In the early days of the Internet, the World Wide Web consisted only of web
sites. These were essentially information repositories containing static documents.
Web browsers were invented as a means of retrieving and displaying
those documents, as shown in Figure 1-1. The flow of interesting information
was one-way, from server to browser. Most sites did not authenticate users,
because there was no need to. Each user was treated in the same way and was
presented with the same information. Any security threats arising from hosting
a website were related largely to vulnerabilities in web server software (of
which there were many). If an attacker compromised a web server, he usually
would not gain access to any sensitive information, because the information
held on the server was already open to public view. Rather, an attacker typically
would modify the files on the server to deface the web site’s contents or use the
server’s storage and bandwidth to distribute “warez.”
Today, the World Wide Web is almost unrecognizable from its earlier form.
The majority of sites on the web are in fact applications (see Figure 1-2). They
are highly functional and rely on two-way flow of information between the
server and browser. They support registration and login, financial transactions,
search, and the authoring of content by users. The content presented to users
is generated dynamically on the fly and is often tailored to each specific user.
Much of the information processed is private and highly sensitive. Security,
therefore, is a big issue. No one wants to use a web application if he believes
his information will be disclosed to unauthorized parties.
Web applications bring with them new and significant security threats. Each
application is different and may contain unique vulnerabilities. Most applications
tions are developed in-house — many by developers who have only a partial
understanding of the security problems that may arise in the code they are
producing. To deliver their core functionality, web applications normally require
connectivity to internal computer systems that contain highly sensitive data and
that can perform powerful business functions. Fifteen years ago, if you wanted
to make a funds transfer, you visited your bank, and the teller performed the
transfer for you; today, you can visit a web application and perform the transfer
yourself. An attacker who compromises a web application may be able to steal
personal information, carry out financial fraud, and perform malicious actions
against other users.