Common vulnerabilities in web application and the impact of an application firewall on their security

Spletne aplikacije so v današnjem času postale ključni del naših dejavnosti v vsakdanjem življenju, kot so na primer zabava, krajšanje časa, raziskovanje in poslovanje. Z vsemi omenjenimi dejavnostmi obstaja možnost, da pride do izkoriščanja teh spletnih storitev z znanimi tipi napadov. Glavni namen diplomskega dela je bil, spoznati deset najpogostejših tipov ranljivosti, predstavljenih v seznamu OWASP iz leta 2021. V sklopu zaključnega dela smo izvedli eksperiment, kjer smo ranljive aplikacije najprej predstavili in demonstrirali prisotno ranljivost, ter v nadaljevanju preizkusili vpliv aplikacijskega požarnega zidu imenovanega ModSecurity. Ugotovili smo, da aplikacijski požarni zid bolje ščiti pred pomanljkljivostmi, ki v zahtevah pošiljajo znano škodljivo in zlonamerno kodo, kot na primer vrivanje stavkov SQL ali ukazne kode. Ranljivosti, ki so povezane z zasnovo aplikacije in površnostjo pri postavitvi, pa v tem primeru niso bile zaščitene.Today, web applications have become a key part of our everyday activities, such as entertainment, shortening the time, research and business. With all these activities, there is a potential for exploiting these web services with known types of attacks. The main purpose of our thesis was to learn about the ten most common types of vulnerabilities presented in the 2021 OWASP list. As part of the thesis, we conducted an experiment where we first presented the vulnerable applications and demonstrated the vulnerabilities present, and further tested the impact of an application firewall called ModSecurity. We found that the application firewall better protects against vulnerabilities that send known malicious and harmful code in requests, such as injecting SQL statements or command code. However, vulnerabilities related to application design and sloppy deployment were not protected in this case