7/9/2016

WhatAreWebApplications?

Web Applications: What are They? What of Them?

Web Applications or Website Widgets
Over the past decade or so, the web has been embraced by millions of businesses as an inexpensive channel
to communicate and exchange information with prospects and transactions with customers.
In particular, the web provides a way for marketers to get to know the people visiting their sites and start
communicating with them. One way of doing this is asking web visitors to subscribe to newsletters, to
submit an application form when requesting information on products or provide details to customize their
browsing experience when next visiting a particular website.
The web is also an excellent sales channel for a myriad of organizations, large or small: with over 1 billion
Internet users today (source: Computer Industry Almanac, 2006), US e-commerce spending accounted for
$102.1 billion in 2006 (Source: comScore Networks, 2007).
All this data must be somehow captured, stored, processed and transmitted to be used immediately or at a
later date. Web applications, in the form of submit elds, enquiry and login forms, shopping carts, and
content management systems, are those website widgets that allow this to happen.
They are, therefore, fundamental to businesses for leveraging their online presence thus creating longlasting and protable relationships with prospects and customers.
No wonder web applications have become such a ubiquitous phenomenon. However, due to their highly
technical and complex nature, web applications are a widely unknown and a grossly misunderstood xture
in our everyday cyber-life.

Web applications dened

From a technical view-point, the web is a highly programmable environment that allows mass customization
through the immediate deployment of a large and diverse range of applications, to millions of global users.
Two important components of a modern website are exible web browsers and web applications; both
available to all and sundry at no expense.
Web browsers are software applications that allow users to retrieve data and interact with content located
on web pages within a website.
Todays websites are a far cry from the static text and graphics showcases of the early and mid-nineties:
modern web pages allow personalized dynamic content to be pulled down by users according to individual
preferences and settings. Furthermore, web pages may also run client-side scripts that change the Internet
browser into an interface for such applications as web mail and interactive mapping software (e.g., Yahoo
Mail and Google Maps).
Most importantly, modern web sites allow the capture, processing, storage and transmission of sensitive
customer data (e.g., personal details, credit card numbers, social security information, etc.) for immediate
and recurrent use. And, this is done through web applications. Such features as webmail, login pages,
support and product request forms, shopping carts and content management systems, shape modern
websites and provide businesses with the means necessary to communicate with prospects and customers.
These are all common examples of web applications.
Web applications are, therefore, computer programs allowing website visitors to submit and retrieve data
to/from a database over the Internet using their preferred web browser. The data is then presented to the
user within their browser as information is generated dynamically (in a specic format, e.g. in HTML using
CSS) by the web application through a web server.
http://www.acunetix.com/websitesecurity/webapplications/

1/6

7/9/2016

WhatAreWebApplications?

For the more technically oriented, Web applications query the content server (essentially a content
repository database) and dynamically generate web documents to serve to the client (people surng the
website). The documents are generated in a standard format to allow support by all browsers (e.g., HTML or
XHTML). JavaScript (http://www.acunetix.com/websitesecurity/javascript/) is one form of client side script
that permits dynamic elements on each page (e.g., an image changes once the user hovers over it with a
mouse). The web browser is key it interprets and runs all scripts etc. while displaying the requested pages
and content. Wikipedia brilliantly terms the web browser as the universal client for any web application.
Another signicant advantage of building and maintaining web applications is that they perform their
function irrespective of the operating system and browsers running client side. Web applications are quickly
deployed anywhere at no cost and without any installation requirements (almost) at the users end.
As the number of businesses embracing the benets of doing business over the web increases, so will the
use of web applications and other related technologies continue to grow. Moreover, since the increasing
adoption of intranets and extranets, web applications become greatly entrenched in any organizations
communication infrastructures, further broadening their scope and possibility of technological complexity
and prowess.
Web applications may either be purchased o-the-shelf or created in-house.

How do web applications work?

The gure below details the three-layered web application model. The rst layer is normally a web browser
or the user interface; the second layer is the dynamic content generation technology tool such as Java
servlets (JSP) or Active Server Pages (ASP), and the third layer is the database containing content (e.g., news)
and customer data (e.g., usernames and passwords, social security numbers and credit card details).

(http://www.acunetix.com/wp-content/uploads/2012/10/web-apps.gif)
The gure below shows how the initial request is triggered by the user through the browser over the
Internet to the web application server. The web application accesses the databases servers to perform the
requested task updating and retrieving the information lying within the database. The web application then
presents the information to the user through the browser.

http://www.acunetix.com/websitesecurity/webapplications/

2/6

7/9/2016

WhatAreWebApplications?

Web Security (http://www.acunetix.com/websitesecurity/web-security/)

Issues
Despite their advantages, web applications do raise a number of security concerns stemming from improper
coding. Serious weaknesses or vulnerabilities, allow hackers to gain direct and public access to databases in
order to churn sensitive data. Many of these databases contain valuable information (e.g., personal and
nancial details) making them a frequent target of hackers. Although such acts of vandalism as defacing
corporate websites are still commonplace, nowadays, hackers prefer gaining access to the sensitive data
residing on the database server because of the immense pay-os in selling the data.
In the framework described above, it is easy to see how a hacker can quickly access the data residing on the
database through a dose of creativity and, with luck, negligence or human error, leading to vulnerabilities in
the web applications.
As stated, websites depend on databases to deliver the required information to visitors. If web applications
are not secure, i.e., vulnerable to, at least one of the various forms of hacking techniques, then your entire
database of sensitive information is at serious risk.
Some hackers, for example, may maliciously inject code within vulnerable web applications to trick users and
redirect
them
towards
phishing
sites.
This
technique
is
called
Cross-Site
Scripting
(http://www.acunetix.com/websitesecurity/cross-site-scripting/) and may be used even though the web
servers and database engine contain no vulnerability themselves.
Recent research shows that 75% of cyber attacks are done at web application level.

http://www.acunetix.com/websitesecurity/webapplications/

3/6

7/9/2016

WhatAreWebApplications?

Websites and related web applications must be available 24 hours a day, 7 days a week, to provide the
required service to customers, employees, suppliers and other stakeholders.
Firewalls and SSL provide no protection against web application hacking, simply because access to the
website has to be made public All modern database systems (e.g. Microsoft SQL Server, Oracle and
MySQL) may be accessed through specic ports (e.g., port 80 and 443) and anyone can attempt direct
connections to the databases eectively bypassing the security mechanisms used by the operating
system. These ports remain open to allow communication with legitimate trac and therefore constitute
a major vulnerability.
Web applications often have direct access to backend data such as customer databases and, hence,
control valuable data and are much more dicult to secure. Those that do not have access will have
some form of script that allows data capture and transmission. If a hacker becomes aware of weaknesses
in such a script, he may easily reroute unwitting trac to another location and illegitimately hive o
personal details.
Most web applications are custom-made and, therefore, involve a lesser degree of testing than o-theshelf software. Consequently, custom applications are more susceptible to attack
Web applications, therefore, are a gateway to databases especially custom applications which are not
developed with security best practices and which do not undergo regular security audits. In general, you
need to answer the question: Which parts of a website we thought are secure are open to hack attacks?
and what data can we throw at an application to cause it to perform something it shouldnt do?.
This is the work of a web vulnerability scanner.

Acunetix Web Vulnerability Scanner

Proof of such exploits are readily available on the Internet and are the subject of discussion in several press
releases by Acunetix, a leading vendor of web application security products. Click here
(http://www.acunetix.com/vulnerability-scanner/) to learn more about Acunetix Web Vulnerability Scanner.

Scanning for XSS vulnerabilities with Acunetix WVS Free Trial

http://www.acunetix.com/websitesecurity/webapplications/

4/6

7/9/2016

WhatAreWebApplications?

Scanning for XSS vulnerabilities with Acunetix WVS Free Trial

To check whether your website has cross site scripting vulnerabilities, download the 14-day Trial of Acunetix
WVS (http://www.acunetix.com/vulnerability-scanner/download/). This version will scan any website / web
application for XSS vulnerabilities and it will also reveal all the essential information related to it, such as the
vulnerability location and remediation techniques. Scanning for XSS is normally a quick exercise (depending
on the size of the web-site).

Subscribe for Updates

Subscribe

Enter E-Mail

Learn More
SQL Injection (http://www.acunetix.com/websitesecurity/sql-injection/)
Cross-site Scripting (http://www.acunetix.com/websitesecurity/cross-site-scripting/)
Web Site Security (http://www.acunetix.com/websitesecurity/web-site-security/)
Directory Traversal (http://www.acunetix.com/websitesecurity/directory-traversal/)
AJAX Security (http://www.acunetix.com/websitesecurity/ajax/)
Troubleshooting Apache (http://www.acunetix.com/websitesecurity/troubleshooting-tips-for-apache/)
WordPress Security (http://www.acunetix.com/websitesecurity/wordpress-security-top-tips-securewordpress-application/)
Drupal Security (http://www.acunetix.com/blog/articles/drupal-security-top-tips-to-secure-your-drupalapplication/)
Joomla! Security (http://www.acunetix.com/blog/articles/joomla-security-measures/)

Find Us on Facebook

Acunetix
LikePage

12klikes

Product Information
HTML5 Security (http://www.acunetix.com/vulnerability-scanner/html5-website-security/)
AcuSensor Technology (http://www.acunetix.com/vulnerability-scanner/acusensor-technology/)
DeepScan Technology (http://www.acunetix.com/vulnerability-scanner/crawling-html5-javascript-websites/)
Blind XSS Detection (http://www.acunetix.com/vulnerability-scanner/acumonitor-blind-xss-detection/)
http://www.acunetix.com/websitesecurity/webapplications/

5/6

7/9/2016

WhatAreWebApplications?

Network Security Scanning (http://www.acunetix.com/vulnerability-scanner/network-security-scanner/)

Website Security
Cross-site Scripting (http://www.acunetix.com/websitesecurity/cross-site-scripting/)
SQL Injection (http://www.acunetix.com/websitesecurity/sql-injection/)
DOM-based XSS (http://www.acunetix.com/websitesecurity/improving-dom-xss-vulnerabilities-detection/)
CSRF Attacks (http://www.acunetix.com/websitesecurity/csrf-attacks/)
Directory Traversal (http://www.acunetix.com/websitesecurity/directory-traversal/)

Learn More
PHP Security (http://www.acunetix.com/websitesecurity/php-security-1/)
Web Service Security (http://www.acunetix.com/websitesecurity/web-services-wp/)
WordPress Security (http://www.acunetix.com/websitesecurity/wordpress-security-top-tips-secure-wordpress-application/)
AJAX Application Security (http://www.acunetix.com/websitesecurity/ajax/)
PCI Compliance (http://www.acunetix.com/websitesecurity/pci-compliance-wp/)

Documentation
FAQs (http://www.acunetix.com/support/faq/)
Videos (http://www.acunetix.com/support/videos/)
Web Vulnerabilities (//acunetix.com/vulnerabilities/web/)
Network Vulnerabilities (//www.acunetix.com/vulnerabilities/network/)
Trojans and Backdoors (//www.acunetix.com/vulnerabilities/trojans/)

Acunetix, 2016 (http://www.acunetix.com)

About (http://www.acunetix.com/company/)

Acunetix Online Login (https://ovs.acunetix.com)

Pen-Testing Tools (http://www.acunetix.com/vulnerability-scanner/pen-testing-tools/)

Web Application Security (http://www.acunetix.com/vulnerability-scanner/web-application-security/)
JavaScript Security (http://www.acunetix.com/vulnerability-scanner/javascript-html5-security/)
HIPAA Compliance (http://www.acunetix.com/websitesecurity/hipaa-compliance-standards/)

http://www.acunetix.com/websitesecurity/webapplications/

6/6