P1 Concept of Web Application Development

P1.1 Critically Evaluate the Functions and Advantages of Web Applications

Web applications are software programs or logically related interactive functions that fulfill a particular business requirement and are stored on remote servers and are accessible over client computers via web browser interface. These can be a combination of browser supported website design programming language like JavaScript, HTML and CSS etc and require web browser to render the application. Examples of web applications are: www.Google.com, www.gmail.com, www.facebook.com, www.yahoo.com, www.flipkart.com, .com, www.ebay.com, www.jabong.com, wordpress, mediawiki, zencart, joomla, cakephp, www.draw.io etc.
Functions of web applications are:

A web application is comprised of multiple components. These components are included within the web applications based on the scope of the application. E.g. – Payment module (with SSL integration), email component, various forums etc.

One application can provide access to multiple applications. Google can provide access to Gmail, Google docs, you tube, Google maps, Google play store, Google news, Google drive, Google calendar etc.

Major advantages of web applications are:

Web applications are easy to use and are a very good medium to channelize sales and promote business. Anyone with basic knowledge of internet can access the web application.

These applications are easy to develop in substantially less time with various content management system.

With availability of internet web applications can be accessed anywhere and on any of the devices like computers, mobile phones, tablets, ipod’s etc.

Websites are easily customizable as per our needs, user requirements and interest. It is easy to change the look and feel of the application, content can be customized to get displayed on any device.

We do not require to install web application. They can be directly run from client browser.

Web applications are easier to maintain as these are installed on web server and can be accessed via web browsers on various client computers.

We need to apply certain security measures over web applications. There must be proper antivirus scanning of the software over web server.

Web applications can be developed by making use of any of the core technologies like JAVA, ASP.NET, PHP, C++, C#, Ruby on rails etc. or any of the CMS like magento, wordpress, cakephp, joomla etc. for PHP applications.

We can easily increase and enhance the web application by increasing the number of web pages.

(definition/Web-application-Web-app, 2015)
(blog/the-benefits-of-web-based-applications.htm, 2015)
(advantages-disadvantages-using-webauthoring-application-27288.html, 2015)

P1.2 Compare Various Types of Client Side and Server Side Scripting Languages

There are lot many differences in client side and server side web applications. They can be differentiated as follows:

Client Side Scripting Language

Server Side Scripting Language

Client side scripting languages are used to add functionality to the website and make interactive web pages.

Server side scripting languages are used to develop, structure or create the website itself. In PHP there are various CMS (Content management systems like Joomla, cake PHP, Wordpress etc.) available to structure the web application.

Client side programming is the name given to all the scripts that run on client browser.

All the scripts that run on web server are called as server side scripting languages.

The client sends request to web server (e.g. – www.yahoo.com) on behalf of user.

Web server acknowledges the request sent by the user and provides client with some meta data (intermediate data) like page headers and source.

Client side scripting languages do not interact with permanent storage. These interact with local storage like cookies etc.

Server side scripting languages are used to interact with permanent storage like database files etc.

Web browser needs to be script enabled to run these scripts on client computer.

There is no need to enable script over servers.

The source code moves between web server to user’s computers and then runs on web browser.

Script runs directly on web server, HTML pages are generated. This HTML is sent to client browser. An example is interactive websites where user input gets saved in database. Like sign up / login forms.

Examples are: Cascading style sheets (CSS), JavaScript, HTML (Hyper text markup language)

Examples are: Sun-micro systems Java, open source PHP, Microsoft’ ASP.NET, c#, Ruby on rails, visual basic, c/c++ , Delphi, Perl etc.

(Interviews/answer/7393/explain-the-difference-between-client-side-script-and-server, 2015)

P1.3 Discuss Security of Web Applications and Give Suggestions for Improvement

Internet has become common medium of doing business and sharing of information. To keep our application secure and less vulnerable to hacking, a programmer must follow certain habits to protect their application from attack:
Validation – A programmer must always apply some validations to their software to avoid anonymous user input. Both server side as well as client side validations must be applied to make the application more robust and safeguard the application from incorrect or invalid user input. In case of PHP applications you must put validations in JavaScript as well as in PHP. It might happen that user turns off scripting in browser so the client side validations can be bypassed. It is therefore essential to put validations in PHP as well.
Cross Site Scripting (XSS) attacks – Attackers sometimes try to inject pieces of malicious code or script in vulnerable web pages. These script either corrupt the entire software program or provide access to the hackers. Such scripts might also redirect the user to phishing website or bad webpage. strip_tags() must be run to remove all the input tags and htmlentities() must be applied to all the data when data is getting executed in browser.
Cross Site Request Forgery Attack – In such kind of attacks, hackers trick the users to make some transaction without their knowledge or trick them to load sensitive information. Eg. In the codes where programmers make use of GET requests. To avoid this there must be some token associated with post request. During login the application must generate this token and store it in session. Whenever any form gets displayed on screen that requires user input, the token must be provided there as hidden input field and must be validated by the application logic.
Error Message – Programmers of software must make use of generic passwords and must not display all the information in one message. Like ‘Username or password incorrect’ instead of ‘username incorrect’ or ‘password incorrect’.
Protect Session Data – Never store sensitive information like passwords and credit card numbers in session as it is always written in temporary file. Best practice is to encrypt the data stored in session. SessionHandlerInterface can be implemented for session persistence in PHP5.4 and above.
Guessing password: Hackers might apply simple tricks to guess passwords if they know administrator or have an idea about database names. Password must be strong enough and must be at least 8 characters long and must be a combination of alphabets, numbers and special characters. Avoid making use of your name as password and generic things around as password as they can be guessed easily.
SQL Injection attack – By making use of SQL injection, useful information can be accessed from the database by attackers. Hackers try to find that area in web application that is not filtered for escape characters. They inject something like ‘/=) or 1=1’ and connect with the database and fetch useful information.
Spoofing: It is possible to create exact replica of the website and lure the users to enter their confidential information into it. There are many hoax emails used by hackers for stealing user information.
Even if you think that your website does not contain any important information that may be useful for hackers, still you have to be careful while building and maintaining them as web applications are never secure enough over internet and are compromised most of the time. Some measures must be taken to safeguard our online application from malicious attacks:
Updation of antivirus: Antivirus software definition must be updated from time to time and executed over web server to safeguard the web application.
Secured Socket Layer (SSL) certification: Secured socket layer is a standard security technology protocol which is used to safeguard the applications over internet. These establish an encrypted link between web server and web browser. While passing confidential information between web server and website or web browser over client computer, it is good practice to make use of secured socket layer.
Secure File upload: Programmers must design their websites in such a way that they must not allow uploading executable files / HTML files as they might contain malicious scripts which might open up complete website when executed on server.