the 2021 list
- A04 Insecure Design — security controls missing or ineffective at the design stage; cannot be fixed by a perfect implementation
- A05 Security Misconfiguration — default accounts, verbose error pages, unneeded features left enabled
- A06 Vulnerable and Outdated Components — libraries and frameworks with known vulnerabilities
- A07 Identification and Authentication Failures — weak credentials, credential stuffing, broken session management
- A08 Software and Data Integrity Failures — unsigned updates, insecure deserialization, untrusted CI/CD pipelines
- A09 Security Logging and Monitoring Failures — breaches that are not detected, logged or escalated
- A10 Server-Side Request Forgery (SSRF) — the server fetches an attacker-chosen URL, often reaching internal services
Cross-Site Scripting (XSS)
Types
- Reflected XSS — the payload arrives in the request (URL parameter, form field, header) and is echoed straight back in that response
- Stored XSS — the payload is saved server-side (comments, profiles, messages) and served to every user who later views it
- DOM XSS — client-side JavaScript writes untrusted data (location.hash, postMessage, local storage) into a sink such as innerHTML or eval; the server may never see the payload
Prevention
// Input validation by character stripping. This is a blocklist: it is lossy
// (it mangles legitimate input such as O'Brien) and it does nothing for a
// payload that needs none of these characters, e.g. a javascript: URL or an
// event handler injected into an unquoted attribute. Validate input against
// its expected shape; rely on output encoding, not stripping, to stop XSS.
function sanitizeInput(input) {
  return input.replace(/[<>'"]/g, '');
}
// Content Security Policy: even if an injection slips through, inline
// scripts and scripts from other origins are refused. The keyword 'self'
// must keep its single quotes or the browser ignores it.
Content-Security-Policy: default-src 'self'; script-src 'self'
// Output encoding for the HTML text context (browser-side). Assigning to
// textContent stores the string as data; reading innerHTML back returns it
// with &, < and > entity-encoded. Quotes are NOT encoded, so this is only
// safe for text nodes, not for attribute values, URLs or script blocks,
// which each need their own encoder.
function escapeHtml(text) {
  const div = document.createElement('div');
  div.textContent = text;
  return div.innerHTML;
}
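The three snippets above each cover one context, and the stripping function gives a false sense of safety. The following Python program is an added example, not code from the original page: it implements the per-context encoders (HTML text/attribute, JavaScript string literal, URL with a scheme allowlist) with the standard library, and renders the same template once relying on character stripping and once with proper encoding, using constructed attacker input. The function names, the template and the payloads are illustrative assumptions.

```python
import html
import json
import re


def strip_chars(value):
    """The page's blocklist sanitizer: removes < > ' " and nothing else."""
    return re.sub(r'[<>\'"]', '', value)


def encode_html(value):
    """HTML text or *quoted* attribute context: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """JavaScript string-literal context inside a <script> block.
    json.dumps escapes quotes, backslashes and all non-ASCII (so U+2028/9 too);
    '</' is escaped as well so a value cannot close the script element."""
    return json.dumps(value).replace('</', '<\\/')


def safe_href(value):
    """URL context: allowlist the scheme before attribute-encoding; anything
    else (javascript:, data:, protocol-relative //) is replaced by '#'."""
    v = value.strip()
    low = v.lower()
    ok = low.startswith(('http://', 'https://')) or (
        low.startswith('/') and not low.startswith('//'))
    return html.escape(v, quote=True) if ok else '#'


def render_with_stripping(name, url):
    """Template that trusts strip_chars and leaves attributes unquoted."""
    return f'<a href={strip_chars(url)} title={strip_chars(name)}>profile</a>'


def render_with_encoding(name, url):
    """Same output, but each insertion point uses the encoder for its context
    and every attribute is quoted."""
    return (f'<a href="{safe_href(url)}" title="{encode_html(name)}">profile</a>'
            f'<script>var user = {encode_js_string(name)};</script>')


# Constructed attacker input for the demonstration (not from the page).
NAME = 'x" onmouseover="alert(1)'
URL = 'javascript:alert(1)'
SCRIPT_BREAKOUT = '</script><script>alert(1)</script>'

if __name__ == '__main__':
    # Stripping the quotes leaves a working event handler and a javascript: URL:
    print(render_with_stripping(NAME, URL))
    # Encoding keeps the data intact but makes it inert in every context:
    print(render_with_encoding(NAME, URL))
    print(encode_js_string(SCRIPT_BREAKOUT))
```

With stripping, the name `x" onmouseover="alert(1)` becomes `x onmouseover=alert(1)`, which in an unquoted `title=` attribute yields a real `onmouseover` handler, and the `javascript:` URL passes through untouched. With encoding, the same name is stored verbatim, the attribute value is quoted and entity-encoded, and the URL is rejected by the scheme allowlist. Template engines with auto-escaping do the HTML part for you, but the URL and script contexts still need explicit handling.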
SQL Injection
Vulnerable Code
# DON'T DO THIS: the value becomes part of the SQL text, so a quote in it
# changes the statement's structure (e.g. username = x' OR '1'='1)
query = f"SELECT * FROM users WHERE username = '{username}'"
cursor.execute(query)
Secure Code
# Parameterized query: the SQL text is fixed and the value is bound
# separately by the driver, never spliced into the statement. %s here is
# the DB-API placeholder used by psycopg2/MySQLdb (sqlite3 uses ?), not
# Python string formatting.
query = "SELECT * FROM users WHERE username = %s"
cursor.execute(query, (username,))
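To see the difference run end to end, here is an added example (not from the original page) that builds a constructed in-memory SQLite table, runs the vulnerable and the parameterized lookup against the same attacker inputs, and also shows the one thing parameters cannot do: bind an identifier, which has to be allowlisted instead. The table, the data and the payloads are illustrative assumptions; the placeholder is `?` because the example uses the sqlite3 driver rather than the `%s` style on the page.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)')
    conn.executemany('INSERT INTO users (username, role) VALUES (?, ?)',
                     [('alice', 'admin'), ('bob', 'user'), ('carol', 'user')])
    return conn


def lookup_vulnerable(conn, username):
    """The page's DON'T pattern: the value is spliced into the SQL text,
    so quote characters in it change the statement's structure."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Parameterized: the SQL text is fixed and the value is bound separately.
    sqlite3 uses '?' placeholders; psycopg2/MySQLdb use '%s' as on the page."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Identifiers (table/column names, ORDER BY targets) cannot be bound as
# parameters; the only safe option is an allowlist of known names.
ALLOWED_SORT = {'username', 'role'}


def list_users_sorted(conn, column):
    """Sort by a user-chosen column without ever interpolating raw input."""
    if column not in ALLOWED_SORT:
        raise ValueError(f'unsupported sort column: {column!r}')
    return [row[0] for row in conn.execute(f'SELECT username FROM users ORDER BY {column}')]


# Constructed attacker inputs (not from the page).
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT role FROM users --"

if __name__ == '__main__':
    conn = make_db()
    print(lookup_vulnerable(conn, 'alice'))               # the intended result
    print(lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY))     # every user
    print(lookup_vulnerable(conn, PAYLOAD_UNION))         # data from another column
    print(lookup_parameterized(conn, PAYLOAD_TAUTOLOGY))  # no such username
```

The tautology payload turns the WHERE clause into `username = 'x' OR '1'='1'` and the UNION payload appends a second SELECT and comments out the dangling quote; the parameterized version simply looks for a user whose name is the literal payload string and finds none.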
CSRF Protection
# Generate CSRF token (once per session) and keep it server-side
import secrets
csrf_token = secrets.token_hex(32)
session['csrf_token'] = csrf_token
# Add to form
<form method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token }}">
</form>
# Validate on every state-changing request: fail closed if the token is
# missing and compare in constant time
submitted = request.form.get('csrf_token', '')
expected = session.get('csrf_token', '')
if not expected or not secrets.compare_digest(expected, submitted):
    abort(403)
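The synchronizer-token pattern above, written out as a complete, framework-free Python example (added here, not code from the original page): a dict stands in for the server-side session store, the token is issued once per session, the check fails closed on a missing value and compares in constant time, and a simulated legitimate submission is contrasted with a forged cross-site POST. The `handle_transfer` endpoint and its form fields are illustrative assumptions.

```python
import secrets

TOKEN_KEY = 'csrf_token'
SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS')


def issue_csrf_token(session):
    """Create a token the first time a session needs one and store it
    server-side; every form in that session carries the same value."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_hex(32)
    return session[TOKEN_KEY]


def hidden_field(session):
    """The hidden input the HTML form must include. token_hex output is
    [0-9a-f] only, so it needs no attribute encoding."""
    return f'<input type="hidden" name="{TOKEN_KEY}" value="{issue_csrf_token(session)}">'


def validate_csrf(session, form, method='POST'):
    """True only when a state-changing request carries the session's token.
    Missing values fail closed; the comparison is constant-time."""
    if method in SAFE_METHODS:
        return True  # safe methods must not change state, so need no token
    expected = session.get(TOKEN_KEY)
    supplied = form.get(TOKEN_KEY)
    if not expected or not supplied:
        return False
    return secrets.compare_digest(expected.encode(), supplied.encode())


def handle_transfer(session, form, method='POST'):
    """A state-changing endpoint guarded by the check (403 on failure)."""
    if not validate_csrf(session, form, method):
        return 403, 'CSRF token missing or invalid'
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


if __name__ == '__main__':
    session = {}                   # stands in for the server-side session store
    print(hidden_field(session))   # what the legitimate form renders
    token = session[TOKEN_KEY]
    # Legitimate submission from our own form:
    print(handle_transfer(session, {TOKEN_KEY: token, 'amount': '10', 'to': 'bob'}))
    # Forged cross-site POST: the attacker's page can make the browser attach
    # the victim's session cookie, but cannot read the token to include it:
    print(handle_transfer(session, {'amount': '9999', 'to': 'attacker'}))
```

The token must be unguessable (`secrets`, not `random`), tied to the session rather than global, and checked on every request that changes state; the constant-time compare avoids leaking how many leading bytes of a guess were right.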
Security Headers
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=31536000; includeSubDomains
CSP restricts where scripts, styles and other resources may be loaded from. nosniff stops the browser from MIME-sniffing a response into a script or stylesheet. X-Frame-Options DENY prevents the page from being framed for clickjacking (the CSP frame-ancestors directive is the modern replacement). HSTS makes the browser use HTTPS only, for a year and for subdomains, once it has seen the header over HTTPS. X-XSS-Protection controlled a legacy browser filter that has been removed from Chromium and was never implemented in Firefox; the filter could itself be abused, so the current recommendation is to send 0 or omit the header and rely on CSP.
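A practitioner usually wants to verify these headers on a live response rather than trust the configuration. The following Python audit is an added example (not code from the original page): it parses a raw HTTP response head, then checks the five headers above, including the CSP script source, the HSTS max-age, and the legacy X-XSS-Protection value. The sample response is constructed for the demonstration, and the finding wording and thresholds are the author's assumptions.

```python
ONE_YEAR = 31536000


def parse_raw_headers(raw):
    """Parse a raw HTTP response head (status line + headers) into a dict.
    Header names are case-insensitive, so keys are lower-cased."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the head; the body follows
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Content-Security-Policy: parse directives and look at what governs scripts.
    directives = {}
    csp = h.get('content-security-policy')
    if csp is None:
        findings.append('Content-Security-Policy: missing')
    else:
        for d in csp.split(';'):
            tokens = d.split()
            if tokens:
                directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
        script = directives.get('script-src', directives.get('default-src'))
        if script is None:
            findings.append('Content-Security-Policy: no script-src or default-src')
        elif "'unsafe-inline'" in script or '*' in script:
            findings.append("Content-Security-Policy: script-src allows 'unsafe-inline' or *")

    # Clickjacking: either header form is acceptable.
    xfo = h.get('x-frame-options', '').upper()
    if 'frame-ancestors' not in directives and xfo not in ('DENY', 'SAMEORIGIN'):
        findings.append('clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors')

    # HSTS: a short max-age gives little protection; subdomains should be covered.
    hsts = h.get('strict-transport-security')
    if hsts is None:
        findings.append('Strict-Transport-Security: missing')
    else:
        parts = [p.strip().lower() for p in hsts.split(';')]
        max_age = None
        for p in parts:
            if p.startswith('max-age='):
                try:
                    max_age = int(p[len('max-age='):])
                except ValueError:
                    pass
        if max_age is None or max_age < ONE_YEAR:
            findings.append('Strict-Transport-Security: max-age missing or below one year')
        if 'includesubdomains' not in parts:
            findings.append('Strict-Transport-Security: includeSubDomains not set')

    if h.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('X-Content-Type-Options: nosniff not set')

    # The legacy XSS filter should be disabled rather than enabled.
    xxp = h.get('x-xss-protection')
    if xxp is not None and xxp.strip() != '0':
        findings.append('X-XSS-Protection: legacy filter enabled; set to 0 or remove it and rely on CSP')

    return findings


# Constructed sample response for the demonstration (not a real server).
WEAK_RESPONSE = (
    'HTTP/1.1 200 OK\r\n'
    'Content-Type: text/html\r\n'
    "Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'\r\n"
    'Strict-Transport-Security: max-age=300\r\n'
    'X-XSS-Protection: 1; mode=block\r\n'
    '\r\n'
    '<html>...</html>'
)

# The header set from the page, with frame-ancestors added alongside X-Frame-Options.
GOOD_HEADERS = {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
}

if __name__ == '__main__':
    for finding in audit_headers(parse_raw_headers(WEAK_RESPONSE)):
        print('WEAK:', finding)
    print('GOOD:', audit_headers(GOOD_HEADERS) or 'no findings')
```

To run it against a real host, fetch the response head with `curl -sI https://example.com` (or `http.client`) and pass the text to `parse_raw_headers`; the audit is deliberately strict, so a finding is a prompt to look, not proof of a vulnerability.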
Practice
Set up Damn Vulnerable Web Application (DVWA) on a local machine you control and work through its XSS, SQL injection and CSRF modules at each security level. For every finding, map it to the OWASP Top 10 category above and confirm that the corresponding fix from this page (context-aware output encoding, parameterized queries, session-bound CSRF tokens, hardened response headers) actually closes it.