Hello, cyber-enthusiasts! Today, I'm taking a look at the Web Security Essentials room on TryHackMe. As we move away from desktop apps toward Cloud and SaaS models, understanding how to secure web-based applications is no longer optional; it's crucial.

Let's break down the fundamentals of web security, the infrastructure involved, and how to protect it, along with the answers to the room's tasks.

🚀 Task 1 & 2: Why the Web?

The shift from desktop apps to web apps means everything is now browser-based. While this brings convenience, it also means the application is internet-facing around the clock, giving attackers a 24/7 entry point to your data.

Real-World Examples

  • Equifax (2017): Attackers exploited an unpatched Apache Struts vulnerability in a public web application to steal the personal data of roughly 147 million people.
  • Capital One (2019): A misconfigured WAF (Web Application Firewall) running on a cloud instance was abused via server-side request forgery to obtain credentials from the instance metadata service, which were then used to read customer data from cloud storage.

โ“ Task 2 Questions

Q: Have applications shifted from desktop to web over the past couple of decades?

A: Yea

Q: Who is ultimately responsible for ensuring the security of users' data within a web application?

A: Web App Owner

๐Ÿ–ฅ๏ธ Task 3: Web Infrastructure

Before you can secure a website, you need to understand the Request-Response cycle. When you click a link, your browser sends an HTTP Request (a method such as GET, a path, and headers), and the server sends back an HTTP Response (a status code, headers, and a body such as a webpage).

This process relies on three main components:

  1. Application: The code and logic (PHP, JS, Python).
  2. Web Server: The software processing requests (Apache, Nginx, IIS).
  3. Host Machine: The physical/virtual OS running the server (Linux or Windows).
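To make the Request-Response cycle concrete, here is an added example (my own code, not part of the TryHackMe room) that parses a raw HTTP/1.1 request into its method, path, headers and body, and assembles the response a server would send back. The sample requests, the hostname `example.test` and the credentials in the POST body are constructed for illustration.

```python
# Added example (not from the room): a minimal parser for a raw HTTP/1.1
# request and a builder for the matching response, so the request/response
# cycle can be seen as bytes on the wire rather than as a diagram.
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request into request line, headers and body.

    Header names are case-insensitive in HTTP, so they are stored lower-cased.
    A malformed request line or header raises ValueError instead of being
    guessed at; a lenient parser is how request smuggling bugs start.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, path, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    # Only trust as many body bytes as Content-Length declares.
    length = int(headers.get("content-length", "0"))
    return HttpRequest(method, path, version, headers, body[:length])


def build_response(status: int, reason: str, body: bytes,
                   content_type: str = "text/html") -> bytes:
    """Assemble a response the browser can render: status line, headers, body."""
    head = (f"HTTP/1.1 {status} {reason}\r\n"
            f"Content-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode("iso-8859-1") + body


# Constructed sample: what a browser sends when you click a link to /index.html.
SAMPLE_GET = (b"GET /index.html HTTP/1.1\r\n"
              b"Host: example.test\r\n"
              b"User-Agent: Mozilla/5.0\r\n"
              b"Accept: text/html\r\n\r\n")

# Constructed sample: a login form submission, with the credentials in the body.
SAMPLE_POST = (b"POST /login.html HTTP/1.1\r\n"
               b"Host: example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 27\r\n\r\n"
               b"username=alice&password=s3c")

if __name__ == "__main__":
    req = parse_request(SAMPLE_GET)
    print(req.method, req.path, req.headers["host"])
    print(build_response(200, "OK", b"<h1>Hello</h1>").decode("iso-8859-1"))
```

Note that the credentials in the POST travel in the body in plain text; this is why the cycle has to run over HTTPS, otherwise anyone on the path can read the login.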

โ“ Task 3 Questions

Q: What does your web browser send to a server to receive a webpage?

A: Request

Q: What web server is most commonly used to host WordPress websites?

A: Apache

Q: What do we call the OS and environment that runs the web server and application?

A: Host Machine

๐Ÿ›ก๏ธ Task 4: Protecting the Web (Best Practices)

To truly harden a system, you need a Defense-in-Depth strategy:

  • For the Application: Use Input Validation. Example: Never trust user input. If a user puts HTML into a username field, validate the value against an allow-list on the way in and encode it on the way out, so it is rendered as text rather than executed as a script (XSS).
  • For the Web Server: Implement a WAF. Example: A WAF can detect and block traffic patterns associated with SQL Injection attacks. It is a filter in front of the application, not a replacement for fixing the vulnerable code behind it.
  • For the Host Machine: Apply the principle of Least Privilege. Example: If the web server only needs to read files, run it as a dedicated low-privilege account rather than as Administrator or root, so compromising the server does not hand the attacker the whole host.
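The XSS case from the first bullet, as an added example of my own rather than code from the room: a rendering function that interpolates the username straight into HTML, next to a hardened version that validates on input and encodes on output. The allow-list pattern, the payload and the function names are assumptions chosen for illustration.

```python
# Added example (not from the room): vulnerable vs hardened rendering of a
# user-supplied username, showing input validation and output encoding as
# two separate layers of XSS defence.
import html
import re

# Constructed attacker input: an HTML tag submitted in the username field.
PAYLOAD = "<script>alert(1)</script>"


def render_profile_vulnerable(username: str) -> str:
    """Interpolates user input straight into HTML: the tag becomes live markup."""
    return f"<p>Welcome back, {username}!</p>"


# Assumed allow-list: the characters a username legitimately needs, nothing more.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(username: str) -> str:
    """Input validation: reject anything outside the allow-list.

    Rejecting outright beats trying to 'clean' the value, because an
    attacker can usually craft input that survives a blacklist-style filter.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside [A-Za-z0-9_.-]")
    return username


def render_profile_hardened(username: str) -> str:
    """Output encoding: escape for the HTML context even after validation,
    so a later relaxation of the allow-list cannot silently reintroduce XSS."""
    safe = html.escape(validate_username(username), quote=True)
    return f"<p>Welcome back, {safe}!</p>"


def render_untrusted_display_name(name: str) -> str:
    """For free-text fields where validation must allow punctuation,
    encoding alone keeps the value inert inside an HTML text node."""
    return f"<p>Display name: {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    print(render_profile_vulnerable(PAYLOAD))       # script tag survives intact
    print(render_untrusted_display_name(PAYLOAD))   # rendered as harmless text
    try:
        render_profile_hardened(PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

`html.escape` is the right encoder for an HTML text node or quoted attribute; a value placed inside a `<script>` block or a URL needs the encoding for that context instead, which is why validating input alone is never the whole answer.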

โ“ Task 4 Questions

Q: What is the term for filtering and blocking harmful traffic based on defined rules?

A: Web Application Firewall

Q: What should you use to run services to limit potential damage?

A: Least Privilege

๐Ÿ” Task 5: Understanding Logs

Logs are a security analyst's best friend. The web server records every request it handles (client IP, timestamp, method, path, status code), which lets us reconstruct an attack timeline after the fact.

  • GET Request: "I want to view this page." (e.g., GET /index.html)
  • POST Request: "I am submitting data." (e.g., POST /login.html when submitting credentials).

By analyzing logs, you can spot anomalies, like a single IP address making hundreds of POST requests in one second (a brute-force attempt).
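The brute-force pattern described above, as an added example (my own code, not the room's): detection logic run over a handful of constructed Apache-style access log lines, flagging any client that sends a burst of POST requests to the login page. The log lines, IP addresses, login path and the threshold of five requests per second are all assumptions made for the example.

```python
# Added example (not from the room): parse Apache "combined" format access
# log lines and flag clients that POST to the login page in a tight burst.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Combined format: ip - - [time] "METHOD PATH PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for a line not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, path="/login.html",
                    window=timedelta(seconds=1), threshold=5) -> dict:
    """Return {ip: max POSTs to `path` seen within any `window`} for IPs at or
    above `threshold`.

    A sliding window per IP is used so a burst that straddles a one-second
    boundary is still counted together rather than split across two buckets.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            posts[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample log: one normal visitor and one client hammering the login form.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:12:00:03 +0000] "POST /login.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    '198.51.100.9 - - [10/Jan/2024:12:00:05 +0000] "POST /login.html HTTP/1.1" 401 213 "-" "python-requests/2.31"'
    for _ in range(6)
] + [
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {count} login POSTs within 1s")
```

The 401 responses in the burst are the other tell: a legitimate user who mistypes a password does not produce six failures in the same second from a scripted user agent.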

โ“ Task 5 Questions

Q: Which type of Web Application Firewall operates by running on the same system as the application itself?

A: Host-Based

Q: Which common WAF detection technique works by matching incoming requests against known malicious patterns?

A: Signature-Based

๐Ÿ Task 6: Practice Scenario

The room finishes with a hands-on exercise where we apply everything we've learned. We're given a new website, "Secure-A-Site," and we have to go through a checklist to harden all three layers:

  1. Securing the Web App: Apply fixes like validating input and setting secure access controls.
  2. Securing the Web Server: Enable proper logging and configure a WAF.
  3. Securing the Host Machine: Apply hardening principles, patch the OS, and enable antivirus.

โ“ Task 6 Questions

Q: What flag did you receive for securing the Web Application?

A: THM{web_app_secured!}

Q: What flag did you receive for securing the Web Server?

A: THM{server_security_expert!}

Q: What flag did you receive for securing the Host Machine?

A: THM{the_final_security_layer!}

๐Ÿ“ Summary

Web security is a continuous process of managing exposure. By understanding the infrastructure and applying defenses at each layer (application, web server, and host), you can drastically reduce risk, and the logs from each layer tell you whether those defenses are holding.