HackCert
Beginner 9 min read December 16, 2024

Intro to Web Application Security Basics

Learn the fundamentals of web application security, the OWASP Top 10, common attack patterns, and defenses every developer and beginner should know.

Imran Khalid Mirza
Red Team Operator
Overview

Every login form, every shopping cart, every dashboard, and every comment box on the internet is a potential entry point for an attacker. Web applications power modern life, from banking to healthcare to government services. They also represent the largest, most accessible attack surface in computing. A single overlooked vulnerability in a public-facing application can expose millions of records, drain bank accounts, or hand control of critical infrastructure to a stranger half a world away.

This beginner's guide to web application security walks through the core ideas, the most common attack patterns, the OWASP Top 10, and the practical defenses that every developer and security beginner should understand.

Core Concepts

Web application security is the practice of protecting websites, web applications, and web services from cyber threats. It spans the entire stack: browser, network, application server, business logic, database, third-party integrations, and the people who build and maintain everything.

Every web application transmits data between a client (usually a browser) and a server. The client sends HTTP requests; the server returns responses. Modern apps add complexity with single-page architectures, REST and GraphQL APIs, WebSockets, server-sent events, and rich JavaScript frameworks. Each layer introduces opportunities for misconfiguration and abuse.

Three properties form the foundation, often called the CIA triad. Confidentiality keeps data away from unauthorized eyes. Integrity ensures data is not modified in transit or at rest. Availability keeps the application reachable and functional. A complete defense addresses all three.

Authentication answers "who are you?" Authorization answers "what are you allowed to do?" These two are frequently confused but distinct. Many real-world breaches stem from broken authorization where an authenticated user can act on data they should not access.

Trust boundaries are central to web security thinking. Any data coming from the user, whether through forms, URLs, headers, cookies, or files, is untrusted. Any data leaving the application toward users must be properly encoded for its destination. Failing to enforce these boundaries causes most of the bugs in the OWASP Top 10.

The OWASP Top 10

The Open Worldwide Application Security Project maintains a list of the most critical web application security risks, updated every few years. The current Top 10 is essential reading for every developer.

Broken Access Control sits at the top. It covers cases where users can access functions or data outside their permissions, such as changing a URL parameter to view another user's invoice. This category includes Insecure Direct Object References (IDOR) and missing function-level authorization.

Cryptographic Failures cover weak encryption, missing TLS, hard-coded keys, weak random number generation, and storing sensitive data in plaintext. The remedy is not "more crypto" but the right crypto, used correctly.

Injection vulnerabilities remain pervasive. SQL injection, command injection, NoSQL injection, and LDAP injection all happen when user input is concatenated into queries or commands. Parameterized queries and safe APIs prevent these issues.

Insecure Design highlights flaws baked into architecture: missing rate limits, no out-of-band verification on sensitive actions, or business logic that lets users bypass intended workflows. These cannot be patched away; they require redesign.

Security Misconfiguration includes default credentials, verbose error messages, unnecessary services, missing security headers, and unpatched software. It is among the easiest categories to exploit and to fix.

Vulnerable and Outdated Components covers libraries, frameworks, and dependencies with known CVEs. Tools like Dependabot, Snyk, and OWASP Dependency-Check can surface these continuously.

Identification and Authentication Failures include weak passwords, missing MFA, brittle password recovery, and session management bugs. They drive a huge portion of credential stuffing and account takeover attacks.

Software and Data Integrity Failures cover unsigned updates, untrusted deserialization, and CI/CD pipeline tampering. Supply chain attacks like SolarWinds live in this category.

Security Logging and Monitoring Failures mean that the application cannot detect or respond to attacks, either because it does not log relevant events or because no one is watching the logs.

Server-Side Request Forgery (SSRF) lets an attacker make the server send requests to internal endpoints, sometimes reaching cloud metadata services and stealing credentials.

Common Attacks Explained

Cross-Site Scripting (XSS) lets an attacker run JavaScript in another user's browser. Reflected XSS occurs when input is echoed straight back in a response, often via URL parameters. Stored XSS persists, such as in a comment that runs malicious script for every visitor. DOM-based XSS happens entirely client side when JavaScript inserts untrusted data into the DOM. The defense is contextual output encoding and Content Security Policy (CSP).

SQL Injection sends crafted input that changes the meaning of a SQL query. A login that builds the query with string concatenation can be bypassed by typing ' OR '1'='1 as the password. Modern frameworks support parameterized queries that eliminate the risk entirely.
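
The login bypass described above, next to its parameterized fix, as an added example that is not code from the original article. The table layout, the sample users, and the function names are constructed for illustration.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"  # the password input quoted in the text above


def make_db():
    # Constructed sample data. Passwords are stored in plaintext only to keep
    # the demonstration short; a real application stores a password hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2")],
    )
    return db


def login_concatenated(db, username, password):
    # Vulnerable form: user input becomes part of the SQL text, so a quote
    # character in the input can close the string literal and add conditions.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    # Hardened form: the query text is fixed and the inputs are bound as data,
    # so the payload is compared as a literal string and matches nothing.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated accepts payload: ", login_concatenated(db, "alice", PAYLOAD))
    print("parameterized accepts payload:", login_parameterized(db, "alice", PAYLOAD))
```
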

Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into sending an unwanted request, such as transferring money. Defenses include CSRF tokens, SameSite cookies, and re-authentication for sensitive actions.

Insecure Direct Object References allow users to read or modify resources by changing identifiers in URLs or requests. A URL like /invoices/1042 may show invoice 1042 to anyone, regardless of ownership. The fix is server-side authorization checks on every access.
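
The /invoices/1042 case above with and without the server-side ownership check, as an added example that is not code from the original article. The invoice records, the "billing-admin" role, and the choice to answer 404 for invoices the caller does not own are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    total_cents: int


# Constructed sample data: invoice 1042 belongs to bob.
INVOICES = {
    1041: Invoice(1041, "alice", 12900),
    1042: Invoice(1042, "bob", 45000),
}


def get_invoice_unchecked(session_user, invoice_id):
    # IDOR: the handler trusts the identifier from the URL and never compares
    # the invoice owner with the authenticated user.
    invoice = INVOICES.get(invoice_id)
    return (200, invoice) if invoice else (404, None)


def get_invoice_checked(session_user, invoice_id, roles=frozenset()):
    # Authorization is decided on the server for every access, using the
    # identity from the session rather than anything the client supplied.
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and (
        invoice.owner == session_user or "billing-admin" in roles
    )
    # "Not found" and "not yours" return the same response, so identifiers
    # cannot be probed to learn which invoices exist.
    return (200, invoice) if allowed else (404, None)


if __name__ == "__main__":
    print(get_invoice_unchecked("alice", 1042))  # bob's invoice is returned
    print(get_invoice_checked("alice", 1042))    # refused
    print(get_invoice_checked("bob", 1042))      # owner is served
```
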

Server-Side Request Forgery convinces the server to fetch a URL chosen by the attacker. On cloud platforms, hitting the instance metadata endpoint can leak temporary credentials that grant access to other services.

File upload vulnerabilities arise when an application accepts and stores user files without validation. Attackers may upload malicious executables, oversize files to exhaust disk, or files with crafted names that escape directories.

Open redirect vulnerabilities turn your domain into a phishing launchpad. An attacker sends a link to your trusted site that quietly redirects victims to a malicious one. Always validate redirect targets against an allow list.
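
One way to validate a redirect target against an allow list, as an added example that is not code from the original article. The host names, the HTTPS-only rule, and the fallback to "/" are assumptions; the function is meant to run on the server before a Location header is issued.

```python
from urllib.parse import urlsplit

# Hypothetical allow list of hosts this site is willing to redirect to.
ALLOWED_HOSTS = frozenset({"app.example.com", "help.example.com"})


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return target if it is safe to redirect to, otherwise default."""
    # Backslashes and control characters are refused outright: browsers treat
    # "\" like "/" and drop tabs and newlines, so the URL a browser follows
    # could differ from the one parsed here.
    if not target or "\\" in target or any(ord(c) < 0x20 for c in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:
        return default

    if not parts.scheme and not parts.netloc:
        # Relative target: accept only a same-site absolute path. A leading
        # "//" is a scheme-relative URL that points at another host.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default

    # Absolute target: HTTPS only, and the parsed host must be on the list.
    # parts.hostname excludes userinfo and port, so a trusted name placed
    # before an "@" does not count as the host.
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        return default
    return target


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["/account?tab=billing", "https://help.example.com/faq",
                   "https://other.example.net/", "//other.example.net/x"]:
        print(f"{sample!r:40} -> {safe_redirect_target(sample)!r}")
```
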

Real-world Examples

The 2017 Equifax breach exposed personal data of nearly 150 million people. The root cause was an unpatched vulnerability in Apache Struts, a server-side framework. A timely patch would have stopped the attack outright.

The British Airways breach of 2018 saw attackers inject 22 lines of malicious JavaScript into a third-party script used on payment pages, skimming card details from hundreds of thousands of customers. It resulted in a record GDPR fine. The class of attack, known as Magecart, continues to target e-commerce sites globally.

Authorization failures regularly headline breach reports. In 2021, researchers showed how a misconfigured Microsoft Power Apps portal exposed 38 million records across major organizations. The defect was not exotic; it was a default access setting that exposed data lists to anonymous users.

GitHub leaks of secrets and API keys feed an underground economy. Tools like TruffleHog and gitleaks help defenders catch them before attackers do, but every week new breaches emerge from credentials checked into public repositories.

Best Practices & Mitigation

Build security in from the start. Threat model new features by asking what could go wrong, who might attack it, and what data is at risk. The earlier security questions are asked, the cheaper they are to answer.

Use a modern framework that handles common dangers by default. React, Angular, and Vue escape HTML by default to prevent XSS. ORMs like Prisma, SQLAlchemy, and Hibernate use parameterized queries. Authentication libraries handle hashing, session management, and MFA. Reinventing these wheels is a recipe for vulnerabilities.

Apply the principle of least privilege to users, services, and databases. Each component should have only the permissions it needs. Database accounts used by your application should not be database administrators.

Validate inputs on the server. Client-side validation is a usability feature, never a security control. Assume any request, including those from your own front end, is hostile.

Encode outputs based on context. Data going into HTML, attributes, JavaScript, URLs, or CSS each require different encoding. Templating engines that auto-escape help, but be wary of constructs that bypass auto-escaping.

Add the security headers. Strict-Transport-Security forces HTTPS. Content-Security-Policy controls where scripts and other resources may load from. X-Frame-Options or frame-ancestors prevent clickjacking. Cookie attributes like HttpOnly, Secure, and SameSite limit session theft.
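
A small audit of a response for the headers and cookie attributes named above, as an added example that is not code from the original article. The function name and both sample responses are constructed; the check covers presence only and does not judge whether a policy value is strong enough.

```python
def audit_headers(headers):
    """headers: list of (name, value) pairs from one HTTP response.
    Returns a list of findings; an empty list means nothing is missing."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    findings = []
    if "strict-transport-security" not in by_name:
        findings.append("missing Strict-Transport-Security")

    csp = "; ".join(by_name.get("content-security-policy", []))
    if not csp:
        findings.append("missing Content-Security-Policy")

    # Clickjacking protection may come from either mechanism.
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    if "frame-ancestors" not in directives and "x-frame-options" not in by_name:
        findings.append("missing X-Frame-Options or frame-ancestors")

    # Each Set-Cookie header is "name=value; Attr; Attr=value; ...".
    for cookie in by_name.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        for attr in ("HttpOnly", "Secure", "SameSite"):
            if attr.lower() not in attrs:
                findings.append(f"cookie {cookie_name}: missing {attr}")
    return findings


# Constructed sample responses: one with the weak defaults, one corrected.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(response))
```
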

Manage secrets carefully. Never commit credentials to source control. Use a secret manager such as AWS Secrets Manager, HashiCorp Vault, or Doppler. Rotate secrets regularly and revoke them promptly when exposed.

Patch quickly. Subscribe to vendor advisories, automate dependency upgrades where possible, and track end-of-life software. A known CVE in a public service is a countdown timer.

Log and monitor. Capture authentication events, authorization failures, sensitive operations, and unusual traffic patterns. Feed logs to a SIEM, set up alerts, and run regular reviews.

Finally, test continuously. Static analysis (SAST), dynamic analysis (DAST), interactive testing (IAST), software composition analysis (SCA), and penetration tests all play roles. Coupled with bug bounty programs, they keep your defenses honest.

Key Takeaways

Web application security is foundational to modern cybersecurity. The OWASP Top 10 is not a checklist to memorize but a map of how attackers think about your applications. By understanding the trust boundaries between users and servers, applying secure defaults, validating and encoding correctly, and monitoring relentlessly, beginners can build a strong mental model for defending the web.

Attacks evolve, frameworks change, and new categories of bug emerge each year. But the discipline endures. Threat model early, code defensively, test often, and treat user data as the precious asset it is. Web application security is a craft, and like any craft, it rewards practice.
