Blog

Top 5 Most Dangerous Programming Mistakes

Top 5 Most Dangerous Programming Mistakes
1. Improper Input Validation
Ensure that your input is valid. If you’re expecting a number, it shouldn’t contain letters. Nor should the price of a new car be allowed to be a dollar. Incorrect input validation can lead to vulnerabilities when attackers can modify their inputs in unexpected ways. Many of today’s most common vulnerabilities can be eliminated, or at least reduced, with strict input validation.

2. Improper Encoding or Escaping of Output
Insufficient output encoding is at the root of most injection-based attacks. An attacker can modify the commands that you intend to send to other components, possibly leading to a complete compromise of your application – not to mention exposing the other components to exploits that the attacker would not be able to launch directly. When your program generates outputs to other components in the form of structured messages such as queries or requests, be sure to separate control information and metadata from the actual data.

3. Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
If attackers can influence the SQL that you send to your database, they can modify the queries to steal, corrupt, or otherwise change your underlying data. If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security.

4. Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
Cross-site scripting (XSS) is a result of combining the stateless nature of HTTP, the mixture of data and script in HTML, lots of data passing between web sites, diverse encoding schemes, and feature-rich web browsers. If you’re not careful, attackers can inject Javascript or other browser-executable content into a web page that your application generates. Your web page is then accessed by other users, whose browsers execute that malicious script as if it came from you — because, after all, it did come from you! Suddenly, your web site is serving code that you didn’t write. The attacker can use a variety of techniques to get the input directly into your server, or use an unwitting victim as the middle man.

5. Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
Your software acts as a bridge between an outsider on the network and the internals of your operating system. When you invoke another program on the operating system, and you allow untrusted inputs to be fed into the command string, you are inviting attackers into your operating system.

Source : codinghorror.com

Leave a Comment

Your email address will not be published. Required fields are marked *