loading
Loading content
loading
Also known as appsec, web app security
Web application security covers the controls that keep a browser-facing app and its APIs from being abused. The hard problems sit where the application trusts something it should not: user input that becomes a database query or HTML, a session token that can be stolen or forged, an access check that the server skips, or a server-side request that an attacker steers. Each gap maps to a class of bug with its own techniques and defenses.
The work matters because web apps are the front door to most organizations and they change constantly, so new code reopens old holes. Attackers reach them from anywhere, and a single injection or auth flaw can expose the whole backing data store.
The common flaw classes have their own entries: SQL injection when input reaches a query, XSS when input reaches the page, and SSRF when the server can be made to fetch attacker-chosen URLs. The OWASP Top Ten groups these and other categories into a reference most teams test against.
In a Trickest workflow you crawl an application, fingerprint its stack, and run targeted checks for each flaw class on a schedule, so regressions in newly shipped endpoints get caught instead of waiting for the next manual review.
Related terms