Unit I - WEB Application Security

WEB Application Security

Web application security (also known as Web AppSec) is the idea of building
websites to function as expected, even when they are under attack.

The concept involves a collection of security controls engineered into a Web
application to protect its assets from potentially malicious agents.

Web security refers to protecting networks and computer systems from damage to or
the theft of software, hardware, or data.

It also includes protecting computer systems from misdirecting or disrupting the
services they are designed to provide.

Taking proper web application security precautions helps reduce the risk of data
theft, compliance penalties, the cost of security fixes, and a ruined reputation.

High-quality web application security — which can be used to protect websites, web
services and web applications — should have four different layers of security: web
application firewall, access control, bot protection, and login protection.

Application security is the process of developing, adding, and testing security
features within applications to prevent security vulnerabilities against threats such as
unauthorized access and modification.

Authentication and authorization are both used in data security to safeguard an
automated data system. Both are crucial topics, often associated with the internet
as key components of its service infrastructure. However, each term is distinct
and represents a different concept: although they are frequently used in the same
context and with the same tools, they are entirely different from one another.
What is Authentication?
Authentication is the method of verifying the identity of a user or system to
ensure they are who they claim to be.
It involves checking credentials such as usernames, passwords, or biometric
information like fingerprints or facial recognition.
This step is vital for securing access to systems, programs, and sensitive records.
By confirming identities, authentication prevents unauthorized entry and
protects against security breaches.
What is Authorization?
Authorization is the method of determining and granting permissions to a
verified user or system, specifying which assets they can access and which
actions they are allowed to carry out.
It comes after authentication and guarantees that the authenticated entity has the
proper rights to use certain data, applications, or services.
This step is important for enforcing protection policies and controlling
access within the system, thereby stopping unauthorized activities.
Difference Between Authentication and Authorization
Authentication vs Authorization, row by row:

Authentication: In the authentication process, the identity of users is checked
before access to the system is granted.
Authorization: In the authorization process, a person's or user's authorities are
checked before access to the resources is granted.

Authentication: In the authentication process, users or persons are verified.
Authorization: In this process, users or persons are validated.

Authentication: It is done before the authorization process.
Authorization: This process is done after the authentication process.

Authentication: It usually needs the user's login details.
Authorization: It needs the user's privilege or security levels.

Authentication: Authentication determines whether the person is a user or not.
Authorization: It determines what permissions the user has.

Authentication: Generally transmits information through an ID Token.
Authorization: Generally transmits information through an Access Token.

Authentication: The OpenID Connect (OIDC) protocol is an authentication protocol
that is generally in charge of the user authentication process.
Authorization: The OAuth 2.0 protocol governs the overall user authorization
process.

Authentication: Popular Authentication Techniques -
 Password-Based Authentication
 Passwordless Authentication
 2FA/MFA (Two-Factor Authentication / Multi-Factor Authentication)
 Single sign-on (SSO)
 Social authentication
Authorization: Popular Authorization Techniques -
 Role-Based Access Controls (RBAC)
 JSON web token (JWT) Authorization
 SAML Authorization
 OpenID Authorization
 OAuth 2.0 Authorization

Authentication: The authentication credentials can be changed in part as and when
required by the user.
Authorization: The authorization permissions cannot be changed by the user, as
these are granted by the owner of the system and only he/she has the access to
change them.

Authentication: The user authentication is visible at the user end.
Authorization: The user authorization is not visible at the user end.

Authentication: The user authentication is identified with username, password, face
recognition, retina scan, fingerprints, etc.
Authorization: The user authorization is carried out through the access rights to
resources by using roles that have been pre-defined.

Authentication: Example: Employees in a company are required to authenticate
through the network before accessing their company email.
Authorization: Example: After an employee successfully authenticates, the system
determines what information the employees are allowed to access.

Conclusion
Authentication verifies the identity of a person or device, while
authorization determines their access rights and permissions within a system.
Together, they make sure that users are not only who they claim to be but also have
the permissions to perform certain actions or access certain resources.

Authentication is the act of validating that users are whom they claim to be. This is
the first step in any security process.

Complete an authentication process with:

 Passwords. Usernames and passwords are the most common authentication
factors. If a user enters the correct data, the system assumes the identity is
valid and grants access.
 One-time pins. Grant access for only one session or transaction.
 Authentication apps. Generate security codes via an outside party that
grants access.
 Biometrics. A user presents a fingerprint or eye scan to gain access to the
system.

In some instances, systems require the successful verification of more than one
factor before granting access. This multi-factor authentication (MFA) requirement is
often deployed to increase security beyond what passwords alone can provide.
What Is Authorization?

Authorization in system security is the process of giving the user permission to
access a specific resource or function. This term is often used interchangeably with
access control or client privilege.

Giving someone permission to download a particular file on a server or providing
individual users with administrative access to an application are good examples of
authorization.

In secure environments, authorization must always follow authentication. Users
should first prove that their identities are genuine before an organization's
administrators grant them access to the requested resources.

Authentication vs. Authorization

Despite the similar-sounding terms, authentication and authorization are separate
steps in the login process. Understanding the difference between the two is key to
successfully implementing an IAM solution.

Let's use an analogy to outline the differences.

Consider a person walking up to a locked door to provide care to a pet while the
family is away on vacation. That person needs:

 Authentication, in the form of a key. The lock on the door only grants access
to someone with the correct key in much the same way that a system only
grants access to users who have the correct credentials.
 Authorization, in the form of permissions. Once inside, the person has the
authorization to access the kitchen and open the cupboard that holds the pet
food. The person may not have permission to go into the bedroom for a quick
nap.

Authentication and authorization work together in this example. A pet sitter has the
right to enter the house (authentication), and once there, they have access to certain
areas (authorization).

Authentication and Authorization at a glance:

What does it do?
Authentication: Verifies credentials
Authorization: Grants or denies permissions

How does it work?
Authentication: Through passwords, biometrics, one-time pins, or apps
Authorization: Through settings maintained by security teams

Is it visible to the user?
Authentication: Yes
Authorization: No

Is it changeable by the user?
Authentication: Partially
Authorization: No

How does data move?
Authentication: Through ID tokens
Authorization: Through access tokens

Systems implement these concepts in the same way, so it's crucial that IAM
administrators understand how to utilize both:

 Authentication. Let every staff member access your workplace systems if
they provide the right credentials in response to your chosen authentication
requirements.
 Authorization. Grant permission to department-specific files, and reserve
access to confidential data, such as financial information, as needed. Ensure
that employees have access to the files they need to do their jobs.

Understand the difference between authentication and authorization, and implement
IAM solutions that have strong support for both. You will protect your organization
against data breaches and enable your workforce to be more productive.
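The two steps above, and the authentication factors listed earlier (password, one-time code from an authenticator app), can be shown end to end in a short program. The following is an added example written for these notes; it is not code from the original material. It assumes a constructed in-memory user store (USERS), hypothetical permission names such as "read:financial_records", a PBKDF2 password hash, an RFC 6238 time-based one-time code as the second factor, and a simple role table for authorization. Note that the code distinguishes "identity not established" (401) from "identity known but right not granted" (403), which is exactly the authentication/authorization split the text describes.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

# ---- Authentication: verify that the user is who they claim to be ----------

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Derive a PBKDF2-HMAC-SHA256 digest; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1), as authenticator apps generate it."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, drift: int = 1) -> bool:
    """Accept the current code and +/- `drift` steps to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret, at_time + d * step, step), code)
               for d in range(-drift, drift + 1))


# Constructed user store: salted password hashes, a TOTP secret and a role per user.
_SALT_A, _HASH_A = hash_password("correct-horse-battery")
_SALT_B, _HASH_B = hash_password("hunter2-is-not-great")
USERS: Dict[str, dict] = {
    "alice": {"salt": _SALT_A, "hash": _HASH_A, "totp_secret": b"alice-secret-20", "role": "staff"},
    "bob":   {"salt": _SALT_B, "hash": _HASH_B, "totp_secret": b"bob-secret-12345", "role": "finance"},
}


def authenticate(username: str, password: str, code: str, at_time: int) -> Optional[str]:
    """Both factors must pass; returns the authenticated principal or None."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # burn a hash so timing does not reveal valid usernames
        return None
    if not verify_password(password, user["salt"], user["hash"]):
        return None
    if not verify_totp(user["totp_secret"], code, at_time):
        return None
    return username


# ---- Authorization: decide what an authenticated principal may do ----------

ROLE_PERMISSIONS = {
    "staff":   {"read:email", "read:department_files"},
    "finance": {"read:email", "read:department_files", "read:financial_records"},
}


def authorize(principal: Optional[str], permission: str) -> bool:
    """Role-based check. Unauthenticated callers (None) are always denied."""
    if principal is None:
        return False
    role = USERS[principal]["role"]
    return permission in ROLE_PERMISSIONS.get(role, set())


def access_resource(username: str, password: str, code: str, at_time: int, permission: str) -> str:
    """The two steps in order: authenticate first, then authorize."""
    principal = authenticate(username, password, code, at_time)
    if principal is None:
        return "401 Unauthorized"   # identity not established
    if not authorize(principal, permission):
        return "403 Forbidden"      # identity known, right not granted
    return "200 OK"
```

The password check and the one-time code check both use hmac.compare_digest so that a wrong guess takes the same time as a right one; the authorization table is deliberately separate from the user records, so changing what a role may do never touches credentials.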

Secure Socket Layer (SSL)

Secure Socket Layer (SSL) provides security to the data that is transferred
between a web browser and a server. SSL encrypts the link between a web server and a
browser, which ensures that all data passed between them remains private and free
from attack. In this article, we are going to discuss SSL in detail, its protocols, the
salient features of SSL, and the versions of SSL.
What is a Secure Socket Layer?
SSL, or Secure Sockets Layer, is an Internet security protocol that encrypts data to
keep it safe. It was created by Netscape in 1995 to ensure privacy, authentication,
and data integrity in online communications. SSL is the older version of what we now
call TLS (Transport Layer Security).
Websites using SSL/TLS have “HTTPS” in their URL instead of “HTTP.”
How does SSL work?
 Encryption: SSL encrypts data transmitted over the web, ensuring privacy. If
someone intercepts the data, they will see only a jumble of characters that is
nearly impossible to decode.
 Authentication: SSL starts an authentication process called a handshake
between two devices to confirm their identities, making sure both parties are who
they claim to be.
 Data Integrity: SSL digitally signs data to ensure it hasn’t been tampered with,
verifying that the data received is exactly what was sent by the sender.
Why is SSL Important?
Originally, data on the web was transmitted in plaintext, making it easy for anyone
who intercepted the message to read it. For example, if someone logged into their
email account, their username and password would travel across the Internet
unprotected.
SSL was created to solve this problem and protect user privacy. By encrypting data
between a user and a web server, SSL ensures that anyone who intercepts the data
sees only a scrambled mess of characters. This keeps the user’s login credentials
safe, visible only to the email service.
Additionally, SSL helps prevent cyber attacks by:
 Authenticating Web Servers: Ensuring that users are connecting to the
legitimate website, not a fake one set up by attackers.
 Preventing Data Tampering: Acting like a tamper-proof seal, SSL ensures that
the data sent and received hasn’t been altered during transit.
Secure Socket Layer Protocols
 SSL Record Protocol
 Handshake Protocol
 Change-Cipher Spec Protocol
 Alert Protocol

SSL Record Protocol

The SSL Record Protocol provides two services to an SSL connection:
 Confidentiality
 Message Integrity
In the SSL Record Protocol, application data is divided into fragments. Each
fragment is compressed, and then a MAC (Message Authentication Code) generated by
a hash algorithm such as SHA (Secure Hash Algorithm) or MD5 (Message Digest) is
appended. The compressed fragment together with its MAC is then encrypted, and
finally an SSL record header is prepended to the data.

Handshake Protocol
The Handshake Protocol is used to establish sessions. This protocol allows the client
and server to authenticate each other by sending a series of messages to each other.
The handshake protocol uses four phases to complete its cycle.
 Phase-1: In Phase-1 both Client and Server send hello packets to each other. In
this phase the session ID, cipher suite and protocol version are exchanged for
security purposes.
 Phase-2: The Server sends its certificate and Server-key-exchange. The server
ends phase-2 by sending the Server-hello-done packet.
 Phase-3: In this phase, the Client replies to the server by sending its certificate
and Client-key-exchange.
 Phase-4: In Phase-4 the Change-cipher-spec exchange occurs, and after this the
Handshake Protocol ends.

Change-Cipher Spec Protocol
This protocol uses the SSL Record Protocol. Until the Handshake Protocol is
completed, the SSL record output will be in a pending state. After the handshake
protocol, the pending state is converted into the current state.
The Change-cipher spec protocol consists of a single message which is 1 byte in
length and can have only one value. This protocol's purpose is to cause the pending
state to be copied into the current state.
Alert Protocol
This protocol is used to convey SSL-related alerts to the peer entity. Each message
in this protocol contains 2 bytes; the first byte gives the level.

The level is classified into two parts:

Warning (level = 1)
This Alert has no impact on the connection between sender and receiver. Some of
them are:
 Bad Certificate: When the received certificate is corrupt.
 No Certificate: When an appropriate certificate is not available.
 Certificate Expired: When a certificate has expired.
 Certificate Unknown: When some other unspecified issue arose in processing
the certificate, rendering it unacceptable.
 Close Notify: It notifies that the sender will no longer send any messages in the
connection.
 Unsupported Certificate: The type of certificate received is not supported.
 Certificate Revoked: The certificate received is in revocation list.
Fatal Error (level = 2)
This Alert breaks the connection between sender and receiver. The connection will
be stopped; it cannot be resumed but can be restarted. Some of them are:
 Handshake Failure: When the sender is unable to negotiate an acceptable set
of security parameters given the options available.
 Decompression Failure: When the decompression function receives improper
input.
 Illegal Parameters: When a field is out of range or inconsistent with other fields.
 Bad Record MAC: When an incorrect MAC was received.
 Unexpected Message: When an inappropriate message is received.
The second byte in the Alert protocol describes the error.
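The record layer steps (fragment, compress, MAC, encrypt, header) and the alert the receiver raises when they fail can be traced in a small simulation. The code below is an added example for these notes, not an implementation taken from SSL/TLS or from the original material. It assumes HMAC-SHA256 as the MAC, zlib as the compression method, and a toy counter-mode keystream built from HMAC (labelled as such in the code) in place of a real record cipher, so that it runs on the Python standard library alone; the header layout (1-byte type, 2-byte version, 2-byte length) and the alert codes for Bad Record MAC (20) and Decompression Failure (30) follow the TLS 1.2 wire format.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14                 # plaintext fragments are at most 16 KiB
CT_APPLICATION_DATA = 23               # record content type for application data
VERSION = b"\x03\x03"                  # wire version written into the header (TLS 1.2 here)
MAC_LEN = 32                           # HMAC-SHA256 tag length
ALERT_BAD_RECORD_MAC = (2, 20)         # (level = fatal, description) for "Bad Record MAC"
ALERT_DECOMPRESSION_FAILURE = (2, 30)  # "Decompression Failure"


class AlertError(Exception):
    """Raised where a real implementation would send a fatal alert to the peer."""
    def __init__(self, level: int, description: int) -> None:
        super().__init__(f"alert level={level} description={description}")
        self.level, self.description = level, description


def keystream(key: bytes, seq: int, n: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256. A stand-in for the real
    record cipher (AES, ...) so that the example runs on the standard library only."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mac_input(seq: int, ctype: int, version: bytes, fragment: bytes) -> bytes:
    # The sequence number and header fields are authenticated too, so a record
    # replayed at another position, or with an edited header, fails the MAC check.
    return struct.pack(">QB", seq, ctype) + version + struct.pack(">H", len(fragment)) + fragment


def seal_record(mac_key: bytes, enc_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """Sender side: fragment -> compress -> append MAC -> encrypt -> prepend 5-byte header."""
    compressed = zlib.compress(fragment)
    tag = hmac.new(mac_key, mac_input(seq, ctype, VERSION, compressed), hashlib.sha256).digest()
    body = compressed + tag
    ciphertext = xor(body, keystream(enc_key, seq, len(body)))
    header = bytes([ctype]) + VERSION + struct.pack(">H", len(ciphertext))
    return header + ciphertext


def open_record(mac_key: bytes, enc_key: bytes, seq: int, record: bytes):
    """Receiver side: undo the steps; raises AlertError with the alert that would be sent."""
    ctype, version = record[0], record[1:3]
    length = struct.unpack(">H", record[3:5])[0]
    ciphertext = record[5:5 + length]
    body = xor(ciphertext, keystream(enc_key, seq, len(ciphertext)))
    compressed, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, mac_input(seq, ctype, version, compressed), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify the MAC before touching the plaintext
        raise AlertError(*ALERT_BAD_RECORD_MAC)
    try:
        return ctype, zlib.decompress(compressed)
    except zlib.error:
        raise AlertError(*ALERT_DECOMPRESSION_FAILURE)


def open_record_outcome(mac_key: bytes, enc_key: bytes, seq: int, record: bytes):
    """open_record as data: ('ok', ctype, fragment) or ('alert', level, description)."""
    try:
        return ("ok",) + open_record(mac_key, enc_key, seq, record)
    except AlertError as e:
        return ("alert", e.level, e.description)


def send_application_data(mac_key: bytes, enc_key: bytes, data: bytes, first_seq: int = 0):
    """Split into <= MAX_FRAGMENT pieces, one record each, with increasing sequence numbers."""
    pieces = [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]
    return [seal_record(mac_key, enc_key, first_seq + i, CT_APPLICATION_DATA, p)
            for i, p in enumerate(pieces)]


def receive_application_data(mac_key: bytes, enc_key: bytes, records, first_seq: int = 0) -> bytes:
    return b"".join(open_record(mac_key, enc_key, first_seq + i, r)[1] for i, r in enumerate(records))
```

Flipping one ciphertext byte, replaying a record under a different sequence number, or decrypting with the wrong key all surface as the same fatal Bad Record MAC alert (level 2, description 20), which is why the receiver checks the MAC before it decompresses or hands anything to the application.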
Salient Features of Secure Socket Layer
 The advantage of this approach is that the service can be tailored to the specific
needs of the given application.
 Secure Socket Layer was originated by Netscape.
 SSL is designed to make use of TCP to provide reliable end-to-end secure
service.
 This is a two-layered protocol.
Versions of SSL
SSL 1 – Never released due to high insecurity
SSL 2 – Released in 1995
SSL 3 – Released in 1996
TLS 1.0 – Released in 1999
TLS 1.1 – Released in 2006
TLS 1.2 – Released in 2008
TLS 1.3 – Released in 2018
SSL Certificate
SSL (Secure Sockets Layer) certificate is a digital certificate used to secure and
verify the identity of a website or an online service. The certificate is issued by a
trusted third-party called a Certificate Authority (CA), who verifies the identity of the
website or service before issuing the certificate.
The SSL certificate has several important characteristics that make it a reliable
solution for securing online transactions:
 Encryption: The SSL certificate uses encryption algorithms to secure the
communication between the website or service and its users. This ensures that
the sensitive information, such as login credentials and credit card information, is
protected from being intercepted and read by unauthorized parties.
 Authentication: The SSL certificate verifies the identity of the website or service,
ensuring that users are communicating with the intended party and not with an
impostor. This provides assurance to users that their information is being
transmitted to a trusted entity.
 Integrity: The SSL certificate uses message authentication codes (MACs) to
detect any tampering with the data during transmission. This ensures that the
data being transmitted is not modified in any way, preserving its integrity.
 Non-repudiation: SSL certificates provide non-repudiation of data, meaning that
the recipient of the data cannot deny having received it. This is important in
situations where the authenticity of the information needs to be established, such
as in e-commerce transactions.
 Public-key cryptography: SSL certificates use public-key cryptography for
secure key exchange between the client and server. This allows the client and
server to securely exchange encryption keys, ensuring that the encrypted
information can only be decrypted by the intended recipient.
 Session management: SSL certificates allow for the management of secure
sessions, allowing for the resumption of secure sessions after interruption. This
helps to reduce the overhead of establishing a new secure connection each time
a user accesses a website or service.
 Certificates issued by trusted CAs: SSL certificates are issued by trusted CAs,
who are responsible for verifying the identity of the website or service before
issuing the certificate. This provides a high level of trust and assurance to users
that the website or service they are communicating with is authentic and
trustworthy.
In addition to these key characteristics, SSL certificates also come in various levels
of validation, including Domain Validation (DV), Organization Validation (OV), and
Extended Validation (EV). The level of validation determines the amount of
information that is verified by the CA before issuing the certificate, with EV
certificates providing the highest level of assurance and trust to users. For more
information about SSL certificates for each Validation level type, please refer
to Namecheap.
Overall, the SSL certificate is an important component of online security, providing
encryption, authentication, integrity, non-repudiation, and other key features that
ensure the secure and reliable transmission of sensitive information over the
internet.
What Are The Types of SSL Certificates?
There are different types of SSL certificates, each suited for different needs:
 Single-Domain SSL Certificate: This type covers only one specific domain. A
domain is the name of a website, like www.geeksforgeeks.org. For instance, if
you have a single-domain SSL certificate for www.geeksforgeeks.org, it won't
cover any other domains or subdomains.
 Wildcard SSL Certificate: Similar to a single-domain certificate, but it also
covers all subdomains of a single domain. For example, if you have a wildcard
certificate for *.geeksforgeeks.org, it would cover www.geeksforgeeks.org,
blog.www.geeksforgeeks.org, and any other subdomain under geeksforgeeks.org.
 Multi-Domain SSL Certificate: This type can secure multiple unrelated domains
within a single certificate.
These certificates vary in scope and flexibility, allowing website owners to choose
the appropriate level of security coverage based on their needs.
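How a browser decides whether a certificate "covers" the host it connected to is worth seeing in code, because the wildcard case has a rule that the prose glosses over: a "*" matches exactly one label, so *.geeksforgeeks.org does not cover a host two levels down, nor the bare domain. The following is an added example for these notes (not code from the original material or from any TLS library); it assumes constructed name lists for the three certificate types and matching in the spirit of RFC 6125, with the leftmost label as the only place a wildcard is accepted.

```python
from typing import Iterable


def name_matches(cert_name: str, hostname: str) -> bool:
    """Case-insensitive hostname matching. A '*' is accepted only as the whole
    leftmost label and matches exactly one label, so *.example.org covers
    www.example.org but neither a.b.example.org nor the bare example.org."""
    pat = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host) or "" in pat or "" in host:
        return False
    if any("*" in label for label in pat[1:]) or ("*" in pat[0] and pat[0] != "*"):
        return False          # no wildcard beyond the leftmost label, no partial wildcards
    if pat[0] == "*" and len(pat) < 3:
        return False          # refuse overly broad wildcards such as *.org
    return all(p == "*" or p == h for p, h in zip(pat, host))


def certificate_covers(subject_alt_names: Iterable[str], hostname: str) -> bool:
    """A certificate is valid for a host if any of the names it lists matches it."""
    return any(name_matches(n, hostname) for n in subject_alt_names)


# Constructed certificates (name lists only), one per type described above.
SINGLE_DOMAIN = ["www.geeksforgeeks.org"]
WILDCARD = ["*.geeksforgeeks.org", "geeksforgeeks.org"]   # wildcard certs usually list the bare domain too
MULTI_DOMAIN = ["www.geeksforgeeks.org", "www.example.com", "api.example.net"]
```

The length check on the label lists is what stops a wildcard from reaching deeper subdomains, and it is also what stops geeksforgeeks.org.evil.com from matching: a wildcard only ever substitutes for the one label it stands in for.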
SSL certificates have different validation levels, which determine how thoroughly a
business or organization is vetted:
 Domain Validation (DV): This is the simplest and least expensive level. To get a
DV certificate, a business just needs to prove it owns the domain (like
www.geeksforgeeks.org).
 Organization Validation (OV): This involves a more hands-on verification
process. The Certificate Authority (CA) directly contacts the organization to
confirm its identity before issuing the certificate. OV certificates provide more
assurance to users about the legitimacy of the organization.
 Extended Validation (EV): This is the most rigorous level of validation. It
requires a comprehensive background check of the organization to ensure it’s
legitimate and trustworthy. EV certificates are recognized by the green address
bar in web browsers, indicating the highest level of security and trustworthiness.
These validation levels help users understand the level of security and trust they can
expect when visiting websites secured with SSL certificates.
Are SSL and TLS the Same thing?
SSL is the direct predecessor of TLS (Transport Layer Security). In 1999,
the Internet Engineering Task Force (IETF) proposed an update to SSL. Since this
update was developed by the IETF without Netscape’s involvement, the name was
changed to TLS. The changes between the last version of SSL (3.0) and the first
version of TLS were not significant; the name change mainly signified new
ownership.
Because SSL and TLS are so similar, people often use the terms interchangeably.
Some still call it SSL, while others use “SSL/TLS encryption” since SSL is still widely
recognized.
Is SSL Still up to Date?
SSL (Secure Sockets Layer) hasn’t been updated since SSL 3.0 back in 1996 and is
now considered outdated. It has known vulnerabilities, so security experts advise
against using it. Most modern web browsers no longer support SSL.
TLS (Transport Layer Security) is the current encryption protocol used online.
Despite this, many still refer to it as “SSL encryption,” causing confusion when
people look for security solutions. Nowadays, any vendor offering “SSL” is likely
providing TLS protection, which has been the standard for over 20 years. The term
“SSL protection” is still used widely on product pages because many users still
search for it.
Conclusion
SSL (Secure Sockets Layer) is a crucial Internet security protocol that encrypts data
to ensure privacy, authentication, and data integrity during online communications.
Although it has been succeeded by TLS (Transport Layer Security), SSL remains
widely recognized and foundational in establishing secure connections between
users and web servers. Understanding SSL is essential for appreciating the
evolution of internet security and the protection of sensitive information online.

Transport Layer Security (TLS)

Transport Layer Security (TLS) is designed to provide security at the transport
layer. TLS was derived from a security protocol called Secure Socket Layer (SSL).
TLS ensures that no third party may eavesdrop on or tamper with any message.
There are several benefits of TLS:

 Encryption:
TLS/SSL can help to secure transmitted data using encryption.
 Interoperability:
TLS/SSL works with most web browsers, including Microsoft Internet Explorer,
and on most operating systems and web servers.
 Algorithm flexibility:
TLS/SSL provides options for the authentication mechanism, encryption
algorithms and hashing algorithm that are used during the secure session.
 Ease of Deployment:
Many applications use TLS/SSL transparently on a Windows Server 2003 operating
system.
 Ease of Use:
Because TLS/SSL is implemented beneath the application layer, most of its
operations are completely invisible to the client.

Working of TLS:
The client connects to the server (using TCP) and sends a number of
specifications:
1. Version of SSL/TLS.
2. Which cipher suites and compression method it wants to use.

The server checks what the highest SSL/TLS version is that is supported by them
both, picks a cipher suite from one of the client's options (if it supports one) and
optionally picks a compression method. After this the basic setup is done, and the
server provides its certificate. This certificate must be trusted either by the client
itself or by a party that the client trusts. Having verified the certificate and being
certain this server really is who it claims to be (and not a man in the middle), a key
is exchanged. This can be a public key, a "PreMasterSecret" or simply nothing,
depending upon the cipher suite.
Both the server and client can now compute the key for symmetric encryption. The
handshake is finished and the two hosts can communicate securely. To close a
connection, a close_notify alert is sent; if the TCP connection is simply dropped
without it, both sides will know the connection was improperly terminated. The
connection cannot be compromised by this though, merely interrupted.
Transport Layer Security (TLS) continues to play a critical role in securing data
transmission over networks, especially on the internet. Let’s delve deeper into its
workings and significance:
Enhanced Security Features:
TLS employs a variety of cryptographic algorithms to provide a secure
communication channel. This includes symmetric encryption algorithms like AES
(Advanced Encryption Standard) and asymmetric algorithms like RSA and Diffie-
Hellman key exchange. Additionally, TLS supports various hash functions for
message integrity, such as SHA-256, ensuring that data remains confidential and
unaltered during transit.
Certificate-Based Authentication:
One of the key components of TLS is its certificate-based authentication mechanism.
When a client connects to a server, the server presents its digital certificate, which
includes its public key and other identifying information. The client verifies the
authenticity of the certificate using trusted root certificates stored locally or provided
by a trusted authority, thereby establishing the server’s identity.
Forward Secrecy:
TLS supports forward secrecy, a crucial security feature that ensures that even if an
attacker compromises the server’s private key in the future, they cannot decrypt past
communications. This is achieved by generating ephemeral session keys for each
session, which are not stored and thus cannot be compromised retroactively.
TLS Handshake Protocol:
The TLS handshake protocol is a crucial phase in establishing a secure connection
between the client and the server. It involves multiple steps, including negotiating the
TLS version, cipher suite, and exchanging cryptographic parameters. The
handshake concludes with the exchange of key material used to derive session keys
for encrypting and decrypting data.
Perfect Forward Secrecy (PFS):
Perfect Forward Secrecy is an advanced feature supported by TLS that ensures the
confidentiality of past sessions even if the long-term secret keys are compromised.
With PFS, each session key is derived independently, providing an additional layer
of security against potential key compromise.
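The negotiation described under "Working of TLS", the handshake phases, and the forward-secrecy property can be simulated with both sides' messages in a few dozen lines. This is an added example written for these notes, not code from the original material or from any TLS implementation. It assumes a toy Diffie-Hellman group (the Mersenne prime 2^127 - 1 with generator 3, constructed for the example and far too small for real use), cipher suite and version names as plain strings, and a simplified HMAC-based key derivation in place of the TLS PRF/HKDF; certificate verification is left out so the focus stays on version/suite selection and ephemeral key agreement.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for the example only.
# Real TLS uses ECDHE (for instance x25519) or the finite-field groups of RFC 7919.
P = (1 << 127) - 1
G = 3

SUPPORTED_VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]   # ordered oldest -> newest


class HandshakeFailure(Exception):
    """Stands in for the fatal 'handshake_failure' alert."""


def client_hello(versions, cipher_suites):
    """Phase 1, client side: offered versions and suites plus a fresh nonce."""
    return {"versions": versions, "cipher_suites": cipher_suites, "random": secrets.token_bytes(32)}


def server_hello(hello, server_versions, server_suites):
    """Phase 1, server side: newest version both support and the server's preferred
    common suite (server preference order); fail the handshake if either is empty."""
    common_versions = [v for v in SUPPORTED_VERSIONS if v in hello["versions"] and v in server_versions]
    if not common_versions:
        raise HandshakeFailure("no common protocol version")
    common_suites = [s for s in server_suites if s in hello["cipher_suites"]]
    if not common_suites:
        raise HandshakeFailure("no common cipher suite")
    return {"version": common_versions[-1], "cipher_suite": common_suites[0],
            "random": secrets.token_bytes(32)}


def negotiation_result(client_versions, client_suites, server_versions, server_suites):
    """(version, suite) on success, or the failure reason as a string."""
    try:
        reply = server_hello(client_hello(client_versions, client_suites), server_versions, server_suites)
        return reply["version"], reply["cipher_suite"]
    except HandshakeFailure as e:
        return str(e)


def ephemeral_keypair():
    """Fresh DH key for this session only; the private part never leaves the process."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def derive_session_key(shared_secret: int, client_random: bytes, server_random: bytes) -> bytes:
    """Simplified extract-then-expand over the DH secret and both nonces."""
    prk = hmac.new(client_random + server_random, shared_secret.to_bytes(16, "big"), hashlib.sha256).digest()
    return hmac.new(prk, b"session key\x01", hashlib.sha256).digest()


def run_handshake(client_versions, client_suites, server_versions, server_suites):
    """Full exchange; returns what each side ends up with so they can be compared."""
    hello = client_hello(client_versions, client_suites)
    reply = server_hello(hello, server_versions, server_suites)
    # Phases 2 and 3: Server-key-exchange / Client-key-exchange carry the ephemeral public values.
    s_priv, s_pub = ephemeral_keypair()
    c_priv, c_pub = ephemeral_keypair()
    server_key = derive_session_key(pow(c_pub, s_priv, P), hello["random"], reply["random"])
    client_key = derive_session_key(pow(s_pub, c_priv, P), hello["random"], reply["random"])
    # Everything an eavesdropper could record is in the transcript; the private values are not.
    transcript = {"client_hello": hello, "server_hello": reply, "server_pub": s_pub, "client_pub": c_pub}
    return {"version": reply["version"], "cipher_suite": reply["cipher_suite"],
            "client_key": client_key, "server_key": server_key, "transcript": transcript}
```

Because the session key depends only on the two ephemeral private values and the nonces, and those private values are discarded after the handshake, nothing a server keeps long-term (its certificate's private key included) lets a recorded transcript be decrypted later; that is the forward-secrecy argument made above, and it is why every run of run_handshake yields a different key.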
TLS Deployment Best Practices:
To ensure the effectiveness of TLS, it’s essential to follow best practices in its
deployment. This includes regularly updating TLS configurations to support the latest
cryptographic standards and protocols, disabling deprecated algorithms and cipher
suites, and keeping certificates up-to-date with strong key lengths.
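The deployment advice above translates directly into how a client TLS context is built. The block below is an added example for these notes using Python's standard ssl module; it is not code from the original material. It places the weak configuration beside the hardened one and adds a small audit function of the author's own devising that reports the settings a reviewer would flag; the cipher string is OpenSSL cipher-list syntax and is an assumption about what the deployment wants to allow.

```python
import ssl


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Verify the server certificate against a trust store, check the hostname,
    refuse anything older than TLS 1.2, and restrict cipher suites to
    forward-secret AEAD suites."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # OpenSSL cipher-list syntax: ECDHE key exchange with AES-GCM or ChaCha20,
    # and explicit exclusion of null, MD5, RC4 and 3DES suites (assumed policy).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: certificate verification switched off and every protocol
    version the library supports left enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a context (empty = clean)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def describe(ctx: ssl.SSLContext) -> dict:
    """Plain-data summary of the settings the audit looks at."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname,
            "minimum_version": ctx.minimum_version.name}
```

Note the order in weak_client_context: the ssl module refuses to set CERT_NONE while check_hostname is still true, which is a useful guard rail, but code that disables both (as shown) is exactly what an audit should catch.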
Continual Evolution:
TLS standards continue to evolve to address emerging security threats and
vulnerabilities. Ongoing efforts by standards bodies, such as the Internet
Engineering Task Force (IETF), ensure that TLS remains robust and resilient against
evolving attack vectors.
Conclusion:
In an increasingly interconnected world where data privacy and security are
paramount, Transport Layer Security (TLS) serves as a foundational technology for
securing communication over networks. By providing encryption, authentication, and
integrity protection, TLS enables secure data transmission, safeguarding sensitive
information from unauthorized access and tampering. As cyber threats evolve, TLS
will continue to evolve, adapting to new challenges and reinforcing the security
posture of digital communications.

What is Session Management?

Session management is a critical security aspect for web applications that aims to
establish a strong and cryptographically secure link between authenticated users
and their sessions. This ensures that users' identities and session data are
protected. It helps protect user data, prevent unauthorized access, and mitigate
session-related vulnerabilities such as session hijacking or session fixation attacks.
By properly managing user sessions, web applications can ensure the confidentiality,
accessibility, and accuracy of user interactions, enhancing overall security posture.

Introduction to Session Management

Session management is the process of maintaining and controlling user sessions in
a web application or system. It involves managing the interaction between a user
and the system during a specific period. It involves assigning a unique session
identifier to each user, which is stored on the server side and used to retrieve
relevant session data. It ensures that users remain authenticated throughout
browsing and enables personalized experiences. This facilitates session state
maintenance, timeout management, and secure logout handling, ensuring seamless,
secure experiences.
Key Components of Session Management
Below are the key components of session management:

 Session Creation: When a user initiates a session by accessing a web
application, a unique session ID is generated for that user. This ID identifies and
associates the user's interactions with the session.
 Session Tracking: The server keeps track of active sessions by associating
each session ID with relevant user data. This data can be stored in server-side
storage, such as a database or memory cache.
 Session Timeout: Sessions have a predefined timeout period to ensure that
inactive sessions are automatically terminated. When a session runs out, the
user must log in again to establish a new session.
 Session Termination: Users can manually terminate their sessions by logging
out of the application. When a session is terminated, all associated session data
is cleared, and the session ID becomes invalid.
 Session Security: Session management systems use security measures to
protect against session hijacking or fixation attacks and unauthorized access.
Types of Session Management
There are two main types of session management:
Client-side Session Management: In this type, the session data is stored and
managed on the client side, typically within a cookie or using browser storage
mechanisms such as local or session storage. The session data may be encrypted
or encoded to maintain security. The server relies on the client to send the session
data with each request, and the server validates and processes it accordingly.
Server-side Session Management: In this type, the session data is stored and
managed on the server. The server generates a distinct session ID for each user and
maintains the associated session data. The session ID is typically stored as a cookie
on the client side and sent with each request. The server retrieves the session data
based on the session ID and uses it to maintain user state and perform
authentication and authorization checks.
How can InfosecTrain Help?
You may enroll in InfosecTrain‘s Web Application Penetration Testing online training
course to gain in-depth knowledge about session management and its associated
security considerations. The course will provide comprehensive insights into session
management techniques, vulnerabilities, and exploitation methods for securing
sessions. During this training, we will provide you with hands-on labs and real-world
scenarios to simulate the testing and exploitation of session management
vulnerabilities. This hands-on experience will help you develop the skills and
techniques to identify, exploit, and remediate session-related security issues in web
applications. You will also learn how to implement effective security measures to
safeguard user sessions.
Session Management is crucial to ensure that user interactions with web
applications are conducted in a secure manner. When a user logs into a system, a
session is created that maintains their state and tracks their interactions. This
session needs to be unique, secure, and timed correctly to reduce the chances of
interception or hijacking by malicious actors.

Good session management will involve generating a unique session identifier
(session ID) for each user session, transmitting it securely, and ensuring that the
session ID cannot be guessed or reused by an attacker. Insecure session identifiers
are a prime target for attackers, who will seek to exploit them in order to compromise
a user account.

Session management should also control the lifespan of the session, enforcing
session timeouts and ensuring proper user logout to limit the window of opportunity
for any potential misuse. The session ID should not disclose any sensitive
information and should be protected both in transit and in the browser (e.g., by
sending it only over HTTPS in a cookie with the Secure and HttpOnly flags set).

For session management to be effective, all session tokens need to be stored
securely on the server and protected against common threats like session hijacking,
session fixation, and cross-site request forgery (CSRF). Implementing features such
as re-authentication for sensitive actions within a session, automatic timeouts, and
transparent user logout helps maintain secure session management protocols.

What is session management in web applications?

Session management is a core component in web application security. It directly
deals with maintaining the state and identity of user accounts across multiple
requests, for hundreds of users at once, which the web server handles concurrently.
As HTTP is a stateless protocol, session management techniques are employed to
identify users and remember their actions and settings across different pages. The
process of session management involves creating, maintaining and destroying
sessions.

Which session management techniques can reduce security attacks?

There are many techniques web application developers use in order to reduce the
effectiveness of security attacks. It is imperative to maintain good session
management practices when developing a web application. Below are some
effective techniques to ensure session management is secure and robust.
 Usage of Secure Session Identifiers: All tokens issued by the web
application should be generated using a cryptographically secure random
number generator and be long enough that they cannot be guessed or
brute-forced by a would-be attacker.
 Implement HTTPS: Interactions between the client and server should be
secured using HTTPS. This will mitigate the chances of the tokens being
intercepted during transit.
 Usage of Cookie Attributes: Tokens issued by the application should be
properly configured with the ‘HttpOnly’ and ‘Secure’ cookie attributes. These
flags secure the cookies from being accessible via client-side scripts (Such as
JavaScript), or transmitted over an insecure connection. It is also advisable to
use the ‘SameSite’ attribute where appropriate.
 Session Lifecycle: Tokens should have effective timeout and expiration
policies. This includes both an absolute timeout (a fixed expiry measured
from the moment of login) and an inactivity timeout (e.g., the session ends
after 30 minutes in which the user makes no request to the server).
 Regenerate Session Identifiers: Whenever the privilege level of a session
changes (most importantly at login), a new session identifier should be issued
and the old one invalidated; this defeats session fixation. On logout the
session should be destroyed outright.
 Validate Sessions on every request: Each request should be checked to
ensure that it contains a valid session identifier; this is especially important on
requests which modify or access any user data.
 Securely Store Session Data: If session data is stored server-side, ensure
this is protected from unauthorised access or tampering.
 Limit Session Data Exposure: The amount of sensitive data stored in the
session should be limited. If possible, keep critical data server-side and only
send identifiers or tokens client-side.
 Implement Logout Functionality: Users should always be provided with the
ability to log out and terminate a session. The logout function should
terminate the session on both the client and the server side.
 Monitoring & Logging: Sessions should be monitored in real-time,
anomalies or potential breaches should be investigated.
Further guidance and security advice can be found on the Session Management
Cheat Sheet provided by OWASP.
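The techniques listed above fit together into one server-side session store. What follows is an added example (not code from the original notes or from OWASP) that implements them with the Python standard library: unguessable IDs from the OS CSPRNG, validation on every request with both idle and absolute timeouts, ID regeneration on privilege change, destruction on logout, and a Set-Cookie value carrying the recommended attributes. The in-memory dictionary stands in for Redis or a database, and the timeout values are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60          # 30 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # 8 hours after login the session ends regardless


@dataclass
class Session:
    user: str
    role: str
    created_at: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory server-side session store (a stand-in for Redis or a database)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG: unguessable, unlike time- or counter-based IDs.
        return secrets.token_urlsafe(32)

    def create(self, user: str, role: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = self._new_id()
        self._sessions[sid] = Session(user, role, now, now)
        return sid

    def validate(self, sid: Optional[str], now: Optional[float] = None) -> Optional[Session]:
        """Look the session up on every request and enforce both timeouts."""
        now = time.time() if now is None else now
        if not sid:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        if (now - session.created_at > ABSOLUTE_TIMEOUT
                or now - session.last_seen > IDLE_TIMEOUT):
            self.destroy(sid)  # expired: remove it so it can never be revived
            return None
        session.last_seen = now
        return session

    def regenerate(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Move the session to a fresh ID (call at login and on privilege change).

        Defeats session fixation: any ID an attacker planted earlier is discarded."""
        session = self.validate(sid, now)
        if session is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = session
        return new_sid

    def destroy(self, sid: str) -> None:
        """Server-side half of logout; the client half is clear_cookie()."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str, max_age: int = ABSOLUTE_TIMEOUT) -> str:
    """Set-Cookie header value with the attributes recommended in the text."""
    return f"SESSIONID={sid}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Lax"


def clear_cookie() -> str:
    """Set-Cookie value that removes the cookie from the browser on logout."""
    return "SESSIONID=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "user")
    print(session_cookie(sid))
    sid = store.regenerate(sid)        # e.g. after step-up to an admin role
    print("valid now:", store.validate(sid) is not None)
    store.destroy(sid)
    print("valid after logout:", store.validate(sid) is not None, clear_cookie())
```

Note that `validate` deletes an expired record rather than just returning None: otherwise a later request with the old ID could still find it, and the "expired" state would depend on a clock check that a future bug might skip.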

Key Characteristics:

 Generation of a unique session ID for each session
 Secure transmission of session IDs
 Handling of session lifecycle (including creation, maintenance, and
termination)
 Defense against session-related attacks (e.g., hijacking, fixation)
 Secure storage of session tokens
Examples:

 Real-World Example: Many online banking services use advanced session
management techniques. After a user logs in, their session ID is monitored for
signs of anomalous behaviour that may indicate a hijacking attempt. The
session will automatically expire after a period of inactivity, requiring the user
to reauthenticate.
 Hypothetical Scenario: A user logs into a shopping website, and their
session ID is transmitted over HTTPS to prevent eavesdroppers from
capturing it. The session ID is stored in a secure, HttpOnly cookie, which
mitigates the risk of cross-site scripting (XSS) attacks compromising the
session.
Related Terms:

 Session Cookie: A piece of data sent from a website and stored on the
user’s computer by the user’s web browser while the user is browsing.
Cookies can be used to manage sessions.
 Cross-Site Request Forgery (CSRF): An attack that forces an end user to
execute unwanted actions on a web application in which they’re currently
authenticated, often involving the misuse of session tokens.
 HTTPS: A protocol for secure communication over a computer network which
is widely used on the Internet. It encrypts the session data during
transmission.
 Cross-Site Scripting (XSS): A type of security vulnerability typically found in
web applications that allows attackers to inject client-side scripts into web
pages viewed by other users, potentially compromising session tokens if not
properly managed.
 Session Token: A unique piece of data, often a random string. The token is
usually generated by a web-server and sent over to the user’s device.
 Session Hijacking: A type of session attack in which an attacker takes
control of a user’s session.
 https://sencode.co.uk/glossary/session-management/

Input Validation

Input validation is the process of verifying that data received by an application or
system is what the application expects before it is used. This includes checking that
the data is in the correct format, of the right type and length, and within the expected
range of values, so that untrusted input cannot change the meaning of a command,
query or page it is later placed into.

Cyberattacks are attacks on the computer systems of individuals or organizations by
unauthorized parties known as cyber attackers or hackers. Attackers aim to take
advantage of vulnerabilities in a computer system to get into the network and reach
protected user or organization data. Detecting cyberattacks at an early stage is
important so that preventive steps can be taken; knowledge and awareness of cyber
crime help in mitigating attacks efficiently.
Input Validation Attack:
 An input validation attack supplies data that the application fails to check
properly before using it.
 The crafted input is interpreted by some component of the system (a database,
a shell, a browser, or program memory) as instructions rather than as plain data,
so it can do far more damage than ordinary user input.
 The attacker typically enters the malicious data by hand or with a script, breaking
the assumptions the application made about what its inputs would contain.
Mechanism of Input Validation Attack:
The mechanism of an input validation attack is governed by the fact that harmful
input is injected at a point where the application assumes it has already received
validated input. Web applications can pass such input on to other components
without realising it, but most commonly the attacker feeds the data in directly to
compromise the system or degrade its performance.
Types of Input Validation Attack:
There are 4 different types of Input Validation Attacks. They are listed as follows :
1. Buffer Overflow Input Validation Attack: A buffer overflow occurs when more data
is written to a fixed-size buffer than it can hold because the input length was never
checked. The excess overwrites adjacent memory, which can crash the program and
make the system unresponsive or, with carefully crafted input, let the attacker run
code of their choosing.
2. Canonicalization Input Validation Attack: The same file or resource can be written
in many different forms (e.g. "../" sequences, URL-encoded characters, symbolic
links). If an access check is made on the raw string instead of on the resolved,
canonical path, an attacker can change the path to reach files that should have been
protected, and then view, change or steal sensitive information.
3. XSS Attack: Cross-site scripting occurs when an application places unvalidated
input into a web page without encoding it, so that script supplied by an attacker runs
in the browsers of other users. The victim sees what looks like a legitimate page or
link and cannot tell that it carries malicious script, which can then steal session
tokens or act on the user's behalf.
4. SQL Injection Attack: SQL injection occurs when untrusted input (from a URL
parameter, form field or header) is concatenated into a database query, so that the
attacker's text is parsed as SQL rather than treated as a value. The attacker can then
copy confidential user data, manipulate sensitive information, or delete important
records.
Prevention from Input Validation Attacks:
Input Validation Attacks can be prevented by the following:
 Enforcing a maximum length for every input and rejecting anything longer.
 Validating inputs against an allowlist of acceptable formats or values, rather
than trying to filter out known-bad strings.
 Specifying the data type and range that each field accepts, so that unwanted
data is rejected before it reaches the rest of the application.
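As an added example (not code from the original notes), the validators below apply the three preventive measures above, and the last one addresses the canonicalization attack from the list of types by checking the resolved path rather than the raw string. The field names, patterns, limits and the `/srv/app/uploads` base directory are assumptions chosen for the demonstration.

```python
import os
import re
from typing import Optional

# Allowlist patterns describe what IS permitted; anything else is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
DIGITS_RE = re.compile(r"[0-9]{1,6}")
MAX_COMMENT_LEN = 500


def validate_username(value: object) -> Optional[str]:
    """Return the username if it matches the allowlist pattern exactly, else None."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        return None
    return value


def validate_quantity(value: object, low: int = 1, high: int = 100) -> Optional[int]:
    """Parse a decimal integer and enforce a range; rejects '1e3', ' 5', '-1', ''."""
    if not isinstance(value, str) or not DIGITS_RE.fullmatch(value):
        return None
    number = int(value)
    return number if low <= number <= high else None


def validate_comment(value: object) -> Optional[str]:
    """Length limit plus rejection of control characters (newline and tab allowed)."""
    if not isinstance(value, str) or len(value) > MAX_COMMENT_LEN:
        return None
    if any(ord(ch) < 32 and ch not in "\n\t" for ch in value):
        return None
    return value


def safe_path(base_dir: str, user_path: str) -> Optional[str]:
    """Canonicalise the requested path and confirm it still lies inside base_dir.

    Because the check runs on the resolved absolute path, '../' sequences, an
    absolute path, 'x/../../' tricks and symlinks that escape base_dir are all
    caught, whereas a plain substring check on the raw string would not catch them."""
    if "\x00" in user_path:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows
        return None
    return candidate if inside else None


if __name__ == "__main__":
    base = "/srv/app/uploads"  # assumed base directory for the example
    for requested in ("reports/2024.txt", "../../etc/passwd", "/etc/passwd"):
        print(f"{requested!r:22} -> {safe_path(base, requested)}")
    print(validate_username("alice; DROP TABLE users"), validate_quantity("1e3"))
```

Each validator returns None on failure rather than raising, so the calling code decides whether to reject the request or show a form error; what matters is that nothing downstream ever sees input that did not pass.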
