Web Security Basics

Web security defends against common attacks — XSS (injected scripts), CSRF (forged requests), SQL injection (malicious input) — using output sanitisation, anti-forgery tokens, parameterised queries, and TLS for confidentiality.

Key formulas & points

Skim these first — then read the full notes below.

  • XSS: sanitise output; a Content Security Policy restricts script sources
  • CSRF: use SameSite cookies or anti-forgery tokens
  • SQL injection is prevented by parameterised queries

Topic details

Introduction

This topic covers protecting web applications. You study the major OWASP attack classes and their defences, how HTTPS secures data in transit, how CORS governs cross-origin requests, and how tokens like JWT carry authenticated identity.

Key relations & formulas

Formulas (Indian textbook notation)

  • HTTPS=TLShandshakeestablishingsymmetricsessionkeysHTTPS = TLS handshake establishing symmetric session keys

Formulas (Indian textbook notation)

  • CORScheckstheOriginheaderagainstAccessControlAllowOriginCORS checks the Origin header against Access-Control-Allow-Origin

Formulas (Indian textbook notation)

  • JWTstructure:header.payload.signature(Base64URL)JWT structure: header.payload.signature (Base64URL)

Notation and sign conventions

Relation 1 —
HTTPS=TLShandshakeestablishingsymmetricsessionkeysHTTPS = TLS handshake establishing symmetric session keys

Formulas (Indian textbook notation)

  • HTTPS=TLShandshakeestablishingsymmetricsessionkeysHTTPS = TLS handshake establishing symmetric session keys
Write this relation with symbols exactly as in Deitel Web Dev — Standard reference before substituting numbers. Examiners award partial marks for a correct setup even when arithmetic slips.
Relation 2 —
CORScheckstheOriginheaderagainstAccessControlAllowOriginCORS checks the Origin header against Access-Control-Allow-Origin

Formulas (Indian textbook notation)

  • CORScheckstheOriginheaderagainstAccessControlAllowOriginCORS checks the Origin header against Access-Control-Allow-Origin
Write this relation with symbols exactly as in Deitel Web Dev — Standard reference before substituting numbers. Examiners award partial marks for a correct setup even when arithmetic slips.
Relation 3 —
JWTstructure:header.payload.signatureJWT structure: header.payload.signature

Formulas (Indian textbook notation)

  • JWTstructure:header.payload.signature(Base64URL)JWT structure: header.payload.signature (Base64URL)
Write this relation with symbols exactly as in Deitel Web Dev — Standard reference before substituting numbers. Examiners award partial marks for a correct setup even when arithmetic slips.

Concept in depth

Most web vulnerabilities come from trusting untrusted input. Cross-site scripting injects attacker script into pages, defeated by escaping output and a content security policy that whitelists script sources. Cross-site request forgery tricks a logged-in user’s browser into sending an unwanted request, blocked by SameSite cookies or unpredictable anti-forgery tokens that the attacker cannot supply. SQL injection smuggles commands through input, prevented entirely by parameterised queries that keep data separate from code. Underlying confidentiality comes from HTTPS, whose TLS handshake negotiates symmetric session keys so traffic cannot be read or tampered with in transit, while CORS controls which origins a browser lets a page contact.

Assumptions and validity limits

State assumptions explicitly before using any relation for web security basics — steady state, uniform properties, linear elastic material, ideal gas, incompressible flow, etc., as applicable.
Wrong assumptions invalidate the entire solution even when the formula is correct. In Web Technologies viva and GATE descriptive questions, listing valid assumptions often earns separate marks.

Step-by-step problem approach

1. Read the question and list given data with SI units (common in Web Technologies papers).
2. Draw a neat labelled diagram where applicable — examiners in Indian universities award diagram marks even when arithmetic slips.
3. Identify which relation from this topic applies to web security basics.
4. Use equation 1:
HTTPS=TLShandshakeestablishingsymmetricsessionkeysHTTPS = TLS handshake establishing symmetric session keys
.
5. Use equation 2:
CORScheckstheOriginheaderagainstAccessControlAllowOriginCORS checks the Origin header against Access-Control-Allow-Origin
.
6. Substitute values, compute, and verify units and sign (direction).
7. State conclusion in one line — e.g. safe/unsafe, stable/unstable, feasible/infeasible.

Applications & exam relevance

Web Security Basics appears in web apps and REST APIs. In Indian it software curricula this topic is tested because it connects theory to front-end and back-end web stack.
GATE and semester exams often combine web security basics with earlier units — revise prerequisites before attempting mixed problems.
Industry interview panels sometimes ask: "Where did you use web security basics?" — answer with a lab, mini-project, or plant visit example if possible.

Common mistakes in exams

Students confuse XSS (script injection into the page) with CSRF (forged cross-site requests), think escaping input alone stops SQL injection (use parameterised queries), and assume HTTPS also prevents application-layer attacks like XSS (it does not). Misreading how SameSite cookies mitigate CSRF is common.

Quick revision checklist

Before attempting web security basics problems, confirm you can:
1. XSS: sanitise output; a Content Security Policy restricts script sources
2. CSRF: use SameSite cookies or anti-forgery tokens
3. SQL injection is prevented by parameterised queries
Revise the solved examples in Deitel Web Dev — Standard reference and one previous-year GATE or university paper for this unit.

Worked examples

Try the problem first — open the solution when you are ready to check.

Preventing SQL injection

Problem

A login query concatenates user input: "SELECT * FROM users WHERE name='" + input + "'". Why is this unsafe and what is the fix?

Solution

Input like ' OR '1'='1 alters the query logic to always match. The fix is a parameterised (prepared) query with a bound parameter, so the input is treated strictly as data, never as SQL.

Conceptual check — Web Security Basics

Problem

In a Web Technologies semester or GATE paper you are asked: "State the main assumption, the governing relation, and one practical consequence of web security basics." What should a complete answer include?

Exams & GATE

List the OWASP Top 10 categories for viva and GATE IT.

📖 Standard books (India)

  • Deitel Web DevStandard reference

    Read: Syllabus unit

    Referenced in Indian B.Tech syllabus