Analyzing the Security and Risk of WEB Applications

　　 1。 History of Network Application

In the early stage of the development of the Internet, the World Wide Web was composed of websites, which were basically information bases containing static documents. Later, people invented the web browser, through which they can retrieve and display those documents. This related information flow is only one-way from the server to the browser. Most websites do not verify the legitimacy of users, because it is unnecessary to do so; All users are treated equally and provide the same information. The security threats brought by website creation are mainly related to the vulnerabilities of network server software.  

Attackers cannot obtain any sensitive information through the intrusion of websites, because the information stored on the server can be viewed publicly. Therefore, attackers often modify the files on the server to distort the content of the website, or use the storage capacity and bandwidth of the server to spread "illegal software". Today's World Wide Web is completely different from the early World Wide Web. Most websites on the Internet are actually applications. They are powerful and realize the two-way information transmission between the server and the browser. They support registration and login, financial transaction, search and user created content. The content acquired by users is generated in a dynamic form, which can usually meet the special needs of each user. Many of the information they deal with is private and highly sensitive. Therefore, security issues are crucial: if people think that network applications will disclose their information to unauthorized visitors, they will refuse to use network applications.  

　　 Website development It brings new major security threats. Different applications have different vulnerabilities. Many applications are developed independently by developers, and many application developers know little about the security problems that may be caused by the code they write. In order to realize core functions, network applications usually need to establish connections with internal computer systems, which retain highly sensitive data and can perform powerful business functions. Fifteen years ago, if you needed to transfer money, you had to go to the bank and ask the bank staff to help you complete the transaction. Today, you can access the bank's web application and complete your own transfer transactions. Attackers who enter network applications can steal personal information, commit financial fraud or commit malicious acts against other users.

2. Network application security

Like any emerging technology, network applications have also brought a series of new security vulnerabilities. These common gaps also "keep pace with the times". Attacks that some developers did not consider when developing existing applications emerge in endlessly. Due to the strengthening of safety awareness, some problems have been solved. The development of new technology will also bring new loopholes. The improvement of web browser software has basically eliminated some defects. The most serious attacks on Wb applications are those that can expose sensitive data or gain unrestricted access to the backend system running the application. This highly targeted attack often occurs, but for many organizations, any attack that causes system interruption is a major event.  

By implementing application level denial of service attacks, you can achieve the same purpose as traditional resource exhaustion attacks against infrastructure. However, implementing these attacks usually requires more complex operations and is aimed at specific targets. For example, these attacks can be used to destroy specific users or services, thereby gaining a competitive advantage in areas such as finance and trade, gambling, online bidding and ticket booking.  

During the whole development process, there were no reports of well-known network applications being damaged. The situation does not seem to have improved, and there is no indication that these security issues have been resolved. It can be said that the field of network application security is the most important battlefield between computer resources and data maintainers today, and this situation will continue in the foreseeable future.