OWASP Web Security Basics

Before diving into specific attacks and defenses, you need a clear picture of how web applications work and where attackers strike. This topic builds that foundation.

How a Web Application Works

Every web application has three main parts working together:

  [ User's Browser ]
        |
        |  HTTP/HTTPS Request
        v
  [ Web Server ]  (e.g., Nginx, Apache)
        |
        |  Passes request to application logic
        v
  [ Application Server ]  (e.g., Node.js, PHP, Python)
        |
        |  Reads or writes data
        v
  [ Database ]  (e.g., MySQL, PostgreSQL)

When you visit a website, your browser sends a request. The server reads it, fetches data, and sends back a response. Every step in this chain is a potential target for an attacker.

The Three Things Security Protects

Confidentiality

Only the right people see the right data. Example: your bank balance is visible only to you, not to strangers.

Integrity

Data cannot be changed by unauthorized parties. Example: no one should be able to alter your transaction amount after you submit it.

Availability

The application stays up and running for legitimate users. Example: a shopping site stays online during a sale event, even under heavy traffic.

These three goals are called the CIA Triad, and every security control you will learn in this course protects one or more of them.

What Is a Vulnerability?

A vulnerability is a weakness in a system that an attacker can use to cause harm. Think of it like a cracked window in a house. The crack itself does not hurt anyone, but it gives a burglar a way in.

What Is a Threat?

A threat is any potential event that could exploit a vulnerability. The burglar walking down the street looking for cracked windows is the threat.

What Is Risk?

  Risk = Likelihood of attack  x  Impact if attack succeeds

A cracked window on the ground floor of a busy city street has high likelihood AND high impact — that is a high-risk vulnerability. A cracked window on a 40th floor has low likelihood — that is low risk even though the window is still cracked.

HTTP: The Language of the Web

Attackers exploit HTTP requests and responses constantly, so you need to recognize the basic structure.

A Simple HTTP Request

  GET /account?id=123 HTTP/1.1
  Host: bank.example.com
  Cookie: session=abc456

A Simple HTTP Response

  HTTP/1.1 200 OK
  Content-Type: text/html

  <html>Your balance is $500</html>

Attackers manipulate the URL parameters, headers, cookies, and request body to trick the server into doing something it should not.

Input Is the Root of Most Attacks

Almost every major web attack starts with untrusted input. When an application accepts data from a user and uses it directly — without checking it — attackers inject malicious commands disguised as normal data.

  Attacker sends:      ' OR '1'='1
  Application treats it as valid input
  Database executes:   SELECT * FROM users WHERE name='' OR '1'='1'
  Result:              All user records returned to attacker

Validating and sanitizing every piece of input is the single most impactful habit a developer can build.
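The following example is added here and is not code from the original page. It ties together the HTTP request shown above and the injection walk-through: it parses a constructed request like the one on this page, allow-list validates the `id` parameter, and then runs the page's `' OR '1'='1` payload against both a string-concatenated query and a parameterized one. All function names, the in-memory SQLite database standing in for the bank's real database, and the two sample user rows are assumptions made for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, modelled on the one shown in this lesson.
SAMPLE_REQUEST = (
    "GET /account?id=123 HTTP/1.1\r\n"
    "Host: bank.example.com\r\n"
    "Cookie: session=abc456\r\n"
    "\r\n"
)

# The injection string from the lesson, exactly as an attacker would submit it.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(123, "alice", 500), (124, "bob", 900)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the input is glued into the SQL text, so quotes in the
    input change the meaning of the statement (the lesson's injection)."""
    sql = "SELECT * FROM users WHERE name='" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: a parameterized query sends the value separately from the
    SQL text, so the database only ever compares it as data."""
    return conn.execute("SELECT * FROM users WHERE name=?", (name,)).fetchall()


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query params, headers."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        key, value = line.split(":", 1)
        headers[key.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    return method, parts.path, query, headers


def account_id_from_request(raw):
    """Allow-list validation: the id parameter must be digits only.
    Anything else (including the injection payload) is rejected before it
    can reach the database."""
    _method, _path, query, _headers = parse_request(raw)
    value = query.get("id", [""])[0]
    if not value.isdigit():
        raise ValueError("id must be a positive integer")
    return int(value)


if __name__ == "__main__":
    conn = make_db()
    print("validated id:", account_id_from_request(SAMPLE_REQUEST))
    print("vulnerable query returned", len(lookup_vulnerable(conn, INJECTION_PAYLOAD)), "rows")
    print("parameterized query returned", len(lookup_safe(conn, INJECTION_PAYLOAD)), "rows")
```

Running the block shows the contrast the lesson describes: the concatenated query returns every user row for the injected input, while the parameterized query returns none because the payload is treated as a literal (and nonexistent) name. Validation happens before the query is built, which is the habit the paragraph above recommends.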

HTTPS vs HTTP

HTTP sends data in plain text. Anyone on the same network can read it. HTTPS encrypts data in transit so eavesdroppers see only gibberish. Always use HTTPS for any site that handles user data.

Key Takeaway

Web security protects the browser-server-database chain. Most attacks exploit untrusted input. The CIA Triad — confidentiality, integrity, availability — is the goal every defense works toward.
