SQL Assign

This document provides an overview of server-side web development technologies and common web application security threats. It discusses PHP, MySQL, and Apache server for building web applications. Popular security vulnerabilities like SQL injection and cross-site scripting are explained. Tools for assessing vulnerabilities like Nmap, Wireshark and SQLMap are reviewed. The document recommends identifying and resolving security issues, updating applications, periodic network testing, and staff training to help secure web applications.

Uploaded by Mark Zapca

Table of Contents

1. Introduction 3
2. Server-side technologies 4
2.1. PHP 4
2.2. MySQL 4
2.3. Apache Server 4
2.4. Comparison and Critical Evaluation 4
3. Web application security threats and impacts 5
3.1. Web application security threats 5
3.2. Impact on business operation 7
4. Future enhancement 7
4.1. Critical discussion on used tools 7
4.2. Alternative methods of evaluating web vulnerabilities 8
5. Conclusion and Recommendations 8
6. References 9
 DIM18457528

1. Introduction
A web application is a program installed on a remote web server, delivered over the Internet, and driven by requests made over the HTTP protocol. Because many web developers are not well versed in security, gaps are left that become vulnerabilities. A vulnerability is a weakness in the system that allows an intruder to access data or to take complete control of an application. Following the research in the first part of the assessment, I discuss SQL injection, sensitive data exposure, and the use of components with known vulnerabilities. A wide range of scripting languages and technologies is available today for server-side processing and integration. Each has its own advantages and disadvantages, which makes choosing a suitable server environment difficult for developers starting a project.


Figure 1. Five standard web application security procedures (source: International Journal of Cloud Applications and Computing, September 2017)

2. Server-side technologies

2.1. PHP
PHP (PHP: Hypertext Preprocessor) is a server-side scripting language used to develop web-based applications. Its main characteristics are efficiency, security, simplicity, familiarity, and flexibility. As one of the most widely used web languages, PHP can process forms and add, remove, and modify records in a database. PHP can also restrict which users may access certain pages, and it can encrypt data (and hash passwords) before it is stored.

2.2. MySQL
MySQL is a fast relational database management system (RDBMS) that is easy to use, suitable for both small and large companies, and released under an open-source licence. MySQL handles large databases (up to 50 million rows or more in a table, according to the tutorial cited) and, being open source, can be customised: programmers can adjust the software to suit their own requirements.

2.3. Apache Server
Maintained by the Apache Software Foundation, Apache is the most widely adopted web server software. It is open-source software available free of charge, and according to the sources consulted it runs on 67% of all websites worldwide. It can be customised with extensions and modules to meet the needs of many different deployments.

2.4. Comparison and Critical Evaluation
Apache is a web server that hosts a web application and serves responses to requests from clients. Server-side application code written in PHP, Node.js (server-side JavaScript), Ruby on Rails, and so on is typically hosted on the Apache server. Apache itself has no direct relationship with an SQL database; it is the web application that stores data in an SQL database at the back end. PHP is a server-side scripting language used to build websites and implements the functionality of the web application; it is used almost exclusively for web development. MySQL, on the other hand, is a database used to store information, and it can serve a web application, a mobile application, or even a Windows desktop application.
The choice of server technology is very important. Even where the candidates offer similar capabilities and features, one must consider availability, ease of learning, software support and, last but not least, cost.

3. Web application security threats and impacts

3.1. Web application security threats
The browser and the web server perform many tasks to render a page on the user's screen. Users have gained a rich experience with the advent of Web 2.0, but this has also opened the door to attackers seeking unauthorised access to sensitive user and business data. As a result, security experts have begun to focus on the most common vulnerabilities. The Open Web Application Security Project (OWASP) publishes the "OWASP Top 10", a list of the ten most critical web application security risks. The literature reviewed for this assessment classifies web application vulnerabilities into three broad categories: technical vulnerabilities (60%), security vulnerabilities (25%), and configuration vulnerabilities (15%).

Figure 2. Breakdown of vulnerabilities in web applications

From those three categories, OWASP presented in 2017 its Top 10 Application Security Risks:

Figure 3. OWASP Top 10 Application Security Risks (source: partnerships.moodle.roehampton, Week 8)

3.2. Impact on business operation
With a changing business environment and advancing web technologies, web applications are in increasing demand in today's corporate, public and government services. Along with the convenience and efficiency they offer, these applications bring a series of security threats which, if not handled correctly, pose significant risks to a company's information technology infrastructure. Every organisation is unique, and so are the threat actors that target it, their goals, and the impact of any breach. For example, if a public-interest organisation uses a content management system (CMS) for public information and a health service uses the same CMS for sensitive health records, the threat actors and the impact on the organisation may differ even though the software is the same. Organisations need to understand the risks they are exposed to and the impact on the business if the necessary preventive measures are not taken.

4. Future enhancement
4.1. Critical discussion on used tools
During the first parts of the assessment we used several tools and methods: Nmap scanning, Wireshark sniffing, and SQL injection using sqlmap. All three are open-source security testing tools, and they helped detect the vulnerabilities of the website in the given scenario. Nmap, one of the oldest security tools still in use (released in 1997), identifies open ports and running services on remote hosts and, through its scripting engine, can check for some known vulnerabilities inside the network. Wireshark lets us analyse network traffic in real time; it is recognised for its ability to reveal security problems on any network and, not least, to troubleshoot general network faults. sqlmap is a penetration testing tool that automates the detection and exploitation of SQL injection flaws, with support for enumerating users, privileges, password hashes, databases, tables and columns.
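The SQL injection flaw named in the introduction and in section 3.1, and the automated detection that sqlmap performs (section 4.1), can be shown together in one small program. The following is an added example, not part of the original assignment and not sqlmap's own code: it uses Python with an in-memory SQLite database as a stand-in for a PHP/MySQL back end, a constructed `users` table, a deliberately vulnerable query built by string concatenation, its parameterized replacement, and a minimal boolean-based blind probe of the kind sqlmap automates. The function names (`lookup_vulnerable`, `lookup_safe`, `is_injectable`, `dump_users_via_union`), the schema and the sample rows are assumptions made for this example only.

```python
"""Added example (not from the original assignment or from sqlmap).
Python with an in-memory SQLite database stands in for a PHP/MySQL
back end; the users table and its rows are constructed sample data."""
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[str, str]
Lookup = Callable[[sqlite3.Connection, str], List[Row]]


def make_db() -> sqlite3.Connection:
    """Create the constructed sample database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """The classic mistake: user input is glued into the SQL text, so a quote
    in the input closes the string literal and the rest is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Row]:
    """The fix: a parameterized query. The statement text is fixed and the
    value is bound separately, so quotes in the input are only data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def _probe(lookup: Lookup, conn: sqlite3.Connection, value: str):
    """Run one request and return its observable outcome. A database error
    is itself an observable response (sqlmap also uses error-based inference)."""
    try:
        return ("rows", lookup(conn, value))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def is_injectable(lookup: Lookup, conn: sqlite3.Connection, base: str = "alice") -> bool:
    """Boolean-based blind detection, the logic sqlmap automates: append a
    tautology (always true) and a contradiction (always false) to a value
    that normally returns data. If the input reaches the SQL parser, the
    true case matches the baseline and the false case differs from it.
    A parameterized query treats both payloads as literal usernames, so
    the true case no longer matches the baseline and the check reports False."""
    baseline = _probe(lookup, conn, base)
    true_case = _probe(lookup, conn, base + "' AND '1'='1")
    false_case = _probe(lookup, conn, base + "' AND '1'='2")
    return baseline == true_case and true_case != false_case


def dump_users_via_union(conn: sqlite3.Connection) -> List[Row]:
    """Exploitation step once injection is confirmed: a UNION payload makes
    the vulnerable query return every row, mirroring sqlmap's table dump."""
    payload = "x' UNION SELECT username, role FROM users WHERE '1'='1"
    return lookup_vulnerable(conn, payload)


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", is_injectable(lookup_vulnerable, db))
    print("parameterized query injectable:", is_injectable(lookup_safe, db))
    print("dumped via UNION:", sorted(dump_users_via_union(db)))
```

The same three-request pattern (baseline, always-true, always-false) is what sqlmap sends against a real HTTP parameter; here the "response" is the result set rather than a page body, but the inference is identical. The parameterized version is not merely harder to attack: the probe fails against it because the payloads never reach the SQL parser.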

4.2. Alternative methods of evaluating web vulnerabilities

During our assignment it would have been possible to use tools other than those required. sqlninja, bundled with Kali Linux, is another SQL injection tool, dedicated to exploiting web applications that use Microsoft SQL Server as the back-end database. Canvas, a commercial exploitation framework, is credited in the tools survey cited here with over 800 exploits for remote network testing, retrieving passwords, taking screenshots of remote systems and modifying files on them, and it is also useful for port scanning and host discovery on medium and large networks. Another alternative is Wapiti, a command-line scanner written in Python; although it is not the most popular tool in this area, it readily finds security flaws in web applications such as SQL injection, XSS, file disclosure and others.

5. Conclusion and Recommendations

In conclusion, vulnerability assessment is very useful because it provides information about the security of the selected websites. In our assessment, vulnerabilities were found on all web hosts, which revealed that security issues exist. As technology evolves, new techniques for exploiting computer systems evolve with it, and it is important to be aware of them in order to combat security threats. It can be seen that managerial problems and management errors contribute greatly to security threats: administrators or web managers often fail to recognise certain threats, leaving the organisation exposed to a breach, and security issues are often resolved with short-term fixes, so the problems quickly return.
Based on the findings, it is recommended that all identified security issues be resolved; that applications on the web servers be updated or replaced with more secure ones; that network security be tested periodically, including memory-corruption and denial-of-service testing of the web servers; and, last but not least, that staff be trained in how to maintain network security.


6. References
Almin, S. B. (n.d.). Web Server Security and Survey on Web Application Security. (I. J. Communication, Ed.) Retrieved March 2020 from academia.edu: https://www.academia.edu/7197737/Web_Server_Security_and_Survey_on_Web_Application_Security

Detection, Avoidance, and Attack Pattern Mechanisms in Modern Web Application Vulnerabilities: Present and Future Challenges. (2017, July-September). International Journal of Cloud Applications and Computing. Retrieved from https://www.researchgate.net/publication/317014729_Detection_Avoidance_and_Attack_Pattern_Mechanisms_in_Modern_Web_Application_Vulnerabilities_Present_and_Future_Challenges/link/593192b0a6fdcc89e7a0bcb7/download

Leena Jacob, V. M. (n.d.). Web Application Security: A Survey. International Journal of Computer Science and Information Technologies. Retrieved April 2020 from http://www.ijcsit.com/

MySQL. (n.d.). Retrieved April 2020 from tutorialspoint.com: https://www.tutorialspoint.com/php/index.htm

PHP. (n.d.). Retrieved April 2020 from tutorialspoint.com: https://www.tutorialspoint.com/php/index.htm

Shiflett, C. (2005). Essential PHP Security. O'Reilly Media, Inc.

TEAM, S. (Ed.). (2018). Top 15 Ethical Hacking Tools Used by Infosec Professionals. Retrieved March 2020 from securitytrails.com: https://securitytrails.com/blog/top-15-ethical-hacking-tools-used-by-infosec-professionals

Vincent Appiah, M. A.-B. (2018). Survey of Websites and Web Application Security Threats Using Vulnerability Assessment. Science Publications, Journal of Computer Science. Retrieved 20 March 2020 from https://www.researchgate.net/publication/338022001_Survey_of_Websites_and_Web_Application_Security_Threats_Using_Vulnerability_Assessment/link/5e0b3f4c4585159aa4a715a6/download

Web Application Security. (n.d.). Retrieved 2020 from Roehampton Partnerships Moodle: https://partnerships.moodle.roehampton.ac.uk/course/view.php?id=813
