What Are Web Applications?

Welcome to the Uphack beginner’s Demistifying the Web course! In this first lesson, we introduce the concepts of web application and web browser, and answer to one of the most common questions for beginner ethical hackers: “Why should I start my information security career learning how to hack web applications?”. Let’s get started.

Prerequisites	None, but we recommend you watch this video on How the Internet works. It takes only 5 minutes!
Objective	To get familiar with the concept of web application, what it is useful for, and how it differs from a website.
TL;DR	Years ago, the Web was only used by a handful of universities and military organisations. Nowadays, web applications are a core asset of our society. A web application is a collection of dynamic webpages that can be accessed through a web browser (e.g., Google Chrome, Mozilla Firefox, Safari). A webpage is a document written in HTML, CSS, and Javascript. A website is a collection of static webpages. Therefore, it always shows exactly the same hardcoded content regardless of how the user interacts with the website. A web browser is a computer program whose job is to intermediate the communication between the user and web applications. Starting your career with web application security is an excellent decision as most of the penetration testing jobs focus on web security. Therefore, it shouldn’t be so hard to find a job if you are experienced in this area.

The Web has been around for more than 40 years, but it was not always as you know it today. A few decades ago, before gaining mainstream popularity, the Web was almost an insignificant technology used only by a handful of universities and military organisations. The first web applications were quite simple, but due to their widespread adoption, the early 2000s saw a shift to more and more complex web applications. Nowadays, they are an essential asset to our society. We use web applications for almost any imaginable purpose: to enrich our social life, to manage our finances, and even to vote for the leaders. But what exactly is a web application?

What is a web application?

Simply put, web applications are application accessible through the web that generates web pagesA web page, or simply a page, is a document that can be displayed in a web browser. Typically, they are written in HTML, CSS, and Javascript. dynamically, often based on user interactions. Basically, when you use your web browser, you are likely interacting with a web application. They are the most common way to make information and services available on the Internet.

And they are great for a number of reasons.

Availability

First, web applications are available 24/7, and portability is the best word to describe them. All you need is a web browser and an Internet connection, and you are ready to go. That simple, you can access thousands of domains and business from any device, regardless of your operating system. That’s awesome, right?

Easy to Maintain

They are easy to maintain from both a consumer and a business perspective. Web applications are stored on servers. Once you have changed the web application code on your server, those changes will be available in the very next second to all your visitors.

Reduce business costs

Web applications give businesses the ability to increase efficiency while reducing costs. That’s why they are the first choice for businesses willing to promote their services online.

Complexity

Nowadays, web applications can get incredibly complex in order to satisfy the needs of users.

Web application vs website. What’s the difference?

The terms web application and website refers to the same thing: a program that runs on a web browser. However, there is a difference between them. A website is a collection of static pages, while a web application consists of dynamic pages that allow the user to interact with the page (e.g., sign in, post a comment, etc.). Too abstract? Let’s have a look at their architecture to get a better picture.

The above diagram illustrates the basic architecture of a website. As you can see, the workflow is pretty simple: your web browser requests a static pageA static page is a web page that always returns the same hard-coded content from the server. from the web server. If the file exists, the web server responds with a success message and displays the content. Otherwise, if the file cannot be fetched, an error is returned (e.g., 404 Not found).

Figure 2 shows a more complex architecture. Not only the number of componentsdatabase, storage, web application itself, etc. has changed, but the entire workflow seems different. And indeed, it is different.

As we said previously, web applications generate pages on the fly, based on user input. To achieve this, they use HTML files that contain placeholders instead of actual data (templates). When a user sends an HTTP request, the server interprets the request (1) and forwards it to the web application (2). Next, web application fetches the appropriate data from the database, fills the placeholders in the HTML files (3), and returns the newly generated HTML file to the user (4).

What is a web browser?

Web applications use a client-server architecture where the browser is the client, and the application’s servers are the server.

The browser’s job is to intermediate the communication between the user and web application. It translates user requests into a “language”The web browser and server communicates through the HTTP Protocol. We will discuss more in a separate lesson. understood by the server and forwards messages back-and-forth based on user interactions.

Neither web server nor web client can achieve their purpose independently. Without a web server, the browser would have nothing to show you, while without the browser, a web server would not be able to serve you its content.

How web applications work?

Even though we already explored this process in the Web application vs. website section, we mainly focused on what happens at a micro-leveli.e., how dynamic web pages are generated.

Now, let’s take a look at how web applications work from a holistic perspective. The best way to understand this process is by example, so let’s suppose you want to visit google.com in your browser.

1. First, you type google.com in the address bar and hit enter.
2. Your web browser verifies if google.com is a valid domain name and initiates a connection with the web server.
3. The web browser sends your request to Google’s web server.
4. Google’s web server verifies your request and returns the requested information (this can be a page or some data) to your web browser.
5. Now, you can see Google’s home page in your browser.

Of course, this is an oversimplified explanation. There are many other processes behind the scenes, but we will discuss them in a further lesson.

Why shooting the Web?

Now you probably ask yourself why you should start your information security career learning how to hack web applications, right?

Shortly after the dot-com bubble, a significant number of businesses moved their activity on the Web, as the consumer use of the Internet became a possibility. This fast evolution required more complex web applications, which led to new security concerns. Once web applications started to store personal information, credit card data, and other sensitive information, they became a point of interest for fraudsters, too.

In 2019, web applications were responsible for more than a quarter of data breaches. The high value of data transferred through web applications makes them an important part of the overall security of a business.

Starting your career with web application security is an excellent decision for several reasons. Here are just a few of them:

• Most of the penetration testing jobs require web application security knowledge.
• The basics of web security are easier to learn compared to other areas such as malware analysis, exploit development, etc.
• Web applications are increasing in popularity.
• Nowadays, the number of web developers significantly outnumber security staff. Hence, there is a huge demand for web application testers.
• With modern methodologies such as Agile, web development occurs at near-light speed. However, short testing time allows many web vulnerabilities to reach the production environment.

Conclusion

The evolution of web applications has influenced how businesses are run nowadays. Since they handle data of millions of users, web applications must be secure. But in order to identify their weaknesses, you must have a comprehensive understanding of how they work, and how they don’t. In the next lessons, we will explore different architectures, technologies, and protocols used by web applications. Make sure you check them before getting into more technical concepts.