Attacks on Web Applications

Ayushi Malik, Shagun Gehlot, Ambika Aggarwal
Copyright: © 2023 |Pages: 32
DOI: 10.4018/978-1-6684-8218-6.ch002

Abstract

Online applications hold sensitive and valuable data, and attackers strive to identify weaknesses and exploit them in order to steal data, impersonate users, or disrupt the application. Web applications are increasingly exposed to more advanced threats and attack vectors. Additionally, theft of private information, such as user credentials or credit card billing details, occurs frequently. Attackers initially concentrated on obtaining personal information that was accidentally exposed through poorly built or poorly protected web apps. Insecure design, security misconfiguration, vulnerable and outdated components, and identification and authentication failures are among the most prominent web application vulnerabilities covered in this chapter. The authors present countermeasures, including fuzz testing, source code review, and output encoding approaches, that address these vulnerabilities. As a result, this chapter offers information on the various attacks that users of web applications encounter.

1. Introduction

The evolution of Internet and Web technologies, combined with rapidly increasing Internet connectivity, defines the new business landscape. Web apps are a key element of internet commerce. Everyone connected to the Internet utilizes a plethora of web apps for a wide range of activities, such as social networking, online shopping, email, and chat. Web applications are now becoming exposed to more complex threats and attack methods. Attackers may misuse private information, which not only violates users' privacy but also opens the door to user impersonation. This module will familiarize you with various web applications, web attack vectors, and how to protect an organization's information resources from them. It describes the general web application [1] hacking methodology that most attackers use to exploit a target system. Ethical hackers can use this methodology to assess their organization's security against web application attacks. The module also presents several tools that are helpful at different stages of a web application security assessment. This chapter covers several web application security tools that protect against attacks common today and gives a brief overview of each attack and its countermeasures.

1.1 Evolution of the Web

The World Wide Web is a network of publicly accessible websites that can be viewed online. It is commonly referred to simply as the Web or the WWW. The Web is not the same as the Internet; it is one of several applications built on top of the Internet. The evolution of the Web may be understood by dividing it into three waves: (1) the read-only Web, (2) the read/write Web, and (3) the programmable Web. These waves are not separated strictly by time but rather by the introduction of new functions; as a result, they may overlap and coexist.

Figure 1. Phases of web evolution

The phrase “Web 1.0” [1] refers to the initial iteration of the Web (the read-only Web), which comprises applications that provide information in one direction but have limited communication and user interaction capabilities. Search engines and e-commerce platforms fall under this first wave, because they make it possible to perform transactions involving both physical goods and digital data. The first generation of the Web was a time of static sites devoted solely to content delivery. The early Web made it possible to read and search for information, but there was hardly any user input or user-generated content. The term “Web 2.0” [2] refers to the second wave, the read/write Web, which places a strong emphasis on participation, teamwork, and co-creation as means of fostering community connection. Examples of this second wave include social networking platforms and blogs. Interactive, collaborative, and distributed behaviors, the key components of Web 2.0, allow both formal and informal daily activities to be conducted online. The third wave, Web 3.0 [2] (the programmable Web), lets anyone create a new application or service using the infrastructure that the Web provides. The emergence of cloud computing, which enables the Web to serve as a platform for an ecosystem of people, apps, services, and even things (the Internet of Things, IoT), is what drives this wave. The fundamental idea of Web 3.0 [3] is to create data structures and link them together to improve application discovery, automation, integration, and reuse.

1.2 Web 1.0, Web 2.0, and Web 3.0 Distinctions

The primary distinction between Web 1.0, Web 2.0, and Web 3.0 is that Web 1.0 is thought of as a read-only Web that emphasizes the originality of the creators' material, Web 2.0 emphasizes content creation by both users and producers, and Web 3.0 focuses on huge interconnected datasets. The finer differences are summarized in Figure 2.

Figure 2. Web 1.0 vs. Web 2.0 vs. Web 3.0
