12/29/2015

What Are Web Applications?

Web Applications: What are They? What of Them?

Web Applications or Website Widgets
Over the past decade or so, the web has been embraced by millions of businesses as an
inexpensive channel to communicate and exchange information with prospects and transactions
with customers.
In particular, the web provides a way for marketers to get to know the people visiting their sites
and start communicating with them. One way of doing this is asking web visitors to subscribe to
newsletters, to submit an application form when requesting information on products or provide
details to customize their browsing experience when next visiting a particular website.
The web is also an excellent sales channel for a myriad of organizations, large or small: with over 1
billion Internet users today (source: Computer Industry Almanac, 2006), US e-commerce spending
accounted for $102.1 billion in 2006 (Source: comScore Networks, 2007).
All this data must be somehow captured, stored, processed and transmitted to be used
immediately or at a later date. Web applications, in the form of submit fields, enquiry and login
forms, shopping carts, and content management systems, are those website widgets that allow
this to happen.
They are, therefore, fundamental to businesses for leveraging their online presence thus creating
long-lasting and profitable relationships with prospects and customers.
No wonder web applications have become such a ubiquitous phenomenon. However, due to their
highly technical and complex nature, web applications are a widely unknown and a grossly
misunderstood fixture in our everyday cyber-life.

Web applications defined

From a technical view-point, the web is a highly programmable environment that allows mass
customization through the immediate deployment of a large and diverse range of applications, to
millions of global users. Two important components of a modern website are flexible web
browsers and web applications; both available to all and sundry at no expense.
Web browsers are software applications that allow users to retrieve data and interact with content
located on web pages within a website.
Todays websites are a far cry from the static text and graphics showcases of the early and midnineties: modern web pages allow personalized dynamic content to be pulled down by users
according to individual preferences and settings. Furthermore, web pages may also run client-side
scripts that change the Internet browser into an interface for such applications as web mail and
interactive mapping software (e.g., Yahoo Mail and Google Maps).
Most importantly, modern web sites allow the capture, processing, storage and transmission of
sensitive customer data (e.g., personal details, credit card numbers, social security information,
etc.) for immediate and recurrent use. And, this is done through web applications. Such features
as webmail, login pages, support and product request forms, shopping carts and content
management systems, shape modern websites and provide businesses with the means necessary
to communicate with prospects and customers. These are all common examples of web
applications.

http://www.acunetix.com/websitesecurity/web-applications/

1/6

12/29/2015

What Are Web Applications?

Web applications are, therefore, computer programs allowing website visitors to submit and
retrieve data to/from a database over the Internet using their preferred web browser. The data is
then presented to the user within their browser as information is generated dynamically (in a
specific format, e.g. in HTML using CSS) by the web application through a web server.
For the more technically oriented, Web applications query the content server (essentially a content
repository database) and dynamically generate web documents to serve to the client (people
surfing the website). The documents are generated in a standard format to allow support by all
browsers (e.g., HTML or XHTML). JavaScript (http://www.acunetix.com/websitesecurity/javascript/)
is one form of client side script that permits dynamic elements on each page (e.g., an image
changes once the user hovers over it with a mouse). The web browser is key it interprets and
runs all scripts etc. while displaying the requested pages and content. Wikipedia brilliantly terms
the web browser as the universal client for any web application.
Another significant advantage of building and maintaining web applications is that they perform
their function irrespective of the operating system and browsers running client side. Web
applications are quickly deployed anywhere at no cost and without any installation requirements
(almost) at the users end.
As the number of businesses embracing the benefits of doing business over the web increases, so
will the use of web applications and other related technologies continue to grow. Moreover, since
the increasing adoption of intranets and extranets, web applications become greatly entrenched in
any organizations communication infrastructures, further broadening their scope and possibility
of technological complexity and prowess.
Web applications may either be purchased off-the-shelf or created in-house.

How do web applications work?

The figure below details the three-layered web application model. The first layer is normally a web
browser or the user interface; the second layer is the dynamic content generation technology tool
such as Java servlets (JSP) or Active Server Pages (ASP), and the third layer is the database
containing content (e.g., news) and customer data (e.g., usernames and passwords, social security
numbers and credit card details).

(http://www.acunetix.com/wp-content/uploads/2012/10/web-apps.gif)

http://www.acunetix.com/websitesecurity/web-applications/

2/6

12/29/2015

What Are Web Applications?

The figure below shows how the initial request is triggered by the user through the browser over
the Internet to the web application server. The web application accesses the databases servers to
perform the requested task updating and retrieving the information lying within the database. The
web application then presents the information to the user through the browser.

Web Security (http://www.acunetix.com/websitesecurity/websecurity/) Issues

Despite their advantages, web applications do raise a number of security concerns stemming from
improper coding. Serious weaknesses or vulnerabilities, allow hackers to gain direct and public
access to databases in order to churn sensitive data. Many of these databases contain valuable
information (e.g., personal and financial details) making them a frequent target of hackers.
Although such acts of vandalism as defacing corporate websites are still commonplace, nowadays,
hackers prefer gaining access to the sensitive data residing on the database server because of the
immense pay-offs in selling the data.
In the framework described above, it is easy to see how a hacker can quickly access the data
residing on the database through a dose of creativity and, with luck, negligence or human error,
leading to vulnerabilities in the web applications.
As stated, websites depend on databases to deliver the required information to visitors. If web
applications are not secure, i.e., vulnerable to, at least one of the various forms of hacking
techniques, then your entire database of sensitive information is at serious risk.
Some hackers, for example, may maliciously inject code within vulnerable web applications to trick
users and redirect them towards phishing sites. This technique is called Cross-Site Scripting
(http://www.acunetix.com/websitesecurity/cross-site-scripting/) and may be used even though the
web servers and database engine contain no vulnerability themselves.
http://www.acunetix.com/websitesecurity/web-applications/

3/6

12/29/2015

What Are Web Applications?

Recent research shows that 75% of cyber attacks are done at web application level.

Websites and related web applications must be available 24 hours a day, 7 days a week, to
provide the required service to customers, employees, suppliers and other stakeholders.
Firewalls and SSL provide no protection against web application hacking, simply because access
to the website has to be made public All modern database systems (e.g. Microsoft SQL Server,
Oracle and MySQL) may be accessed through specific ports (e.g., port 80 and 443) and anyone
can attempt direct connections to the databases effectively bypassing the security mechanisms
used by the operating system. These ports remain open to allow communication with
legitimate traffic and therefore constitute a major vulnerability.
Web applications often have direct access to backend data such as customer databases and,
hence, control valuable data and are much more difficult to secure. Those that do not have
access will have some form of script that allows data capture and transmission. If a hacker
becomes aware of weaknesses in such a script, he may easily reroute unwitting traffic to
another location and illegitimately hive off personal details.
Most web applications are custom-made and, therefore, involve a lesser degree of testing than
off-the-shelf software. Consequently, custom applications are more susceptible to attack
Web applications, therefore, are a gateway to databases especially custom applications which are
not developed with security best practices and which do not undergo regular security audits. In
general, you need to answer the question: Which parts of a website we thought are secure are
open to hack attacks? and what data can we throw at an application to cause it to perform
something it shouldnt do?.
This is the work of a web vulnerability scanner.

Acunetix Web Vulnerability Scanner

http://www.acunetix.com/websitesecurity/web-applications/

4/6

12/29/2015

What Are Web Applications?

Proof of such exploits are readily available on the Internet and are the subject of discussion in
several press releases by Acunetix, a leading vendor of web application security products. Click
here (http://www.acunetix.com/vulnerability-scanner/) to learn more about Acunetix Web
Vulnerability Scanner.

Scanning for XSS vulnerabilities with Acunetix WVS Free Trial

To check whether your website has cross site scripting vulnerabilities, download the 14-day Trial of
Acunetix WVS (http://www.acunetix.com/vulnerability-scanner/download/). This version will scan
any website / web application for XSS vulnerabilities and it will also reveal all the essential
information related to it, such as the vulnerability location and remediation techniques. Scanning
for XSS is normally a quick exercise (depending on the size of the web-site).

Subscribe for Updates

Subscribe

Enter E-Mail

Learn More
SQL Injection (http://www.acunetix.com/websitesecurity/sql-injection/)
Cross-site Scripting (http://www.acunetix.com/websitesecurity/cross-site-scripting/)
Web Site Security (http://www.acunetix.com/websitesecurity/web-site-security/)
Directory Traversal (http://www.acunetix.com/websitesecurity/directory-traversal/)
AJAX Security (http://www.acunetix.com/websitesecurity/ajax/)
Troubleshooting Apache (http://www.acunetix.com/websitesecurity/troubleshooting-tips-forapache/)
WordPress Security (http://www.acunetix.com/websitesecurity/wordpress-security-top-tipssecure-wordpress-application/)

Find Us on Facebook

Acunetix
Like Page

10k likes

Product Information
HTML5 Security (http://www.acunetix.com/vulnerability-scanner/html5-website-security/)
AcuSensor Technology (http://www.acunetix.com/vulnerability-scanner/acusensor-technology/)
http://www.acunetix.com/websitesecurity/web-applications/

5/6

12/29/2015

What Are Web Applications?

DeepScan Technology (http://www.acunetix.com/vulnerability-scanner/crawling-html5-javascript-websites/)

Blind XSS Detection (http://www.acunetix.com/vulnerability-scanner/acumonitor-blind-xss-detection/)
Network Security Scanning (http://www.acunetix.com/vulnerability-scanner/network-security-scanner/)

Website Security
Cross-site Scripting (http://www.acunetix.com/websitesecurity/cross-site-scripting/)
SQL Injection (http://www.acunetix.com/websitesecurity/sql-injection/)
DOM-based XSS (http://www.acunetix.com/websitesecurity/improving-dom-xss-vulnerabilities-detection/)
CSRF Attacks (http://www.acunetix.com/websitesecurity/csrf-attacks/)
Directory Traversal (http://www.acunetix.com/websitesecurity/directory-traversal/)

Learn More
PHP Security (http://www.acunetix.com/websitesecurity/php-security-1/)
Web Service Security (http://www.acunetix.com/websitesecurity/web-services-wp/)
WordPress Security (http://www.acunetix.com/websitesecurity/wordpress-security-top-tips-secure-wordpressapplication/)
AJAX Application Security (http://www.acunetix.com/websitesecurity/ajax/)
PCI-DSS Compliance (http://www.acunetix.com/websitesecurity/pci-compliance-wp/)

Documentation
FAQs (http://www.acunetix.com/support/faq/)
Videos (http://www.acunetix.com/support/videos/)
Web Vulnerabilities (//acunetix.com/vulnerabilities/web/)
Network Vulnerabilities (//www.acunetix.com/vulnerabilities/network/)
Trojans and Backdoors (//www.acunetix.com/vulnerabilities/trojans/)

Acunetix, 2015 (http://www.acunetix.com)

About (http://www.acunetix.com/company/)

Acunetix Online Login (https://ovs.acunetix.com)

Pen-Testing Tools (http://www.acunetix.com/vulnerability-scanner/pen-testing-tools/)

Web Application Security (http://www.acunetix.com/vulnerability-scanner/web-application-security/)
JavaScript Security (http://www.acunetix.com/vulnerability-scanner/javascript-html5-security/)
HIPAA Compliance (http://www.acunetix.com/websitesecurity/hipaa-compliance-standards/)

http://www.acunetix.com/websitesecurity/web-applications/

6/6