Web Security: Attacks and Defenses Implementation Guide
Learn about common web application vulnerabilities like SQLi, XSS, and CSRF, including demonstration cases and effective defense implementation strategies.
Web Security: Web Attacks and Defences
Project 4 – Implementation Presentation | TCS iON
Aryan Kumar Singh | Amity University Online
Introduction & Objective
Objective of This Project
- Understand common web application vulnerabilities
- Demonstrate real-world web attacks
- Analyze the impact of insecure apps
- Implement security controls and defences
Importance of Web Security
- Web applications are publicly accessible
- Small coding mistakes lead to exploitation
- Secure apps protect user data and trust
Vulnerable Web Application Setup
Environment Used
- Damn Vulnerable Web Application (DVWA)
- Local web server (PHP & MySQL)
- Tools: Browser & Burp Suite Community
Purpose
- Safely practice real attacks
- Understand vulnerability mechanics
- Learn remediation techniques
Overview of Web Attacks Demonstrated
Web Attacks Covered
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
Primary Target Areas
- Login Forms & Authentication Handling
- User Input Fields & Search Boxes
- Session Tokens & Request Headers
SQL Injection (SQLi)
What is it?
Injection of malicious SQL queries via input fields, exploiting improper validation to manipulate the database.
Demonstration
- Injected code into login field
- Bypassed authentication mechanism
- Gained unauthorized admin access
Critical Impact
Data Leakage | Unauthorized Login | Database Manipulation
SQL Injection Prevention
Security Measures Implemented
Strong Input Validation
Prepared Statements
Parameterized Queries
Result: SQL Injection attacks effectively blocked; database queries executed safely without interpreting user input as code.
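The three measures on this slide, shown side by side with the flaw they fix, as an added example (Python with sqlite3, not code from the project or from DVWA): `login_vulnerable` concatenates the username into the query text, so the textbook comment-out input turns the rest of the query into a comment; `login_safe` applies an allow-list check on the username and then binds both values as parameters, so the same input is matched as a literal string and the login fails. The table, account and password are constructed for the demo.

```python
import hashlib
import re
import sqlite3


def hash_password(password: str) -> str:
    # SHA-256 keeps the example short; production code should use a slow,
    # salted KDF such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", hash_password("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """String concatenation: whatever the user typed is parsed as SQL."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{hash_password(password)}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


# Strong input validation: an allow-list for what a username may look like.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Validation first, then a prepared statement with bound parameters."""
    if not USERNAME_RE.fullmatch(username):
        return None  # rejected before the database is ever queried
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_demo_db()
    payload = "admin'--"  # classic comment-out input, submitted with a wrong password
    print("vulnerable login:", login_vulnerable(db, payload, "wrong"))
    print("safe login      :", login_safe(db, payload, "wrong"))
    print("safe login      :", login_safe(db, "admin", "correct horse"))
```

With the concatenated query the `--` comments out the password clause and the vulnerable function returns `admin` for a wrong password; the parameterized function returns `None` for the same input and only succeeds with the real credentials. The validation step is a second, independent layer: even if a query somewhere were still concatenated, the quote and dash characters never reach it.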
Cross-Site Scripting (XSS)
Mechanism
Injecting malicious JavaScript into web pages which is then executed in the victim’s browser.
Demonstration
- Malicious script injected into input field
- Script auto-executed on page load
Potential Impact
Session Hijacking, Data Theft, Unauthorized Redirection.
XSS Mitigation Techniques
Defensive Controls
Input Sanitization
Cleaning user input to remove potentially executable code.
Output Encoding
Converting special characters into HTML entities to prevent execution.
Content Security Policy (CSP)
Restricting where scripts can be loaded and executed from.
Result: Scripts no longer execute; user input is displayed as safe text.
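The three controls above in code, as an added example (Python, not from the project): `render_vulnerable` drops raw input into the page, `render_safe` and `render_attribute_safe` apply output encoding for the text and attribute contexts, `sanitize_input` bounds and cleans input on the way in, and `csp_headers` returns a restrictive Content-Security-Policy. The sample comment and the exact CSP directives are constructed for the demo and should be tuned per application.

```python
import html
import re

# Constructed sample of user-supplied text containing markup.
SAMPLE_COMMENT = '<script>alert(document.cookie)</script> nice "post"'


def render_vulnerable(comment: str) -> str:
    """Raw interpolation: tags in the input become live markup in the page."""
    return f"<div class='comment'>{comment}</div>"


def render_safe(comment: str) -> str:
    """Output encoding for element content: <, >, &, ' and " become entities,
    so the browser shows the text literally and nothing executes."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def render_attribute_safe(value: str) -> str:
    """Output encoding for an attribute value; quote=True is essential here so
    the input cannot close the attribute and start a new one."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


# Input sanitization: strip control characters and cap the length.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_input(comment: str, max_len: int = 2000) -> str:
    """Cleans input on entry. This complements output encoding rather than
    replacing it; for rich-text input use a maintained allow-list sanitizer."""
    cleaned = CONTROL_CHARS.sub("", comment).strip()
    return cleaned[:max_len]


def csp_headers() -> dict:
    """Content-Security-Policy: scripts only from this origin, no inline
    scripts, no plugins, no framing. Assumed baseline policy for the demo."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_COMMENT))
    print(render_safe(sanitize_input(SAMPLE_COMMENT)))
    print(render_attribute_safe('" onmouseover="x'))
    print(csp_headers())
```

The encoded output contains `&lt;script&gt;` rather than a `<script>` tag, which is the "displayed as safe text" result the slide describes. Encoding is context-specific: the attribute helper exists because element-content encoding without quote handling would still let input break out of a quoted attribute. CSP is the backstop for anything the encoding misses, since a policy without `'unsafe-inline'` refuses to run injected inline scripts at all.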
Cross-Site Request Forgery (CSRF)
What is CSRF?
An attack that forces an authenticated user to perform unwanted actions without their knowledge.
Attack Demonstration
- Constructed a malicious link/request
- Victim clicked, executing an action (e.g., password change) without consent
Impact
Unauthorized transactions, account manipulation, data modification.
CSRF Defense Implementation
CSRF Tokens
Unique, secret tokens generated for each session to verify request origin.
Session Validation
Ensuring the user is authenticated and the session is active for sensitive actions.
SameSite Cookies
Restricting cookies to first-party context to prevent external triggering.
Result: Unauthorized external requests are blocked; only valid tokens are accepted.
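The three defenses above wired into a password-change handler, as an added example (Python, not from the project): a per-session token is generated with `secrets`, embedded in the form, and checked with a constant-time comparison; the handler refuses unauthenticated sessions; and the session cookie is issued with `SameSite=Lax` so it is not attached to cross-site POSTs. The `Session` class stands in for a server-side session store and the form fields are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for a server-side session record."""
    user: str
    authenticated: bool = True
    # CSRF token: unique per session, unguessable, never sent in the URL.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def session_cookie(session_id: str) -> str:
    """Set-Cookie value. SameSite=Lax keeps the cookie off cross-site POSTs
    (use Strict if the app never needs top-level cross-site navigation);
    HttpOnly and Secure are standard hardening."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def render_form(session: Session) -> str:
    """Every state-changing form carries the session's token as a hidden field."""
    return (
        '<form method="post" action="/change-password">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input type="password" name="new_password">'
        "<button>Change</button></form>"
    )


def change_password(session, form: dict) -> tuple:
    """Handler for a sensitive action. Returns (HTTP status, message)."""
    # Session validation: the caller must hold a live, authenticated session.
    if session is None or not session.authenticated:
        return 401, "not authenticated"
    # Token check: a forged cross-site request cannot know this value, and
    # compare_digest avoids leaking it through timing differences.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "invalid CSRF token"
    if not form.get("new_password"):
        return 400, "missing new_password"
    return 200, f"password changed for {session.user}"


if __name__ == "__main__":
    s = Session(user="alice")
    print(session_cookie("demo-session-id"))
    print(change_password(s, {"csrf_token": s.csrf_token, "new_password": "hunter3"}))
    print(change_password(s, {"new_password": "hunter3"}))  # no token: 403
```

A request that carries the session cookie but lacks the matching token is the CSRF case, and it is rejected with 403 even though the session itself is valid; only the application's own form, which was rendered with the token, can complete the action. The cookie attribute is a second layer that works even on endpoints whose token check was forgotten.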
Web Security Best Practices
Strategic Measures
- Secure Session Management: Timeouts, regeneration.
- HTTPS Enforcement: Encrypt data in transit.
- Regular Testing: Periodic vulnerability scans.
- Least Privilege: Minimum necessary access rights.
Benefit
Significantly reduced attack surface and improved overall application resilience.
Conclusion & Key Findings
Critical Vulnerability
Web applications are highly vulnerable to manipulation if input validation is missing.
Input Handling
Strict input handling is the first line of defense against SQLi and XSS.
Effectiveness
Properly implemented defenses (CSRF tokens, CSP, prepared statements) effectively neutralize attacks.
Conclusion: Understanding attacks and implementing defense mechanisms is essential for building secure web applications.
Reflection
This project helped me understand how real-world web attacks work and how insecure coding practices can lead to serious vulnerabilities. Performing attacks in a controlled environment gave me practical insight into attacker techniques.
The biggest challenge was understanding how small input validation mistakes can compromise entire applications. Implementing defenses helped me clearly see how security controls prevent attacks.
This assignment improved my confidence in web security testing and secure coding practices, which are essential skills for cybersecurity professionals.
- web-security
- cybersecurity
- sql-injection
- cross-site-scripting
- csrf-defense
- vulnerability-assessment
- secure-coding