Web Application Security - Comprehensive Guide

This guide covers advanced web application security topics beyond traditional client-side and server-side vulnerabilities, focusing on holistic security aspects critical for modern web applications.

1. Authentication & Session Management

Authentication Security Fundamentals

Authentication vulnerabilities represent critical security flaws that can compromise entire applications. Modern applications face complex authentication challenges beyond simple username/password combinations.

Common Authentication Vulnerabilities

Username Enumeration

• Registration forms revealing existing users
• Different error messages for invalid username vs password
• Response time differences indicating valid accounts
• Password reset functions confirming user existence

Session Management Flaws

• Predictable session tokens
• Session fixation attacks
• Insufficient session expiration
• Cookie manipulation vulnerabilities

Advanced Authentication Attacks

Logic Flaws in Authentication

 
# Parameter Pollution Attack
GET /reset?email=victim@site.com
POST /reset?email=victim@site.com
Content-Type: application/x-www-form-urlencoded
 
username=victim&email=attacker@evil.com

Account Lockout Bypass Techniques

• IP rotation using headers (X-Forwarded-For, X-Real-IP)
• Time-based bypasses with long passwords
• Reset lockout logic exploitation
• Username collision attacks (spaces, case sensitivity)

Session Security Best Practices

Secure Session Implementation

• Use cryptographically secure random session IDs
• Implement proper session timeout (idle and absolute)
• Regenerate session IDs on privilege changes
• Store sessions server-side with minimal client exposure

Cookie Security Attributes

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict

• Secure: HTTPS only transmission
• HttpOnly: No JavaScript access
• SameSite: CSRF protection

2. Business Logic Vulnerabilities

Business logic flaws arise when applications fail to properly enforce business rules and workflows. These vulnerabilities are context-specific and require deep understanding of the application.

Common Business Logic Flaws

Price Manipulation

• Negative quantities in shopping carts
• Race conditions in checkout processes
• Coupon stacking vulnerabilities
• Currency manipulation

Workflow Bypass

• Skipping required steps in multi-step processes
• Direct object reference to later stages
• State manipulation in client-side storage

Testing for Business Logic Flaws

1. Map the Application Workflow
   • Document all business processes
   • Identify state transitions
   • Note validation points
2. Test Edge Cases
   • Boundary values (0, negative, maximum)
   • Unexpected data types
   • Missing parameters
   • Out-of-sequence requests
3. Race Condition Testing
   • Simultaneous requests to same endpoint
   • TOCTOU (Time of Check, Time of Use) vulnerabilities
   • Resource exhaustion scenarios

3. API Security

Modern web applications heavily rely on APIs, introducing unique security challenges.

REST API Security

Authentication Methods

• API Keys (least secure)
• OAuth 2.0 flows
• JWT tokens
• Certificate-based authentication

Common API Vulnerabilities

1. Broken Object Level Authorization

   GET /api/users/123/profile
   # Change to:
   GET /api/users/456/profile

2. Mass Assignment

   POST /api/users/update
   {
     "name": "John",
     "email": "john@example.com",
     "role": "admin"  // Unexpected parameter
   }

3. Rate Limiting Bypass

   • Missing rate limits
   • Rate limit reset vulnerabilities
   • Distributed attack possibilities

GraphQL Security Considerations

Introspection Attacks

{
  __schema {
    types {
      name
      fields {
        name
        type {
          name
        }
      }
    }
  }
}

Query Depth Attacks

• Deeply nested queries causing DoS
• Expensive query combinations
• Missing query complexity analysis

4. File Handling Security

File upload and handling vulnerabilities can lead to complete system compromise.

Upload Vulnerability Categories

Client-Side Validation Bypass

• JavaScript filter manipulation
• Browser developer tools modification
• Direct API calls bypassing UI

Server-Side Filter Bypass Techniques

1. Extension Manipulation

   shell.php → shell.php.jpg
   shell.php → shell.PHP (case sensitivity)
   shell.php → shell.php%00.jpg (null byte)
   shell.php → shell.phtml (alternative extensions)

2. Content-Type Manipulation

   Content-Type: image/jpeg
   # Change to:
   Content-Type: application/x-php

3. Magic Number Spoofing

   # Add PNG magic bytes to PHP file
   echo -e '\x89\x50\x4E\x47\x0D\x0A\x1A\x0A' > shell.php
   cat malicious.php >> shell.php

Secure File Handling Implementation

Validation Layers

1. File type validation (whitelist approach)
2. File size limitations
3. Filename sanitization
4. Content scanning (antivirus, pattern matching)
5. Isolated storage location
6. Randomized filenames
7. Access control on file retrieval

5. Access Control & Authorization

Access Control Models

Role-Based Access Control (RBAC)

• Users assigned to roles
• Roles granted permissions
• Hierarchical role structures

Attribute-Based Access Control (ABAC)

• Dynamic permission evaluation
• Context-aware decisions
• Fine-grained control

Common Access Control Vulnerabilities

Insecure Direct Object References (IDOR)

 
# Original request
GET /api/documents/123
 
 
# Attack attempt
GET /api/documents/124

Privilege Escalation Patterns

• Horizontal: Access other users’ data
• Vertical: Gain higher privileges
• Context switching vulnerabilities

Testing Access Controls

1. Map All Endpoints
   • Document required permissions
   • Identify state-changing operations
   • Note sensitive data access points
2. Test with Different User Contexts
   • Unauthenticated requests
   • Low-privilege user attempts
   • Cross-tenant access attempts
   • Recently logged-out sessions

6. Web Cache Vulnerabilities

Cache Poisoning Attacks

Basic Cache Poisoning

GET /resource HTTP/1.1
Host: victim.com
X-Forwarded-Host: attacker.com

Cache Key Manipulation

• Unkeyed headers injection
• Query parameter pollution
• Fragment poisoning (#)

Cache Deception Attacks

 
# Attacker sends victim to:
https://example.com/my-account/nonexistent.css
 
# Server treats as:
https://example.com/my-account
 
# CDN caches as static CSS file

Cache Security Headers

Cache-Control: no-store, no-cache, must-revalidate, private
Pragma: no-cache
Expires: 0
Vary: Cookie, Authorization

7. HTTP Security Headers

Critical Security Headers

Content Security Policy (CSP)

Content-Security-Policy: default-src 'self';
    script-src 'self' 'unsafe-inline' https://trusted.com;
    style-src 'self' 'unsafe-inline';
    img-src 'self' data: https:;

Additional Security Headers

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Strict-Transport-Security: max-age=31536000; includeSubDomains

Header Injection Vulnerabilities

Host Header Injection

• Password reset poisoning
• Web cache poisoning
• Server-side request forgery

Testing Techniques

 
# Duplicate headers
Host: legitimate.com
Host: attacker.com
 
 
# Absolute URL
GET https://legitimate.com/ HTTP/1.1
Host: attacker.com
 
 
# Port injection
Host: legitimate.com:@attacker.com

8. CORS & Cross-Origin Security

CORS Misconfiguration Patterns

Overly Permissive CORS

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

Dynamic Origin Reflection

 
# Request
Origin: https://attacker.com
 
 
# Vulnerable Response
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true

CORS Security Testing

1. Test Origin Validation

   curl -H "Origin: https://evil.com" https://target.com/api/data

2. Check Null Origin

   curl -H "Origin: null" https://target.com/api/data

3. Subdomain Takeover Impact

   • Trusted subdomain with CORS
   • Subdomain takeover vulnerability
   • Cross-origin data theft

9. Web Application Testing Methodology

Reconnaissance Phase

1. Technology Stack Identification
   • Server headers analysis
   • JavaScript framework detection
   • CMS identification
   • API endpoint patterns
2. Attack Surface Mapping
   • All input vectors
   • File upload points
   • API endpoints
   • WebSocket connections
   • Hidden parameters

Systematic Testing Approach

Phase 1: Information Gathering

 
# Subdomain enumeration
subfinder -d target.com | httpx -status-code
 
 
# Technology identification
whatweb target.com
wappalyzer
 
 
# Directory/file discovery
ffuf -u https://target.com/FUZZ -w wordlist.txt

Phase 2: Authentication Testing

• Username enumeration
• Password policy analysis
• Account lockout testing
• Session management review
• Multi-factor authentication bypass attempts

Phase 3: Authorization Testing

• Access control matrix development
• Privilege escalation attempts
• IDOR vulnerability scanning
• Business logic flow testing

Phase 4: Input Validation Testing

• SQL injection
• Cross-site scripting
• Template injection
• Header injection
• File upload vulnerabilities

Phase 5: Business Logic Testing

• Workflow manipulation
• Race conditions
• Price/quantity manipulation
• Time-based logic flaws

Phase 6: API Security Testing

• Endpoint enumeration
• Method tampering
• Rate limiting tests
• Data exposure analysis

Testing Tools Arsenal

Essential Tools

• Burp Suite Professional
• OWASP ZAP
• Postman/Insomnia
• ffuf/feroxbuster
• SQLMap
• Nikto
• Nmap

Specialized Tools

• Param Miner (cache poisoning)
• JWT_Tool (JWT manipulation)
• GraphQL Voyager (GraphQL introspection)
• Retire.js (component analysis)

10. Security Testing Checklist

Authentication & Session Management

• Username enumeration
• Weak password policy
• Account lockout bypass
• Session fixation
• Session timeout testing
• Cookie security attributes
• Password reset vulnerabilities
• Multi-factor authentication bypass

Access Control

• IDOR vulnerabilities
• Privilege escalation
• Forced browsing
• Missing function level access control
• Cross-tenant access

Business Logic

• Payment flow manipulation
• Race conditions
• Workflow bypass
• Input limit testing
• State management flaws

API Security

• Broken object level authorization
• Broken authentication
• Excessive data exposure
• Rate limiting
• Mass assignment
• Security misconfiguration

File Handling

• Unrestricted file upload
• Path traversal
• File type validation bypass
• Stored XSS via file upload
• XXE via file parsing

Caching & Headers

• Cache poisoning
• Cache deception
• Missing security headers
• Header injection
• CORS misconfiguration

Best Practices Summary

1. Defense in Depth: Implement multiple layers of security controls
2. Least Privilege: Grant minimum necessary permissions
3. Input Validation: Validate all input on the server side
4. Output Encoding: Encode all output based on context
5. Secure by Default: Make secure options the default choice
6. Regular Updates: Keep all components and dependencies updated
7. Security Testing: Integrate security testing into CI/CD pipeline
8. Monitoring: Implement comprehensive logging and monitoring
9. Incident Response: Have a clear incident response plan
10. Security Training: Regular security awareness for development teams

Related Topics

• SQL Injection Advanced Techniques
• Modern XSS Attack Vectors
• Network-Security-and-Services
• Tools-and-Methodologies

---

This guide represents current web application security best practices. Always verify specific implementation details against current security standards and your application’s unique requirements.