This final lesson synthesizes everything we've learned (HTTP, HTML, JavaScript, web servers, databases, and authentication) into a comprehensive understanding of how modern web applications are architected. Understanding the full architecture is what separates a script kiddie from a professional security tester: you need to see the whole picture to find vulnerabilities that span multiple layers.
Most web applications follow a three-tier architecture pattern, separating concerns into distinct layers:
```text
┌────────────────────────────────────────────────┐
│  PRESENTATION TIER                             │
│  (Browser / Client-Side)                       │
│  HTML, CSS, JavaScript, SPA Frameworks         │
│  XSS, CSRF, Client-Side Logic Bypass           │
├────────────────────────────────────────────────┤
│  APPLICATION TIER                              │
│  (Server / Business Logic)                     │
│  Node.js, Python, Java, PHP, Go, .NET          │
│  SQL Injection, Auth Bypass, IDOR, SSRF        │
├────────────────────────────────────────────────┤
│  DATA TIER                                     │
│  (Database / Storage)                          │
│  MySQL, PostgreSQL, MongoDB, Redis             │
│  Data Exposure, Privilege Escalation           │
└────────────────────────────────────────────────┘
```

Applications can be structured as a single monolithic codebase or split into microservices. Each approach has different security implications:
| Aspect | Monolithic | Microservices |
|---|---|---|
| Structure | Single deployable unit | Multiple independent services |
| Communication | In-process function calls | HTTP/gRPC calls, message queues |
| Attack Surface | Single entry point | Multiple API endpoints |
| Vulnerability Impact | One breach = full access | Blast radius may be limited |
| Security Complexity | Simpler to secure perimeter | Complex inter-service auth |
| Common Issues | Tightly coupled, hard to patch | Service discovery, API gateway misconfigs |
Let's map out a typical modern web application and identify the security-relevant components at each layer:

```text
User's Browser
      │
      ▼
[CDN / WAF] ──────────── DDoS protection, caching, bot detection
      │
      ▼
[Load Balancer] ──────── Distributes traffic, TLS termination
      │
      ▼
[Reverse Proxy] ──────── Nginx/Apache, URL rewriting, rate limiting
      │
      ▼
[Application Server] ─── Express/Django/Spring: business logic
      │          │              │                 │
      ▼          ▼              ▼                 ▼
   [Cache]   [Database]   [Message Queue]   [Object Storage]
    Redis     MySQL/PG    RabbitMQ/Kafka     S3/Blob: files,
                                             images, backups
```

Each component in this stack is a potential attack target. A comprehensive security assessment must consider every layer, from the CDN configuration to the database permissions. Missing any layer means missing potential vulnerabilities.
Most modern web applications expose RESTful APIs that the front-end (or mobile apps) communicate with. REST APIs use HTTP methods to perform CRUD (Create, Read, Update, Delete) operations on resources identified by URLs.
RESTful API Design Pattern:

```text
GET    /api/users            List all users
GET    /api/users/42         Get user with ID 42
POST   /api/users            Create a new user
PUT    /api/users/42         Replace user 42 entirely
PATCH  /api/users/42         Update specific fields of user 42
DELETE /api/users/42         Delete user 42
GET    /api/users/42/orders  Get orders for user 42
```

REST APIs are a primary target for security testing. Common vulnerabilities include IDOR (accessing /api/users/43 when you're user 42), mass assignment (sending extra fields like "role": "admin" in a PATCH request), and broken authentication on API endpoints.
Modern applications implement security at multiple layers; this is called Defense in Depth. No single control is perfect, so multiple overlapping controls provide resilience: a WAF rule may miss a payload that parameterized queries still neutralize, and a missed authorization check may still be caught by database-level permissions and alerting.
The OWASP Top 10 is the most widely recognized list of critical web application security risks. Everything in this course maps to one or more OWASP Top 10 categories:
| OWASP Top 10 (2021) | Related Course Topics |
|---|---|
| A01: Broken Access Control | Authentication, HTTP methods, IDOR |
| A02: Cryptographic Failures | HTTPS/TLS, password hashing, JWT security |
| A03: Injection | SQL Injection, NoSQL Injection, Command Injection |
| A04: Insecure Design | Architecture patterns, threat modeling |
| A05: Security Misconfiguration | Server headers, default configs, cloud metadata |
| A06: Vulnerable and Outdated Components | External scripts, outdated libraries |
| A07: Identification and Authentication Failures | Session management, MFA, password policies |
| A08: Software and Data Integrity Failures | CI/CD security, SRI, unsigned updates |
| A09: Security Logging and Monitoring Failures | Security monitoring, incident detection |
| A10: Server-Side Request Forgery (SSRF) | Cloud metadata, internal network access via web apps |
To tie everything together, let's trace a realistic attack scenario across the entire architecture:
Scenario: Attacker targets a banking web application
1. RECONNAISSANCE
- Identifies the app uses React SPA + REST API
- Discovers API endpoints via browser DevTools Network tab
- Finds server: nginx/1.18.0, framework: Express.js
- Identifies the API: /api/v1/accounts/{id}/transfer
2. AUTHENTICATION ATTACK
- Creates account, analyzes JWT tokens
- Discovers JWT uses RS256 but server accepts HS256
- Forges admin token using the public key as HMAC secret
3. AUTHORIZATION BYPASS (IDOR)
- Using the ordinary user token, calls /api/v1/accounts/1234/transfer on the attacker's own account
- Changes the account ID to 5678 and the call succeeds: the server checks that the caller is authenticated but not that they own the account (IDOR vulnerability)
- Can transfer money from any account
4. DATA EXFILTRATION
- Uses forged admin token + IDOR to enumerate all accounts
- Exfiltrates data via the API responses
LESSONS: This attack chain spans HTTP analysis, JWT
cryptography, authentication, AND authorization.
Understanding the full architecture is essential.

This course has given you the foundation. The next steps in your learning path are: Web Application Penetration Testing (hands-on offensive security), Secure Coding Practices (defensive security), and specialized topics like API security, cloud security, and mobile app security.
As you move forward in your security career, remember the fundamental principles covered in this course.