Write a research report on the security concerns, issues and vulnerabilities of HTML, angularjs and CSS in web application projects. (500 words).

The present report addresses different security concerns of HTML, angularjs and CSS and how it can be reduced. HTML5 brings major functions and features that face potential security vulnerabilities such as flaws and invariability. Up to now, a significant real-world attack on HTML5 was not observed. Still, there are potential threats that promote vulnerabilities, issues and concerns. Some of the issues are cross-document messaging, local storage, attribute abuse, inline multimedia savvy, and input validation. HTML does not allow the process of passing one page from the domain to the other for the access of data. Javascript code is required to read the position of the mouse pointer in another page therefore, it requires a combination of javascript and HTML to work together. It works for the prevention of malicious site from the legitimate page and intercepting data. HTML5 does not provide origin check and in such cases, the careless developer might not reach the actual process of origin verification and leave the script exposed to the post message requests from the other malicious sites. HTML5 is the offline storage and client-side SQL that can be accessed by any javascript based web page. The existed virtue of third-party development under web applications.  The threat can trigger the automatic script execution. Another issue associated with HTML5 is multimedia savvy. The process browses developer to the implementation of the complex rendering of bugs (Weiss, 2010).

Angularjs is an open-source and front-end javascript framework and different angular applications are developed on the single page application (SPA). In case of angularJS, if the attacker has access to the control angularjs expression and template there are high chances that they can exploit an application through the XSS attack regardless of the version. Generation of angularJS templates on the servers contribute to the user-provided content. That generate HTML through the server-side engine such as ASP NET, Java, and PHP.  The angular separates the online scripts of javascript CSS, and HTML that is compatible with the inline scripts. Another issue of the javascript happens when the malicious payload can manipulate to the cause of code execution. The issues of angularjs include expression and templates for the sandbox removal, HTTP requests that are cross-site request forgery (XSRF/CSRF) with the JSON hijacking protection, strict contextual escaping and other local caches. The attackers with the local access can then retrieve the information and sensitive data from the cache even if the users are not authenticated. Strict contextual escaping (SCE) in the angularJS mode requires binding by rendering arbitrary content. The simplest version of third-party attach is cross-site scripting (XSS) attacks (Docs. angularjs. org, 2020).

Some major CSS concerns are visited link, keyloggers, data thief, and inline system block whoopsie. The report provides tickling information about the issues, concerns, and vulnerabilities. The value attribute in CSS does not change the framework and the CSS powered keylogger could have access. Another issue of CSS authentication is that the site displays sensitive information from the social security number (SSN) from the prefilled form. If the CSS form customization faces issues than it is due to the attack vector. It could close the style tag, open script tag and nefarious javascript.    

1- Write a research report on database vulnerabilities (Firebase Database) that can be exploited against web applications, including any security issue. Include recommendations and suggestions of a database system which can be a good replacement of Firebase. (500 words).

Firebase is the web and mobile application development platform that was developed by firebase Inc. In 2011 and they google acquired it in 2014. The firebase is the Realtime database URL that is accessible to the REST endpoint. The only single step to access is to append.Json at the end of the URL and then forward a request to the favourite HTTP client. In this way, it becomes easy to access the real-time database. The firebase database URL is accessible without any requirement of authentication and database contains sensitive information. The main recommended use restricts the access of the database and the user can access it after ignoring the alert. If the database contains the sensitive information, the users are recommended to implement restrict access on the database. The related vulnerabilities include .rlogin services running, charge service running, oracle database listener, SSL certificate key issues, and web cache poisoning. The chargen services run on the host and intended for measurement and testing with the TCP and UDP protocols. The open TCP connection sent an arbitrary character to the server and connect to the host. The connection remains as long as the server host closes the connection. In case of UDP version, the protocol and server send a UDP packet that contains a random number of character and it receives the number to connect the host. The data received by the server can be thrown away and the chargen services can spoof the process of sending data from the service. The action results in an infinite loop that creates a denial of service attack. To reduce the issue or overcome the consequences the best solution is to disable the service. In this issue, the related vulnerabilities are that trace method is enabled, extended Unicode directory of IIS, insecure crossdomain .xml file and management console of JBoss JMX. The issue of Rlogin service running occurs with the services running on the host. The working of Rlogin is to allow the number of users to have a connection through the host network. The physical issue presented has several serious problems regarding security. The information such as password is transmitted unencrypted and become vulnerable to the interception. The protocol partly depends on the misuse of the password and login information. The corrupt client becomes able to forge the system and gain access to valuable information. The common practice of users is highly insecure as home directories through the NFS exposes the .rlogin attack by the means of fake .rhost files. It means that all the data and NFS (.rlogin) is automatically insecure once it has been used through rlogin. The recommended solution is that if the user is not using the service then disable it. Another solution is to replace rlogin with SSH and rlogin equivalent Slogin (Acunetix. com, 2020). 

Firebase database faces web cache poisoning issue that is due to the caching system. The manipulation of some specific inputs in the cookies and headers can be used in this process of third party attack. In such situations, it is possible to force the caching system as a response that contains user-controlled input. The cached response can be then served later to the victim and increase the possibilities of vulnerabilities. The solution is to use an HTTP response header that changes the key inputs and protect from the web cache poisoning. 

2- Write a business report on professional, legal, regulatory and ethical standards that should be followed by team members of a web application project. Include best practices in web application projects, code of ethics and conduct in web application projects. (500 words).  

The prime concern of the present report is to demonstrate the ethical, legal, professional, and regulatory standards that are required to be followed by the team members in the web application project or open web application security project (OWASP). Based on the type of project and web development, the report provides a complete code of ethics and code of conduct for the developers to be followed. We adhere the code of ethics and prefer honest client dealing all the time (Oreilly. com, 2020). As a professional web developer, the following code of ethics are required to be followed and to set the ethical guidelines that govern the business activities. 

1. The web developers are supposed to work honestly and fairly with the clients and make the efforts within budget and timeframe. 

2. It is important to ensure the abilities to complete the work and there should be no potential misleading of customers. 

3. The information of the client should be under privacy concern and do not distribute the information that can be deceptive, scandalous, defamatory, and libellous.

4. The information provided by the client will not be disclosed to the third parties except under some conditions that are specified in the privacy policy of the company. 

5. In any event, the client will be provided with an active account that must be working. All the information will be further delivered to the client to move their domain (Oreilly. com, 2020). 

6. The web developers are required to assure that they will not utilize any excessive and deceptive search engine optimization techniques. There will be no pop-up windows, pop-under windows and other intrusive technologies for advertisement.  

7. There will be no participation of web developer in the activity that cause artificial inflation of the website statistics for the generation of more revenues from the advertisement.

8. The web developer is required to use the simplest code that can provide the required outcome and they will utilize advanced scripting technologies. The use of advanced technologies is based on the type of work and it will be done after having the client in confidence. The only purpose of using advanced technologies is to enhance the visitor experience and site effectiveness (Acunetix. com, 2020).       

The common security vulnerabilities that web developers are supposed to be aware of are under the list of open web application security project (OWASP) that published a list of critical web application security flaws.  In the OWASP, top security flaws are considered that are listed below,

1. Sensitive data exposure 

2. Injection 

3. Broken authentication 

4. Cross-site request forgery

5. Missing function level 

6. Unvalidated forwards and redirects

7. Components with some unknown vulnerabilities

8. Insecure direct object   

9. Cross-site scripting

10. Security misconfigurations  

References of issues and vulnerabilities of HTML, angularjs and CSS in web application projects

Acunetix. Com, 2020. Rlogin service running. [Online] 

Available at: https://www.acunetix.com/vulnerabilities/web/rlogin-service-running/

Docs. Angularjs. Org, 2020. Security. [Online] 

Available at: https://docs.angularjs.org/guide/security

Oreilly. Com, 2020. Building web apps that respect a user’s privacy and security. [Online] 

Available at: https://www.oreilly.com/content/building-web-apps-that-respect-a-users-privacy-and-security/

Weiss, A., 2010. Top 5 Security Threats in HTML5. [Online] 

Available at: https://www.esecurityplanet.com/trends/article.php/3916381/Top-5-Security-Threats-in-HTML5.htm