A web application is an application that runs on a remote server and is accessed through a client. A web app can take the form of services such as Microsoft’s Office 365 or Netflix. The application is presented through a client interface such as a browser or another piece of software.
Web applications have become incredibly popular over the last few years because they provide tremendous flexibility and power. These apps can be written to offer their services to a specific platform, or they can be platform agnostic and thus able to offer the same functionality across architectures.
When mobile computing is brought into play, the picture becomes even more interesting, as some apps are created to run locally whereas others are pure web apps. Web apps are designed to run across platforms, and native apps are designed for, or targeted toward, a specific platform or environment.
In this chapter we will explore web applications and how to attack and compromise them.
Exploring the Client-Server Relationship
Before we discuss the client-server relationship, you must understand the types of individuals who will be interacting with a web server. Typically you break them into three classes, each with their own specific needs and concerns:
Server Administrators: These individuals are typically concerned with the safety, security, and functioning of the web server from an operational standpoint. They try to configure the system and remove vulnerabilities before they become problems. For some server administrators, this has become an almost impossible task because web servers and the applications that run on them have become increasingly complex and powerful, with many unknown or undocumented features.
Network Administrators: These individuals are concerned with the infrastructure and functioning of the network as a whole. They look for operational and security issues and attempt to deal with them.
End Users: Those in this category interact with the web server and application as consumers and users of information. These individuals think less about the technical details than about getting the services they want, when they want them. Making this more of an issue is the simple fact that the web browser they use to access this content can allow threats to bypass their own or the company’s firewall and have a free ride into the internal network.