Are Pro Web Developers somewhat under-informed?
Posted on June 11th, 2007 by kushal
I was over at a Microsoft User Group conference the other day and was pretty amazed at one of the presentations. It was entitled “Hacking websites for fun and profit”
It was about (what seemed to me to be) pretty basic stuff. Things like:
- Don’t rely on JavaScript-based client-side validation.
- Don’t rely on HTML-based client-side validation (things like the MAXLENGTH attribute on textboxes).
- Avoid XSS attacks by HTML-encoding your data when displaying it, especially if it’s user-entered.
- Escape (or better, parameterise) data that you will be concatenating into an SQL statement to avoid SQL injection attacks.
- When it comes to data that is your own (e.g. the price of a certain item in a shopping cart app) as opposed to data entered by the user (e.g. how many items the user wishes to buy), don’t rely on form-based or query-string-based data, as these can be changed just by using a tool like Fiddler, or by saving the HTML locally and editing it.
- Don’t rely on HTTP headers like Referer (sic) for any kind of validation.
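To make the list concrete, here is a small checkout handler that does on the server everything the list says not to leave to the browser. This is an added example written for this post, not code from the presentation or from Microsoft; the in-memory sqlite3 catalogue, the field names (`sku`, `qty`, `price`, `gift_note`) and the MAX_QTY limit are all made up for illustration.

```python
import html
import sqlite3

MAX_QTY = 100  # the same limit the form's MAXLENGTH/JavaScript tries to enforce (assumed)


def make_db():
    """Constructed in-memory catalogue standing in for the shop's own data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [("A100", "Widget", 1999), ("B200", "Gadget <deluxe>", 4999)])
    return db


def parse_quantity(raw):
    """Re-validate on the server. Returns an int, or None if the value is not a
    positive integer within range, whatever the browser-side checks claimed."""
    try:
        qty = int(raw)
    except (TypeError, ValueError):
        return None
    return qty if 1 <= qty <= MAX_QTY else None


def find_product_vulnerable(db, sku):
    """The mistake: concatenating user input into SQL. A sku of
    ' OR '1'='1 makes the WHERE clause always true and returns every row."""
    query = "SELECT sku, name, price_cents FROM products WHERE sku = '" + sku + "'"
    return db.execute(query).fetchall()


def find_product(db, sku):
    """The fix: a bound parameter; the driver never lets the value become SQL."""
    return db.execute("SELECT sku, name, price_cents FROM products WHERE sku = ?",
                      (sku,)).fetchone()


def checkout(db, form):
    """form is the dict of fields the browser submitted. Only 'sku', 'qty' and
    'gift_note' are consulted: a submitted 'price' is ignored because price is
    our data, not the user's, and request headers such as Referer are never
    looked at for validation."""
    qty = parse_quantity(form.get("qty"))
    if qty is None:
        return {"error": "bad quantity"}
    product = find_product(db, form.get("sku", ""))
    if product is None:
        return {"error": "unknown product"}
    sku, name, price_cents = product
    total = price_cents * qty
    # HTML-encode anything that goes back into a page: the user's note, and the
    # catalogue name too, since it contains '<' and was typed in by somebody.
    page = ("<p>{} x {}: {} cents</p><p>Note: {}</p>"
            .format(qty, html.escape(name), total,
                    html.escape(form.get("gift_note", ""))))
    return {"sku": sku, "qty": qty, "total_cents": total, "html": page}


if __name__ == "__main__":
    db = make_db()
    print(find_product_vulnerable(db, "' OR '1'='1"))   # every row comes back
    print(find_product(db, "' OR '1'='1"))              # None: the quote is just data
    print(checkout(db, {"sku": "A100", "qty": "3", "price": "1",
                        "gift_note": "<script>alert(1)</script>"}))
```

The submitted `price` of 1 never reaches the total; the server recomputes it from its own table. Note that the parameterised query is the real defence against injection: escaping by hand, or moving the concatenation into a stored procedure that builds dynamic SQL, leaves the same hole.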
I was hoping for somewhat more from the presentation. In fact, it would be fair to say I was quite disappointed. Almost everything he said seemed pretty basic to me. I mean, anyone other than an absolute script/HTML kiddie shouldn’t be making any of those mistakes.
Are paid professionals actually stupid enough to make such basic mistakes that it would warrant a whole presentation just on these fundamentals? (He was saying how he’s been making several presentations on the same subject all over the place. And this was a conference arranged for professionals .. certainly not a bunch of n00bs.) Most of the audience seemed impressed. Well certainly not as unimpressed as I was.
So what’s going on?
I don’t mean to take anything away from the presenter Barry Dorrans, though.
EDIT:
BTW, if that sounds like I was saying that the presentation was ineffectual or a waste of time or something like that, it’s mostly because my writing skills are about as well developed as Craig Newmark’s aesthetic talent.
I was merely amazed that so many folks exist who make their living writing applications for the web, and yet don’t know this stuff. But, because that is a sad fact, (and also because not everyone is
June 12th, 2007 at 8:15 am
Sorry you didn’t get anything out of it.
The problem with going into more detail is it’s hard to give general advice that applies to everything, the more specific you get the less it applies to the majority of the audience. I could cover using “hacking” tools, but I honestly don’t feel that would be useful, without understanding why the problems occur.
Yes it was basic, but the mistakes are still made on a regular basis. Sure most people know about SQL Injection these days, but most people also believe that stored procedures solve that problem, which in some cases isn’t true.
Just because you’re a professional in one area, say database work, or middle tier doesn’t mean you know the problems of developing for the front end, or the web, hence the presentation, and the examples I gave (the MS store being a good one; you’d think MS would get their internal systems right, being professional et al.)
What would you rather have seen? What would have made it a useful presentation for you? Was the humour that bad? (It’s an interesting talk to give because people don’t ask questions that often until after when they can have a private word; hence the attempts at humour in order to get some sort of reaction; but yes, my humour is err, rather strange at times)
Feel free to drop me a mail, obviously I’m disappointed you felt the talk had no worth.
June 12th, 2007 at 10:58 am
(Wow, my first blog post and I already seem to have irked someone. I do find Internet-based bravado amusing and entertaining sometimes, but only when I am not the one engaging in it. Time to mend some bridges.)
Hi Barry, and thanks for your comment. And sorry if I sounded like I was neck deep in misguided geek pride of some sort.
As for your presentation, I guess if it was meant to be basic it could be called something like “Top 5 things every web developer should know” (That would probably be a big hit too considering what flies on sites like delicious or digg nowadays). That would also have been a measured, constructive comment on my part – something that I obviously have to take classes in.
Point taken also about professionals in one area as opposed to others etc. I guess I often get the feeling that folks who don’t know about web sites and developing for the Internet somehow think of web development as some sort of spare-time/pastime kind of thing. Similar to how ‘experienced’ developers felt about JavaScript before people like Douglas Crockford came along. This was really a rant directed at this “it’s easy” kind of attitude.
As for the sense of humour comment – that was a personal jab & I take it back. Different people find different things funny and even that varies depending on one’s mood or the presence/lack of nicotine in one’s bloodstream. Even within the conference hall there were many people who were constantly giggling (and yes, it was more a “with” sort of giggle as opposed to the “at” kind ) – so I am obviously not with the others here.
June 12th, 2007 at 11:12 am
Oh I don’t mind being slagged off; it’s more useful than praise. Normally we (as presenters) just get scores back, nothing about what would be more useful to you, just anonymous 1 ratings *grin*; hence my honest question. What would you like to have seen? What would have been useful to you? (If only because I’d enjoy doing a more in-depth presentation on some things if it helps.)
Your point is well taken about JavaScript; JSON scares me (if only because aggregation object creation is just not how I normally do things).
June 13th, 2007 at 12:28 am
You know, I actually didn’t fill out a feedback form
(I intended to, but they’d run out and said they’d have more later but I had to leave by then)
Anyway, even if I did, mine probably wouldn’t be anonymous and would certainly have had a higher rating than 1. (seriously)
As for what I would like to have seen ..
Well first, the XSS/SQL injection attack details and the other stuff you mentioned are important and are certainly worth more than just a fleeting mention.
I guess in addition, I would expect something like – How do you prepare your website to prevent D/DOS attacks. Or How to accept PIN numbers (for logging in, if you’re a bank for instance) but minimising the risk of exposing your PIN to a keylogger. (Maybe by displaying an online numeric keypad for example – with randomly positioned keys you click with your mouse)
Stuff like that I suppose.
Oh and the JavaScript thing – I’m not sure if this is what you meant, but you actually can “do” inheritance, hide data etc. (although, admittedly, they don’t make it easy for you).
But yeah, dealing with a prototype-based language can be a bit odd and you often have to jump through hoops to get something you would take for granted in normal languages.
But it’s still pretty interesting how JavaScript is perceived now as opposed to a couple of years ago … subject for my next blog post maybe.
June 13th, 2007 at 12:40 pm
Hmm, DDoS is probably infrastructure more than development. PIN numbers? Didn’t you attend the CardSpace presentation? :p
I shall have a think though, maybe an hour on “The internet is evil; some tips to keep your website alive?”
I regret now not covering event validation; where you can send fake postbacks to a page and trigger events on hidden controls. Much amusement for that one