IJSRST173747 | Received : 10 Sep 2017 | Accepted : 19 Sep 2017 | September-October-2017 [(3) 7: 182-198]
© 2017 IJSRST | Volume 3 | Issue 7 | Print ISSN: 2395-6011 | Online ISSN: 2395-602X
Themed Section: Science and Technology
Major Web Application Threats for Data Privacy & Security
Detection, Analysis and Mitigation Strategies
Varun M Deshpande*1, Dr. Mydhili K. Nair2, Dhrumil Shah3
*1 PhD Student, Department of C.S.E., Jain University, Bangalore, India
2 Professor, Department of I.S.E., M S Ramaiah Institute of Technology, Bangalore, India
3 Application Security Specialist, Bangalore, India
ABSTRACT
In the context of information security, privacy and data security are inseparable, interdependent and complement each other. This is even truer in social networking and e-commerce, where users' personal data, including financial transaction data, is at stake. Web application security threats have posed several challenges to ensuring the data security of any web application hosted on the cloud. These threats have been evolving in severity and in the potential impact they cause to the service provider and to the users' personal data it hosts. The current work is an effort to educate readers about the major vulnerabilities among the security threats listed in the Open Web Application Security Project's (OWASP) top ten web security threats. We provide detailed guidelines on how to detect and analyse these vulnerabilities using tools such as Burp Suite. Recommendations and best practices for establishing a secure development life cycle and following secure coding practices are discussed at length to enable developers to mitigate and avoid these vulnerabilities in their applications at different stages of software development. This work is a timely and technically informative reminder for all service providers to build trustworthy solutions for secure cloud-based services, to move towards trusted computing, and to ensure the privacy and security of user data.
Keywords: Privacy, data security, digital identity, OWASP, web application threats
I. INTRODUCTION
A. Privacy and Security: Complementary Concepts
In the world of information security, the terms privacy and security are often used interchangeably. Although they are technically not the same, they are hugely interdependent and form the two faces of the coin named "information security". To illustrate this, consider a service provider that hosts large amounts of its consumers' personally identifiable information, such as financial transaction records and other personal information that ought to be kept private and reasonably safe. Suppose an external malicious agent can break into the service provider's servers and gain access to all of these user data records. He can then use them for unfair financial gain or even to cause harm to the users and the service provider. Private user information that had to be secured is now an asset of the hacker. Hence, data security is the doorkeeper of the fortress of data privacy. If the service provider's data security is breached, the private information stored on the server is vulnerable to data theft and loss of privacy.
Loss of privacy due to data security breaches has happened several times in the recent past, as highlighted by Varun M Deshpande et al. [6]. Yahoo (2016) announced that about 500 million of its user records were compromised. About 360 million records from MySpace (2016) were stolen by hackers. One concern with soft data is that, even after the data is stolen, it still exists on the hard drive, making it extremely difficult to proactively detect a data theft. Therefore, in some cases, the data theft is detected several months or years after the actual breach. For example, Dropbox recently discovered that about 70 million user records had been compromised years earlier, back in 2012. Even LinkedIn reported in 2016 that it had undergone a data breach in the year 2012, when 6.5 million passwords were stolen.