Introduction to Web Applications

Introduction to Web Applications provides a foundational understanding of how modern web applications work, covering core concepts such as client–server architecture, frontend and backend technologies

1. Introduction to Web Applications

A web application is an interactive software system accessed via a web browser that processes user input, applies business logic on the server, and returns dynamic responses.

Key Characteristics

  • Runs over HTTP/HTTPS

  • Platform-independent (browser-based)

  • Combines front end, back end, and database

  • Highly exposed attack surface

Web Application vs Website

  Feature          Website    Web Application
  Content          Static     Dynamic
  Interaction      Minimal    High, user-specific
  Authentication   Rare       Common
  Attack Surface   Low        High


2. Web Application Architecture

Client–Server Model

  • Client: Browser or mobile app sending HTTP requests

  • Server: Processes requests and returns responses

Architecture Models

  • Single-tier: Everything on one server

  • Multi-tier: Web, App, DB separated

  • Microservices: Independent services communicating via APIs

  • Serverless: Cloud-managed execution (AWS Lambda, etc.)

Security Implication

Every added tier, service, or managed runtime is another component to configure, authenticate, and patch, so attack surface and misconfiguration risk grow with the architecture.


3. Front End vs Back End

Front End

Runs entirely in the browser.

Technologies

  • HTML – structure

  • CSS – styling

  • JavaScript – logic

Security Notes

  • Client-side validation is NOT security

  • Source code is always visible

  • Main target for XSS

Back End

Runs on the server.

Responsibilities

  • Authentication & authorization

  • Business logic

  • Database interaction

  • Session handling

Security Notes

  • Trust boundary

  • Source code usually hidden

  • Target for SQLi, command injection, logic flaws


4. HTML (HyperText Markup Language)

Purpose

Defines structure and content of a web page.

Common Elements

  • <html>, <head>, <body>

  • <h1> to <h6> headings

  • <form>, <input>, <textarea>

  • <img>, <a>

HTML Injection

Occurs when user input is inserted into an HTML response without output encoding, so the attacker's input is parsed as markup instead of being shown as text.

Example:

Payload:

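The following is an added example (not code from the original page) showing the injection this section describes and the output encoding that stops it. It assumes a hypothetical profile page whose template, payloads and helper names are constructed here; Python's html.escape stands in for whatever encoder the real framework applies.

```python
import html
import re

# Constructed sample (not from the page): a profile page that echoes a name
# taken straight from the request, once in element text and once inside a
# quoted attribute.
TEMPLATE = (
    "<h1>Welcome, {name}</h1>\n"
    '<input type="text" name="nick" value="{name}">'
)

# Constructed payloads: the first breaks out of the element context, the
# second out of the attribute context (no angle brackets needed).
PAYLOAD_ELEMENT = '<img src=x onerror="alert(document.cookie)">'
PAYLOAD_ATTRIBUTE = '" autofocus onfocus="alert(1)'


def render_vulnerable(name: str) -> str:
    """Drops raw user input into the markup: HTML injection / XSS."""
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Encodes for HTML before insertion. quote=True (the default) also turns
    " and ' into entities, which is what keeps the attribute context closed."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def is_injected(rendered: str) -> bool:
    """Did user input add a tag or an event-handler attribute that the
    template itself never contained? (Demo check, not a production filter.)"""
    extra_tags = rendered.count("<") > TEMPLATE.count("<")
    handler = re.search(r'\bon\w+\s*=\s*"', rendered) is not None
    return extra_tags or handler


if __name__ == "__main__":
    for payload in (PAYLOAD_ELEMENT, PAYLOAD_ATTRIBUTE):
        print("vulnerable:", render_vulnerable(payload))
        print("safe:      ", render_safe(payload))
```

html.escape is only correct for HTML element and quoted-attribute contexts; input that lands inside a script block, a URL, or an unquoted attribute needs the encoder for that context.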

5. CSS (Cascading Style Sheets)

Purpose

Controls layout, color, fonts, and responsiveness.

Syntax

Security Context

  • Rarely a direct vulnerability on its own

  • Can assist other attacks: injected CSS can leak page data (attribute-selector exfiltration), and styling tricks enable UI redress / clickjacking


6. JavaScript

Purpose

Adds interactivity and logic on the client side.

Common Uses

  • DOM manipulation

  • Event handling

  • Fetching APIs

  • Form validation

DOM-Based XSS

Occurs when JavaScript writes untrusted data to the DOM.

Dangerous sinks:

  • innerHTML

  • document.write()

  • eval()


7. Web Servers

Role

  • Accept HTTP requests

  • Serve static content

  • Forward dynamic requests to app

Common Web Servers

  • Apache

  • Nginx

  • IIS

HTTP Request Flow

Client → Web Server → Application → Database → Response

HTTP Status Codes

  • 2xx: Success

  • 3xx: Redirect

  • 4xx: Client error

  • 5xx: Server error


8. Back-End Servers & Stacks

Common Technology Stacks

  • LAMP: Linux + Apache + MySQL + PHP

  • WAMP: Windows + Apache + MySQL + PHP

  • MEAN: MongoDB + Express + Angular + Node.js

OS Role

  • Linux & Windows dominate

  • OS misconfigurations can lead to full compromise


9. Databases

Relational Databases (SQL)

  • Tables, rows, columns

  • Strong schema

  • Examples: MySQL, PostgreSQL, MSSQL

Non-Relational Databases (NoSQL)

  • Key-value, document, graph

  • Flexible schema

  • Examples: MongoDB, Redis

Database Risks

  • SQL Injection

  • Weak credentials

  • Exposed backups


10. Development Frameworks & APIs

Frameworks

  • Django / Flask (Python)

  • Spring (Java)

  • ASP.NET (C#)

  • Express (Node.js)

APIs

Enable communication between systems.

REST

  • Uses HTTP methods

  • JSON responses

  • Stateless

SOAP

  • XML-based

  • Strict schema

  • Less common today


11. Common Web Vulnerabilities

Broken Authentication & Access Control

  • IDOR

  • Missing role checks

  • Forced browsing

HTML Injection

  • Input rendered as HTML

Cross-Site Scripting (XSS)

  • Reflected

  • Stored

  • DOM-based

Cross-Site Request Forgery (CSRF)

  • Abuse of authenticated sessions

  • Missing CSRF tokens

Sensitive Data Exposure

  • Credentials in HTML/JS

  • Debug endpoints

  • Exposed backups

File Upload Vulnerabilities

  • Web shell upload

  • Extension bypass

Command Injection

  • OS command execution via input

SQL Injection

  • Data theft

  • Auth bypass

  • Potential RCE
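Added example for the SQL injection items in section 9 (Database Risks) and here, not code from the page: a login lookup written twice against a constructed SQLite table, once by string formatting and once parameterized, with the payloads that bypass the first. Table contents, payloads and function names are assumptions made for the example.

```python
import hashlib
import sqlite3


def _hash(pw: str) -> str:
    # A salted, slow password hash (argon2id or bcrypt) belongs here; sha256
    # is used only to keep the example stdlib-only.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with sample accounts (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", _hash("correct-horse-battery")), (2, "alice", _hash("alice-pw"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the statement by string formatting, so quote and comment
    characters in the username become SQL. Returns the user id or None."""
    query = (
        "SELECT id FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, _hash(password))
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterized statement: the SQL text is fixed and the values travel
    separately, so the same payloads are compared literally and fail."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


# Constructed payloads. Both go in the username field; the "--" comments out
# the password check. A bare ' OR '1'='1 in the username would NOT work
# here, because AND binds tighter than OR and the hash check still applies.
PAYLOAD_COMMENT = "admin'--"
PAYLOAD_TAUTOLOGY = "' OR 1=1--"


def demo():
    conn = make_db()
    return {
        "vuln_comment": login_vulnerable(conn, PAYLOAD_COMMENT, "x"),
        "vuln_tautology": login_vulnerable(conn, PAYLOAD_TAUTOLOGY, "x"),
        "safe_comment": login_safe(conn, PAYLOAD_COMMENT, "x"),
        "safe_tautology": login_safe(conn, PAYLOAD_TAUTOLOGY, "x"),
        "safe_real_user": login_safe(conn, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized form is the fix; escaping quotes by hand is not, because it has to be repeated correctly for every database dialect and every context (numbers, identifiers, LIKE patterns) the query uses.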


12. Public Vulnerabilities & CVEs

CVE

  • Public vulnerability identifier

CVSS Scoring

CVSS v3.x qualitative severity ratings:

  Severity   Score
  None       0.0
  Low        0.1–3.9
  Medium     4.0–6.9
  High       7.0–8.9
  Critical   9.0–10.0


13. Attacking Web Applications (Methodology)

Step 1: Recon & mapping

Gather information about the target, discover endpoints, subdomains, and technologies.

Step 2: Identify inputs

Find all input vectors: parameters, headers, cookies, file uploads, and third-party integrations.

Step 3: Trace data flow

Follow how input moves through the application to understand processing and transformations.

Step 4: Reach sinks

Locate dangerous sinks where untrusted data impacts behavior (DB queries, command execution, HTML rendering).

Step 5: Chain vulnerabilities

Combine multiple issues to achieve a more impactful result (auth bypass, RCE, data exfiltration).

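As an added example for the "identify inputs" step, not from the page: a parser that maps every form field and URL parameter in a response body, which is the inventory the later steps trace to sinks. The sample page, the base URL and the class and function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed sample response body (hypothetical app, not from the page).
SAMPLE_PAGE = """\
<html><body>
<a href="/search?q=test&amp;sort=asc">Search</a>
<a href="https://other.example/profile?id=7">Profile</a>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="abc123">
  <button type="submit">Go</button>
</form>
<form action="/upload" method="POST" enctype="multipart/form-data">
  <input type="file" name="avatar">
  <textarea name="bio"></textarea>
  <select name="visibility"><option>public</option></select>
</form>
</body></html>
"""


class InputMapper(HTMLParser):
    """Collects every form (action, method, enctype, named fields) and every
    link that carries query parameters. Hidden fields and file inputs are
    kept on purpose: they are inputs the server trusts or parses."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.forms, self.links = [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {
                "action": urljoin(self.base, a.get("action") or ""),
                "method": (a.get("method") or "get").upper(),
                "enctype": a.get("enctype") or "application/x-www-form-urlencoded",
                "inputs": [],
            }
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form and a.get("name"):
            kind = a.get("type") or ("text" if tag == "input" else tag)
            self._form["inputs"].append((a["name"], kind.lower()))
        elif tag == "a" and a.get("href"):
            url = urljoin(self.base, a["href"])
            params = sorted(parse_qs(urlparse(url).query))
            if params:
                self.links.append((url, params))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def map_inputs(body: str, base_url: str = "https://app.example/"):
    parser = InputMapper(base_url)
    parser.feed(body)
    parser.close()
    return {"forms": parser.forms, "links": parser.links}


def parameter_names(mapped) -> list:
    """Flat, de-duplicated list of every parameter name to test next."""
    names = {n for f in mapped["forms"] for n, _ in f["inputs"]}
    names |= {p for _, params in mapped["links"] for p in params}
    return sorted(names)


if __name__ == "__main__":
    mapped = map_inputs(SAMPLE_PAGE)
    for form in mapped["forms"]:
        print(form["method"], form["action"], form["inputs"])
    print(parameter_names(mapped))
```

Headers and cookies are not in the HTML, so this inventory is only the body-visible part of the attack surface; the request and response headers from the same recon pass complete it.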

14. Defensive Concepts

  • Input validation

  • Output encoding

  • Authentication hardening

  • Authorization checks

  • Secure headers

  • Logging & monitoring
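Added example, not the page's own code, showing two of the items above in one minimal WSGI app: secure headers on every response, and a per-session CSRF token checked in constant time on state-changing POSTs. The session store, cookie handling and route are constructed for the example; a real app would set the sid cookie with HttpOnly, Secure and SameSite attributes, which the in-process client here does not exercise.

```python
import hmac
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Response headers every route gets. A reasonable baseline for a plain HTML
# app; the CSP in particular must be tuned to what the site actually loads.
SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "no-referrer"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

# Constructed in-memory session store (a real app uses a server-side store).
SESSIONS = {}


def new_session(user: str) -> str:
    """Create a session and bind a fresh CSRF token to it; the returned sid is
    what a real app would send in Set-Cookie with HttpOnly; Secure; SameSite=Lax."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def app(environ, start_response):
    """WSGI app: GET returns the form's token; POST changes the e-mail address
    only if the submitted token matches the one bound to the session."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    session = SESSIONS.get(cookies["sid"].value) if "sid" in cookies else None
    if session is None:
        return _respond(start_response, "401 Unauthorized", "login required")
    if environ["REQUEST_METHOD"] == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        sent = form.get("csrf", [""])[0]
        # Constant-time comparison against the session's token.
        if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
            return _respond(start_response, "403 Forbidden", "missing or bad csrf token")
        session["email"] = form.get("email", [""])[0]
        return _respond(start_response, "200 OK", "email changed")
    return _respond(start_response, "200 OK", "token " + session["csrf"])


def _respond(start_response, status, body):
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")] + SECURITY_HEADERS)
    return [body.encode()]


def call(method="GET", cookie="", body=b""):
    """Tiny in-process client: returns (status, headers, body) without a network."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/email", "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    out = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], out


def demo():
    """Legitimate POST carries the token; a cross-site forged POST cannot,
    because the attacker's page never sees the victim's token."""
    sid = new_session("alice")
    _, headers, page = call(cookie="sid=" + sid)
    token = page.split()[-1]
    return {
        "nosniff": headers.get("X-Content-Type-Options"),
        "legit": call("POST", "sid=" + sid, ("csrf=%s&email=a@example" % token).encode())[0],
        "forged": call("POST", "sid=" + sid, b"email=attacker@evil.example")[0],
        "no_session": call("POST", "", b"email=x")[0],
    }


if __name__ == "__main__":
    print(demo())
```

The token works because the browser attaches the cookie automatically but not the form field; a SameSite cookie attribute adds a second, independent layer against the same attack.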


15. Learning Path Forward

  • HTTP deep dive

  • Manual testing

  • Source code review

  • OWASP Top 10 mastery

  • Real-world lab practice


16. Resources & Further Reading

Web Application Fundamentals

  • https://en.wikipedia.org/wiki/Web_application

  • https://en.wikipedia.org/wiki/Client%E2%80%93server_model

  • https://en.wikipedia.org/wiki/Three-tier_architecture

  • https://aws.amazon.com/microservices/

  • https://cloud.google.com/learn/what-is-a-web-application


Frontend Technologies

HTML

  • https://developer.mozilla.org/en-US/docs/Web/HTML

  • https://www.w3.org/TR/html52/

  • https://www.w3schools.com/html/

CSS

  • https://developer.mozilla.org/en-US/docs/Web/CSS

  • https://www.w3schools.com/css/

  • https://www.w3.org/Style/CSS/Overview.en.html

JavaScript

  • https://developer.mozilla.org/en-US/docs/Web/JavaScript

  • https://developer.mozilla.org/en-US/docs/Web/API

  • https://www.w3schools.com/js/


Web Servers & Backend

  • https://httpd.apache.org/docs/

  • https://nginx.org/en/docs/

  • https://learn.microsoft.com/en-us/iis/

  • https://en.wikipedia.org/wiki/Web_server

  • https://developer.mozilla.org/en-US/docs/Learn/Server-side


Databases

Relational (SQL)

  • https://en.wikipedia.org/wiki/Relational_database

  • https://dev.mysql.com/doc/

  • https://learn.microsoft.com/en-us/sql/

  • https://www.postgresql.org/docs/

Non-Relational (NoSQL)

  • https://en.wikipedia.org/wiki/NoSQL

  • https://www.mongodb.com/nosql-explained

  • https://redis.io/docs/


Web Security & Vulnerabilities

OWASP

  • https://owasp.org/www-project-top-ten/

  • https://cheatsheetseries.owasp.org/

  • https://owasp.org/www-community/attacks/

Common Attacks

  • https://owasp.org/www-community/attacks/xss/

  • https://owasp.org/www-community/attacks/csrf

  • https://owasp.org/www-community/attacks/SQL_Injection

  • https://owasp.org/www-community/attacks/Command_Injection


Testing & Offensive Security

  • https://portswigger.net/web-security

  • https://portswigger.net/burp

  • https://www.exploit-db.com/

  • https://attack.mitre.org/


Public Vulnerabilities & CVSS

  • https://cve.mitre.org/

  • https://nvd.nist.gov/

  • https://www.first.org/cvss/

  • https://www.cvedetails.com/
