# Web Basics

Security Summer School

---

## Motivation

- Wide variety of Web applications
- Complexity of Web applications
- Ubiquitous

---

## Web

- Web vs Internet
- Popularity
- Attack surface

---

## Stateless HTTP

- Simple
- Without session: each request stands on its own, and the server keeps no memory of earlier requests unless the application adds one on top (typically a session cookie)

---

## Stateful FTP

- Session: the control connection persists, so the server tracks the login and the working directory across commands

---

## Security against whom?

- Neighbors that sniff your Wi-Fi
- Script kiddies that try to brute-force your website login
- Nation-state actors that hold exploits for undisclosed vulnerabilities in software you use

---

## Why?

- Financial gain
- Internet crime
- Cyber warfare
- Data breaches

---

## Status of Web Application Security

- Web application security is not a mature field
- The entry level to web development is low
- New exploits and exploitation methods are published frequently
- Security does not directly add revenue; in many cases it is viewed as an extra cost
- Complexity: many components from various sources, public APIs

---

## Good to know

- CVE (Common Vulnerabilities and Exposures): a public identifier for one specific vulnerability in one specific product
- 0-day vulnerability: a vulnerability for which no fix is available when it is exploited, because the vendor has had zero days to patch it
- CWE (Common Weakness Enumeration): a catalogue of vulnerability classes (for example SQL injection, buffer overflow), as opposed to individual instances

---

## Static Web Sites

- fast
- simple

---

## Dynamic Web Sites

- customizable
- complex

---

## Roots of Web Application insecurity

- Non-validated user input
- Programmer mistakes

---

## Web Application Framework

- Collection of pieces of software
- Eases development
- Common solutions for a wide variety of tasks

---

## Links

[OWASP Top 10](https://owasp.org/www-project-top-ten/) (first five entries of the 2021 list)

- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration

---

## Types of vulnerabilities on the web

- Browser vulnerabilities
- Server vulnerabilities
- Web application vulnerabilities

---

## Browser

- Software that displays pages and files on the web
- Interprets and displays HTML web pages, applications, JavaScript, CSS
- Plugins that extend its capabilities
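---

## Example: sessions on top of stateless HTTP

The "Stateless HTTP" slide says HTTP has no session; this added example (not part of the original deck) shows what that means in practice and how an application layers state on top anyway. The raw requests, the host name `example.test`, the `sid` cookie name and the tiny in-memory "server" are all constructed for the demo: the only thing that connects one request to another is the cookie the client chooses to send back.

```python
"""Sessions layered on stateless HTTP (added example for the 'Stateless HTTP' slide).

HTTP itself carries nothing from one request to the next. A web application
that needs state re-identifies the client on every request, almost always
with a session cookie that points into server-side storage. Everything
below is constructed for the demo: the raw requests, the host name and the
tiny in-memory 'server'.
"""
import secrets
from typing import Dict, List, Optional, Tuple

# Server-side session store: session id -> per-client state.
# This dictionary, not the protocol, is what remembers the client.
SESSIONS: Dict[str, Dict[str, int]] = {}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, path, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie (or Set-Cookie) header value, 'a=1; b=2', into a dict."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def handle(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Serve one request and return (status, response headers, body).

    A request without a known session cookie is anonymous: the server has
    no way to tell it apart from any other client, so it mints a fresh
    session. A request that presents a known cookie continues that
    session's counter. An unknown (e.g. forged) id is treated as anonymous.
    """
    method, path, headers = parse_request(raw)
    sid: Optional[str] = parse_cookies(headers.get("cookie", "")).get("sid")
    resp_headers = {"Content-Type": "text/plain"}

    if sid is None or sid not in SESSIONS:
        sid = secrets.token_urlsafe(16)  # unguessable id, never client-chosen
        SESSIONS[sid] = {"visits": 0}
        resp_headers["Set-Cookie"] = f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

    SESSIONS[sid]["visits"] += 1
    return 200, resp_headers, f"{method} {path}: visit #{SESSIONS[sid]['visits']}"


def build_request(path: str, sid: Optional[str] = None) -> str:
    """Constructed raw request; the Cookie header is the only link to earlier requests."""
    lines = [f"GET {path} HTTP/1.1", "Host: example.test"]
    if sid is not None:
        lines.append(f"Cookie: sid={sid}")
    return "\r\n".join(lines) + "\r\n\r\n"


def demo() -> List[str]:
    """Four requests showing what the server can and cannot remember."""
    bodies: List[str] = []

    # 1. First contact: anonymous, gets a new session and a Set-Cookie.
    _, hdrs, body = handle(build_request("/"))
    bodies.append(body)
    sid = parse_cookies(hdrs["Set-Cookie"])["sid"]

    # 2. Same client, but the cookie was dropped: to the server this is a stranger.
    bodies.append(handle(build_request("/"))[2])

    # 3. Cookie replayed: the server finds the stored state and continues it.
    bodies.append(handle(build_request("/profile", sid))[2])

    # 4. Guessed id: unknown to the store, so it is ignored and a new session issued.
    bodies.append(handle(build_request("/", "not-a-real-session"))[2])
    return bodies


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point to carry away: whoever holds the cookie *is* the user as far as the server can tell, which is why the id must be unguessable, why an unknown id must never be "trusted into" the store, and why the `HttpOnly`, `Secure` and `SameSite` attributes matter once this runs over a real network.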
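---

## Example: non-validated input becoming SQL

The "Roots of Web Application insecurity" slide names non-validated user input, and the OWASP list above names Injection; this added example (written for this page, not taken from the deck or from OWASP) shows the two meeting in a login check. The users table, the credentials and the attack strings are constructed for the demo. Note that the fix is not input validation but a parameterized query: validation is a useful second layer, but only parameterization keeps data from ever being parsed as SQL.

```python
"""Non-validated user input becoming SQL (added example for the 'Roots of Web
Application insecurity' slide and the OWASP 'Injection' entry).

A login check built by string concatenation lets the attacker rewrite the
query; the same check with a parameterized query does not. The users table,
the credentials and the attack strings are constructed for the demo;
passwords are stored in plaintext only to keep the example short (real code
stores a salted password hash).
"""
import sqlite3
from typing import Dict, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Vulnerable: user input is pasted into the SQL text, so quotes and
    comment markers in the input change the structure of the query."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Fixed: the SQL text is constant; values travel as bound parameters
    and are never interpreted as SQL, whatever characters they contain."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Run the honest login and two classic injection strings against both versions."""
    conn = make_db()
    # '--' starts an SQL comment, so the password check is cut off entirely.
    comment_bypass = "alice' --"
    # A tautology: AND binds tighter than OR, so the WHERE clause is true for every row.
    tautology = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "comment_vulnerable": login_vulnerable(conn, comment_bypass, "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", tautology),
        "legit_fixed": login_fixed(conn, "alice", "correct horse"),
        "comment_fixed": login_fixed(conn, comment_bypass, "wrong"),
        "tautology_fixed": login_fixed(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:22s} -> {row}")
```

Both attack strings log the attacker in as the first account in the table (here the admin) through `login_vulnerable` and are rejected by `login_fixed`; the query text never changed, only who controls its structure.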