InfoSec Notes
Comprehensive overview of web application security, common vulnerabilities, OWASP Top 10, and the security mindset for protecting modern web applications.
What is Web Security?
Web security encompasses all measures taken to protect websites and web applications from cyber threats. As web applications process sensitive data and handle critical business logic, they become prime targets for attackers.
The OWASP Top 10 (2021)
The Open Web Application Security Project (OWASP) maintains the definitive list of critical web security risks:
| Rank | Vulnerability | Description | Impact |
|---|---|---|---|
| A01 | Broken Access Control | Users act outside intended permissions | Data theft, unauthorized actions |
| A02 | Cryptographic Failures | Sensitive data exposure | Data breaches |
| A03 | Injection | SQL, NoSQL, OS command injection | Full system compromise |
| A04 | Insecure Design | Missing security architecture | Fundamental vulnerabilities |
| A05 | Security Misconfiguration | Default configs, open cloud storage | Unauthorized access |
| A06 | Vulnerable Components | Outdated libraries/frameworks | Known exploit execution |
| A07 | Authentication Failures | Broken auth mechanisms | Account takeover |
| A08 | Software/Data Integrity | Untrusted updates, CI/CD issues | Supply chain attacks |
| A09 | Logging/Monitoring Failures | Missing audit trails | Undetected breaches |
| A10 | Server-Side Request Forgery | Server makes requests to unintended URLs | Internal network access |
Web Application Architecture & Attack Surface
HTTP Security Headers
The Security Development Lifecycle
| 1. Requirements | Security requirements, threat modeling |
| 2. Design | Security architecture, data flow diagrams |
| 3. Implementation | Secure coding practices, code review |
| 4. Testing | SAST, DAST, penetration testing |
| 5. Deployment | Hardened configs, security headers |
| 6. Maintenance | Patching, monitoring, incident response |
Common Web Vulnerabilities Quick Reference
# VULNERABLE vs SECURE code examples
# SQL Injection
# VULNERABLE:
query = f"SELECT * FROM users WHERE username = '{user_input}'"
# SECURE:
cursor.execute("SELECT * FROM users WHERE username = %s", (user_input,))
# XSS (Cross-Site Scripting)
# VULNERABLE:
html = f"<div>Welcome, {user_input}</div>"
# SECURE:
from markupsafe import escape
html = f"<div>Welcome, {escape(user_input)}</div>"
# Path Traversal
# VULNERABLE:
filepath = f"/uploads/{user_filename}"
# SECURE:
import os
safe_name = os.path.basename(user_filename)
filepath = os.path.join("/uploads", safe_name)Interview Questions
- What is the OWASP Top 10 and why is it important?
- It's a periodically updated list of the most critical web application security risks based on data from hundreds of organizations. It serves as an awareness document and baseline for web security testing, compliance, and secure development training.
- Explain the concept of defense in depth for web applications.
- Multiple security layers so if one fails, others protect: input validation + parameterized queries (against SQLi), CSP + output encoding (against XSS), WAF + application logic + rate limiting (against attacks). No single control is relied upon alone.
- What is the Same-Origin Policy and why does it matter?
- SOP restricts how scripts from one origin can interact with resources from another origin. An origin is defined by scheme + host + port. It prevents malicious scripts on one site from reading sensitive data from another site the user is logged into.
- How would you secure a REST API?
- Authentication (OAuth 2.0/JWT), authorization checks on every endpoint, input validation, rate limiting, HTTPS only, proper CORS configuration, security headers, API versioning, logging, and monitoring.
- What is the difference between authentication and session management vulnerabilities?
- Authentication vulnerabilities allow attackers to compromise identity verification (weak passwords, credential stuffing). Session management vulnerabilities allow attackers to hijack already-authenticated sessions (session fixation, token theft, inadequate expiration).
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Introduction to Web Security.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, web, introduction, introduction to web security
Related Information Security Topics