Common Security Mistakes in Web Apps

by Asim K
When creating a website, especially one that is either controversial or receives a lot of hits, one is entrusted with keeping the website secure. Beyond just getting the website up, one has to worry about a multitude of issues, including general security on the web. Is user data safe? Can an attacker plant fake data on your website? These are just some of the questions author Philip Tellis raises at Smashing Magazine. The first security mistake mentioned is Cross Site Scripting (XSS). This is when an attacker gets their own script onto a page of the victim website, so that it runs in other visitors' browsers with the site's privileges; the code runs in the user's browser, not on the server. The second is Cross Site Request Forgery (CSRF), where a malicious website tricks a logged-in visitor's browser into sending a request that performs an action on the victim site. The third valuable tip is Clickjacking, where a victim site's buttons are loaded invisibly over (or under) another page so that users click them and submit actions they never intended. The fourth is most relevant to our class: it is SQL Injection. SQL injection is a method in which an attacker supplies input to the website that ends up being interpreted as part of a SQL query, giving them control over what the database server runs. SQL injection can even give the attacker the power to run any SQL statement they want on your database server, including DROP TABLE, which deletes a table and all the information in it. Similar to this is Shell Injection, where user input is passed into a system command without being sanitised, letting the attacker run their own commands on the web server. The last and most popular is Phishing, which is creating scam websites that imitate a real site in order to capture users' credentials.
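The SQL injection mistake described above, as an added example that is not part of the original article or of Tellis's text: a login check that pastes user input into the query text, beside the parameterised version that fixes it, both run against a small in-memory SQLite table. The `users` table, the accounts in it and the two attacker payloads are all constructed here for illustration.

```python
import sqlite3

# Constructed sample data for this example (not from the article): a tiny
# users table kept in memory. Passwords are stored in clear text only to keep
# the demonstration short; a real application would store salted hashes.
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Create an in-memory SQLite database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The mistake: user input is concatenated into the SQL text.

    Whatever the user types becomes part of the statement, so a quote in the
    input ends the string literal early and the rest is parsed as SQL.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """The fix: a parameterised query.

    The SQL text is fixed; the driver sends the values separately, so a quote
    or comment marker in the input is just characters to compare against.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Two classic payloads (constructed for this example).
# 1. Comment out the password check. The vulnerable query becomes
#    ... WHERE username = 'alice'--' AND password = 'whatever'
#    and SQLite ignores everything after the "--".
COMMENT_PAYLOAD = "alice'--"
# 2. Tautology. Because AND binds tighter than OR, the query becomes
#    ... WHERE (username = 'nobody' AND password = '') OR '1'='1'
#    which is true for every row in the table.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo():
    """Run a legitimate login and both payloads against each version."""
    conn = make_db()
    results = {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "comment_vulnerable": login_vulnerable(conn, COMMENT_PAYLOAD, "whatever"),
        "comment_safe": login_safe(conn, COMMENT_PAYLOAD, "whatever"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "tautology_safe": login_safe(conn, "nobody", TAUTOLOGY_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

The vulnerable version logs the attacker in as alice with the comment payload and returns every account with the tautology payload; the parameterised version returns nothing for either, because the payload is compared as a literal username or password. One caveat on the DROP TABLE case from the text: Python's sqlite3 module refuses to run more than one statement per execute() call, so a stacked `'; DROP TABLE users; --` payload would be rejected by this particular driver, but many other database drivers and servers do execute stacked statements, and parameterised queries are the defence in both cases.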

When I was in High School, I had an acquaintance who, it seemed, was vehemently active in the online hacking community. During sophomore year, I joined his online hacking community because, at the time, I thought hackers were some of the coolest people on the planet. To create with permission is one thing, but to destroy regardless of permission is another: it is a display of one's power. One of the basic hacking techniques he explained to me was SQL injection. At the time, I had no idea what a database was or what SQL was, so it was tough for me to grasp the concepts. Although I tried to learn, I felt like I was trying to land further than I could jump, and going at a pace that was too advanced for me – what eventually happened is that the online community broke apart and I lost interest. The scary part was that most of the people who were involved in the online community were high school students. These guys were passionate about their hacking, and to think a high school student could take down a large-scale website is scary indeed, especially with the amount of information available freely about hacking online. This Smashing Magazine article, for example, could be used for either good or bad. Ultimately it depends on the user's intentions.

Tellis, P. (2010, October 18). Common security mistakes in web applications. Retrieved from