
I am a web app developer, and recently one of my apps was hacked. I wanted to know what the possible kinds of attacks on web applications are (in detail) and the methods for preventing them.

What have I tried?:

I know about many attacks and try my best to secure the apps from those. Currently I use this as my security reference while developing web apps.

Can someone recommend any other, better links with detailed explanations of web app security?

gopi1410

2 Answers


OK, well, there's tons of stuff on OWASP, so I'd strongly encourage you to explore their site more. Maybe one of their chapters is close to you; you could attend one of their meetings, as they're free.

Here are a few good threads from this forum that have tons of information -

I'd also consider installing vulnerable web applications like WebGoat and DVWA to learn from them.

There's loads of excellent information and cheat sheets here, but sadly RSnake doesn't post any more.

SANS has an appsec blog here as well.

Finally and by no means least, I'd have a long look at the Secure Development stuff from @securityninja.

That should be enough to get started.

Mark Hillick

Web app security is a huge area. There are hundreds of possibilities and tools to hack a web application. As you are a developer, here is a quick high-level classification of the issues.

  • Flaws in web app design and framework - This is my favorite; most of the web app issues I discovered come from this one reason, and these are specific to the web app. Each of these issues can be unique and only applicable to this one app. Just a poor design of an application can cause smaller issues like these that have larger consequences: data leakage; poor app configurations and web structure; poor access control and accountability - unauthorized/unrestricted access across the web app to various data; system information disclosure for enumeration; unsecured content and cross-domain, cross-system access; user activity and work/process flow enumeration; poor security on web services (WSDL/SOAP); flaws in session and request handling; parameter overflows causing DoS or remote code execution. These might seem like low-risk items, but they can lead from one to another and possibly offer an easy hack that doesn't require any smart exploitation.

  • Injections - SQL, LDAP, etc.: back-end databases require queries to read/write data, and certain parameters of these queries (even an entire query) can contain a user's direct malicious input. The simple way to stop this is input validation. There are a lot of study resources on this.

  • Tampering/altering parameters and requests - XSS, CSRF, session reuse/hijack, etc. are basically a malicious user providing unexpected input. Validate every input, everything, to easily avoid this.

  • Web server issues - This is on the system that runs the web app; any misconfiguration and flaws in the web server process can possibly cause buffer overflows, DoS, etc.

Majoris