CS

Webová bezpečnost

Web Security Guide

This comprehensive guide covers web application security, penetration testing methodologies, and defensive security practices based on OWASP standards and real-world security assessments.

OWASP Web Security Testing Guide (WSTG)

The OWASP Web Security Testing Guide provides a comprehensive framework for testing web applications. The methodology is organized into the following main categories:

Information Gathering

  • Purpose: Understand application structure, technologies, and attack surface
  • Techniques:
    • Subdomain enumeration
    • Technology fingerprinting
    • Input discovery
    • API endpoint mapping

Configuration and Deployment Management Testing

  • Server Configuration Issues:
    • Default credentials
    • Debug information disclosure
    • Unnecessary services running
    • Security headers misconfiguration

Identity Management Testing

  • Registration Process:
    • Weak password policies
    • Email verification bypass
    • Account enumeration
  • Credential Recovery:
    • Weak security questions
    • Token predictability
    • Rate limiting bypass

Authentication Testing

  • Login Mechanisms:
    • Brute force protection
    • Session management
    • Multi-factor authentication bypass
  • Common Vulnerabilities:
    • Username enumeration
    • Credential stuffing
    • Authentication bypass

Authorization Testing

  • Access Control Issues:
    • Insecure Direct Object References (IDOR)
    • Privilege escalation
    • Horizontal/vertical access violations
  • Role-Based Access Control:
    • Missing authorization checks
    • Business logic flaws

Session Management Testing

  • Cookie Security:
    • Secure/HttpOnly flags
    • SameSite attributes
    • Domain restrictions
  • Session Handling:
    • Session fixation attacks
    • Session hijacking
    • Concurrent session management

Input Validation Testing

  • Injection Attacks:
    • SQL Injection (SQLi)
    • Cross-Site Scripting (XSS)
    • Command Injection
    • LDAP Injection
  • Input Sanitization:
    • Improper encoding
    • Filter bypass techniques
    • Unicode normalization issues

Error Handling Testing

  • Information Disclosure:
    • Stack traces in production
    • Database error messages
    • Internal path disclosure
  • Error Response Analysis:
    • Verbose error messages
    • Debug information leakage

Cryptography Testing

  • Weak Algorithms:
    • Deprecated encryption methods
    • Insufficient key lengths
    • Predictable random number generation
  • Implementation Flaws:
    • Improper key management
    • Side-channel attacks
    • Padding oracle attacks

Business Logic Testing

  • Logic Flaws:
    • Application flow bypass
    • Parameter manipulation
    • Race conditions
  • Business Rule Violations:
    • Price manipulation
    • Quantity limitations bypass
    • Step skipping in workflows

Client-Side Testing

  • JavaScript Security:
    • DOM-based XSS
    • Client-side validation bypass
    • Sensitive data in client storage
  • UI Manipulation:
    • Hidden field modification
    • Client-side controls bypass

API Testing

  • REST API Security:
    • Authentication mechanisms
    • Authorization checks
    • Input validation
    • Rate limiting
  • GraphQL Security:
    • Query complexity limits
    • Introspection abuse
    • Schema exposure

Cross-Site Request Forgery (CSRF)

CSRF attacks force authenticated users to perform unwanted actions on web applications.

Drupal CSRF Protection

Route-Level Protection:

example:
  path: '/example'
  defaults:
    _controller: '\Drupal\example\Controller\ExampleController::content'
  requirements:
    # Be careful: the value is a string, not a boolean.
    _csrf_token: 'TRUE'

Programmatic Token Generation:

$url = Url::fromRoute('node_test.report', ['node' => $entity->id()]);
// $query may already have other parameters.
$query['token'] = \Drupal::service('csrf_token')->get($url->getInternalPath());
$url->setOption('query', $query);

Token Validation:

// Validate $token from GET parameter.
\Drupal::service('csrf_token')->validate($token, "node/{$entity->id()}/report");

Logout Route Example:

user.logout:
  path: '/user/logout'
  defaults:
    _controller: '\Drupal\user\Controller\UserController::logout'
  requirements:
    _user_is_logged_in: 'TRUE'
    _csrf_token: 'TRUE'
  options:
    _csrf_confirm_form_route: 'user.logout.confirm'

AJAX Token Retrieval: The system.csrftoken route provides /session/token for AJAX requests requiring CSRF tokens.

Common Security Vulnerabilities

SQL Injection

Vulnerable Code:

// DON'T DO THIS
$userId = $_GET['id'];
$query = "SELECT * FROM users WHERE id = $userId";

Secure Code:

// Use prepared statements
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$userId]);
$user = $stmt->fetch();

Cross-Site Scripting (XSS)

Reflected XSS:

// Vulnerable
echo $_GET['name'];

Secure Output:

// Escape output
echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');

Stored XSS:

  • User input stored in database
  • Displayed without sanitization
  • Affects all users viewing the content

DOM-based XSS:

  • Client-side JavaScript manipulation
  • Occurs in browser’s DOM
  • Server-side filtering may not help

Directory Traversal

Vulnerable Code:

// DON'T DO THIS
$file = $_GET['file'];
include("/var/www/html/" . $file);

Prevention:

// Sanitize input
$file = basename($_GET['file']);
$allowedFiles = ['file1.php', 'file2.php'];
if (!in_array($file, $allowedFiles)) {
    die('Access denied');
}
include("/var/www/html/" . $file);

Security Testing Tools

Web Application Scanners

OWASP ZAP:

  • Intercepting proxy
  • Automated scanner
  • Active/passive scanning
  • API testing capabilities

Burp Suite:

  • Professional web vulnerability scanner
  • Manual testing tools
  • Intruder for customized attacks
  • Repeater for request manipulation

Network Scanners

Nmap:

# Basic scan
nmap -sV -O target.com

# Service version detection
nmap -sV --version-intensity 5 target.com

# Script scanning
nmap -sC target.com

Password Testing

Hydra:

# HTTP POST form brute force
hydra -l admin -P passwords.txt -s 443 target.com https-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"

# SSH brute force
hydra -l root -P passwords.txt target.com ssh

Defensive Security Practices

Secure Coding Principles

  1. Defense in Depth: Multiple layers of security
  2. Fail-Safe Defaults: Secure by default configuration
  3. Least Privilege: Minimum required permissions
  4. Input Validation: All input is evil until proven otherwise
  5. Output Encoding: Proper encoding for output contexts

Security Headers

Content Security Policy (CSP):

Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"

HTTP Strict Transport Security (HSTS):

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

X-Frame-Options:

Header set X-Frame-Options "SAMEORIGIN"

X-Content-Type-Options:

Header set X-Content-Type-Options "nosniff"

Secure Session Management

Secure Session Configuration:

// php.ini
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = "Strict"
session.gc_maxlifetime = 3600

Session Security Best Practices:

  • Regenerate session IDs after login
  • Implement session timeouts
  • Store minimal data in sessions
  • Use secure random generators for session IDs

API Security

Authentication Methods:

  • JWT (JSON Web Tokens)
  • OAuth 2.0
  • API Keys
  • Mutual TLS

Rate Limiting:

limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
server {
    location /api/ {
        limit_req zone=api burst=20 nodelay;
    }
}

Database Security

Parameterized Queries:

// PDO prepared statements
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ? AND status = ?");
$stmt->execute([$email, $status]);

Least Privilege Database Users:

-- Create limited user for application
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'strong_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON myapp.* TO 'app_user'@'localhost';

Incident Response

Incident Response Process

  1. Preparation: Establish incident response plan
  2. Identification: Detect security incidents
  3. Containment: Limit damage and prevent spread
  4. Eradication: Remove root cause
  5. Recovery: Restore systems and monitor
  6. Lessons Learned: Document and improve

Log Analysis

Common Log Locations:

  • /var/log/apache2/access.log - Web server access
  • /var/log/auth.log - Authentication attempts
  • /var/log/syslog - System messages
  • Application-specific logs

Log Analysis Tools:

# Search for suspicious patterns
grep "failed password" /var/log/auth.log
grep "POST.*login" /var/log/apache2/access.log

# Monitor in real-time
tail -f /var/log/auth.log

Compliance and Standards

OWASP Top 10

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable Components
  7. Identification and Authentication Failures
  8. Software Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

Security Standards

  • ISO 27001: Information security management
  • NIST Cybersecurity Framework: Risk management
  • PCI DSS: Payment card industry standards
  • GDPR: Data protection regulations

This guide provides a comprehensive foundation for understanding web application security, from vulnerability assessment to defensive implementation and incident response.

← Back to Homepage