OWASP

What is Web Application Security?


Since the beginning of existence, everything has needed to be protected or secured for the sake of peace, and human beings are no exception. Humans face danger and fall victim to crimes in many ways, one of which is cyber crime. In day-to-day life we all depend on the internet and the applications we use on it, and those applications can be turned against their users in any number of ways. A web application is simply an application that runs primarily in a browser to perform a task over the internet, according to the user’s needs. These applications are built with various techniques and languages in the hope of making it efficient for users to perform a specific task. As with every coin, the internet has two sides: it is home to excellent knowledge and, at the same time, home to crimes, often referred to as “cyber crime.” Web applications can be used for such activities: stealing money from someone, stealing their identity, corrupting or destroying a computer system, stealing sensitive data, and much more. Therefore it is necessary to secure ourselves against such crimes and prevent them from harming us.

The first question that comes to mind is, “What does web app security/pentesting mean?”

Since nothing in existence is perfect, neither is a computer system nor anything inside it. Web app security refers to the amount of protection, or the total layers of protection, applied to a web application. Web application pentesting means applying various methods or techniques to an application to draw out or highlight its vulnerability or vulnerabilities, so that those weaknesses can be patched and the application made secure and efficient. Penetration testing (often referred to as “pentesting”) is a technique of testing various nodes present on the internet to find their flaws and strengthen them.

Now we know what it is. The next question is, “Why is web application pentesting necessary?”

Well, everything in existence is flawed, regardless of what it is. These flaws can sometimes lead to something serious that ends in human suffering, whether emotional or physical. Web applications are no exception. What sets them apart from every other flawed entity is that their flaws can be removed and the application strengthened. Sealing these flaws matters because they can be used in a number of ways to harm a user, either virtually or physically. Let’s take a few instances of how, and what kind of, harm an attacker can cause a user by using these flaws, vulnerabilities or weaknesses.
Many tools exist that can be used to analyze a system’s security and find vulnerabilities that serve as a path to intrude into a system and cause destruction. Such tools can be used to secure a network and, at the same time, to create a severe threat. They include a vast number of tools such as “Metasploit,” one of the most influential and notorious tools for drawing out flaws and using them as an exploit against a system. Metasploit has over 2000 catalogued vulnerabilities, and if even one of them is present in a system, that system is as good as destroyed. “John the Ripper” is another tool, considered one of the fastest password crackers; it can be used to crack your Wi-Fi password, system password, password-protected files, encrypted files and more without much effort. Another powerful tool is “Maltego,” which can be used for open-source intelligence and digital forensics. An attacker can use this tool to recover the sensitive data that you have deleted or hidden and did not want anyone to get their hands on: an attacker can trace the bits of evidence of that file’s existence, reach its current location, and use those files to harm you. There are many more tools that an attacker can use to attack you or those close to you, in ways such as phishing scams, where an attacker lures you into using a website or application that seems genuine but is not, in order to obtain sensitive information; identity theft scams, where an attacker commits a criminal act while impersonating you; online harassment, where an attacker harasses or harms someone emotionally, which can end in a case of suicide; and many more threats like these.

HTTP Status Codes For Burp Suite Testing


I’ll preface the testing by noting that familiarity with the HTTP status codes is important: it helps us understand how the server is handling our attack packets. Below is a subset of HTTP status codes from OWASP that can be used as a point of reference:

Status code | Message | Description
200 | OK | Response to a successful REST API action. The HTTP method can be GET, POST, PUT, PATCH or DELETE.
201 | Created | The request has been fulfilled and the resource created. A URL for the created resource is returned in the Location header.
202 | Accepted | The request has been accepted for processing, but processing is not yet complete.
400 | Bad Request | The request is malformed, such as a message body format error.
401 | Unauthorized | Wrong or no authentication ID/password provided.
403 | Forbidden | Used when authentication succeeded, but the authenticated user doesn’t have permission to the requested resource.
404 | Not Found | When a non-existent resource is requested.
405 | Method Not Allowed | The error for an unexpected HTTP method. For example, the REST API is expecting HTTP GET, but HTTP PUT is used.
406 | Unacceptable | The client presented a content type in the Accept header which is not supported by the server API.
413 | Payload Too Large | Used to signal that the request size exceeded the given limit, e.g. regarding file uploads.
415 | Unsupported Media Type | The requested content type is not supported by the REST service.
429 | Too Many Requests | Used when a DoS attack may have been detected or the request is rejected due to rate limiting.
500 | Internal Server Error | An unexpected condition prevented the server from fulfilling the request. Be aware that the response should not reveal internal information that helps an attacker, e.g. detailed error messages or stack traces.
501 | Not Implemented | The REST service does not implement the requested operation yet.
503 | Service Unavailable | The REST service is temporarily unable to process the request. Used to inform the client it should retry later.
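As an added example (not part of the original post), a small Python helper that applies the table’s guidance to responses captured during testing: it maps each code to its meaning, flags a 201 with no Location header, notes rate limiting on a 429, and checks whether a 500 body leaks the stack traces or error detail the table says it should not. The sample responses are constructed, and the `triage` and `summarize` names are my own.

```python
import re

# Codes from the table above and their meaning.
STATUS_MEANING = {
    200: "OK", 201: "Created", 202: "Accepted", 400: "Bad Request",
    401: "Unauthorized", 403: "Forbidden", 404: "Not Found",
    405: "Method Not Allowed", 406: "Unacceptable", 413: "Payload Too Large",
    415: "Unsupported Media Type", 429: "Too Many Requests",
    500: "Internal Server Error", 501: "Not Implemented", 503: "Service Unavailable",
}

# Markers that a 500 body is leaking the internal detail the table warns about.
LEAK_PATTERN = re.compile(r"Traceback|Exception|\bat [\w.$]+\(|ORA-\d{5}|SQLSTATE", re.I)

def triage(status, headers, body):
    """Return (meaning, findings) for one response; findings are the
    observations the table's guidance tells a tester to note."""
    meaning = STATUS_MEANING.get(status, "not in OWASP table")
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    if status == 201 and "location" not in hdrs:
        findings.append("201 without Location header")
    if status == 429:
        note = "rate limiting or DoS detection triggered; slow down"
        if "retry-after" in hdrs:
            note += " (Retry-After: %s)" % hdrs["retry-after"]
        findings.append(note)
    if status == 500 and LEAK_PATTERN.search(body):
        findings.append("500 body reveals internal detail (stack trace / DB error)")
    return meaning, findings

def summarize(responses):
    """Count responses per status code to spot bursts of 4xx/5xx in a scan."""
    counts = {}
    for status, _, _ in responses:
        counts[status] = counts.get(status, 0) + 1
    return counts

# Constructed sample responses: (status, headers, body).
SAMPLES = [
    (200, {"Content-Type": "application/json"}, '{"ok": true}'),
    (201, {"Content-Type": "application/json"}, '{"id": 7}'),
    (429, {"Retry-After": "30"}, "slow down"),
    (500, {"Content-Type": "text/html"}, "Traceback (most recent call last):"),
]

if __name__ == "__main__":
    for status, headers, body in SAMPLES:
        print(status, *triage(status, headers, body))
    print(summarize(SAMPLES))
```

A 500 that is flagged as leaking is a finding in its own right, independent of whatever input triggered it.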