Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 04. Web Foundations / 06. Backend

Backend

The backend is the portion of an application that executes on the server.

Unlike the frontend, which runs inside the user's browser, backend code executes on systems controlled by the organization hosting the application.

Users never directly see backend code. Instead, they interact with it indirectly by sending requests.


What Does The Backend Do?

Backend applications are responsible for:

  • Processing requests
  • Performing business logic
  • Authenticating users
  • Accessing databases
  • Communicating with other services
  • Generating responses

Example:

A user clicks:

<button>Login</button>

The browser sends:

POST /login

The backend:

  1. Receives the request
  2. Validates credentials
  3. Queries the database
  4. Creates a session
  5. Returns a response

Frontend vs Backend

FrontendBackend
BrowserServer
HTMLApplication Code
CSSBusiness Logic
JavaScriptAuthentication
User ControlledServer Controlled

The frontend gathers information.

The backend makes decisions.


Common Backend Technologies

Backend applications can be written in many programming languages.

Common examples include:

TechnologyLanguage
ASP.NETC#
SpringJava
FlaskPython
DjangoPython
ExpressJavaScript
FastAPIPython
GinGo

Although the technologies differ, they all perform roughly the same tasks.


Example Request Flow

A user visits:

https://portal.corp.local/profile

Browser:

GET /profile

↓

Web Server

↓

Backend Application

↓

Database

↓

Response Returned

The backend may retrieve information from multiple sources before generating the final response.


Backend APIs

Modern applications often expose APIs.

Instead of returning HTML pages, they return data.

Example:

GET /api/users/1

Response:

{
    "id": 1,
    "name": "Operator"
}

The frontend then renders that information to the user.

Many modern applications are little more than a frontend consuming backend APIs.


Why Operators Care

Most impactful web vulnerabilities ultimately exist within backend functionality.

Examples include:

  • SQL Injection
  • Command Injection
  • Authentication Bypass
  • File Upload Vulnerabilities
  • Path Traversal
  • Server-Side Request Forgery (SSRF)
  • Insecure Direct Object References (IDOR)

Although the frontend may expose the functionality, the vulnerability usually exists within backend logic.


Trust Boundaries

One of the most important concepts in web security is understanding trust boundaries.

The backend should assume that every request received from a user may be malicious.

Anything originating from the client should be treated as untrusted input.

Examples include:

  • Form fields
  • Cookies
  • HTTP Headers
  • URL Parameters
  • Uploaded Files
  • JSON Data

A secure backend validates all input before using it.

However, this does not remove the need for frontend validation as well!


Backend Compromise

If an attacker successfully compromises a backend application, they may gain access to:

  • Sensitive data
  • Credentials
  • Internal services
  • Databases
  • Source code
  • The underlying operating system

Many real-world intrusions begin with a vulnerable backend application.


Key Principle

The frontend presents information.

The backend makes decisions.

Security controls should be enforced by the backend, not by the browser.