Are Pro Web Developers somewhat under-informed?

Posted on June 11th, 2007 by kushal

I was over at a Microsoft User Group conference the other day and was pretty amazed at one of the presentations. It was entitled “Hacking websites for fun and profit”.
It was about (what seemed to me to be) pretty basic stuff. Things like:

  • Don’t rely on JavaScript-based client-side validation.
  • Don’t rely on HTML-based client-side validation (things like the MAXLENGTH attribute on textboxes).
  • Avoid XSS attacks by HTML-encoding your data when displaying it – especially if it’s user-entered.
  • Escape data that you will be concatenating into an SQL statement to avoid SQL injection attacks.
  • When it comes to data that is your own (e.g. the price of a certain item in a shopping cart app) as opposed to data entered by the user (e.g. how many items the user wishes to buy), don’t rely on form-based or query-string-based data, as these can be changed just by using a tool like Fiddler, or just by saving the HTML locally and editing it.
  • Don’t rely on HTTP headers like Referer (sic) for any kind of validation.
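The list above worked through in code, as an added example that is not from the post or from the presentation. It assumes a tiny shop with a server-side catalogue, an in-memory SQLite table and a form submission in which the hidden price field was edited in a local copy of the page; all names and values are constructed for the illustration.

```python
import html
import sqlite3

# Constructed server-side catalogue: prices come from here, never from the form.
CATALOG = {"widget": 12.50, "gadget": 30.00}

def trusting_total(form):
    """The mistake: a hidden 'price' field is trusted, so an edited form sets the price."""
    return round(float(form["price"]) * int(form["qty"]), 2)

def parse_quantity(raw, limit=100):
    """Server-side check of user data; MAXLENGTH or JavaScript validation proves nothing."""
    try:
        qty = int(raw)
    except (TypeError, ValueError):
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= limit:
        raise ValueError("quantity out of range")
    return qty

def compute_total(form):
    """Any 'price' the client sent is ignored; the price is looked up server-side."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    return round(CATALOG[sku] * parse_quantity(form.get("qty")), 2)

def render_note(note):
    """HTML-encode user-entered text before placing it in the page."""
    return "<p>Note: %s</p>" % html.escape(note, quote=True)

def new_order_db():
    """In-memory SQLite table standing in for the shop's database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (sku TEXT, qty INTEGER, note TEXT)")
    return conn

def save_order(conn, sku, qty, note):
    """Parameterized query: the driver keeps the values out of the SQL syntax,
    so an apostrophe in the note is stored as data rather than ending the string."""
    conn.execute("INSERT INTO orders (sku, qty, note) VALUES (?, ?, ?)", (sku, qty, note))
    conn.commit()
    return conn.execute("SELECT sku, qty, note FROM orders").fetchall()

if __name__ == "__main__":
    # Constructed submission with the hidden price field edited in a saved copy of the form.
    form = {"sku": "gadget", "qty": "2", "price": "0.01"}
    print("trusting:", trusting_total(form), "server-side:", compute_total(form))
    print(render_note('Deliver before <noon> & call "Bob"'))
    print(save_order(new_order_db(), form["sku"], parse_quantity(form["qty"]), "O'Brien"))
```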

I was hoping for somewhat more from the presentation. In fact, it would be fair to say I was quite disappointed. Almost everything he said seemed pretty basic to me. I mean, no one other than an absolute script/HTML kiddie should be making any of those mistakes.
Are paid professionals actually stupid enough to make such basic mistakes that it would warrant a whole presentation just on these fundamentals? (He was saying how he’s been making several presentations on the same subject all over the place. And this was a conference arranged for professionals .. certainly not a bunch of n00bs.) Most of the audience seemed impressed. Well certainly not as unimpressed as I was.
So what’s going on?

I don’t mean to take anything away from the presenter Barry Dorrans, though.


EDIT:
BTW, if that sounds like I was saying that the presentation was ineffectual or a waste of time or something like that, it’s mostly because my writing skills are about as well developed as Craig Newmark’s aesthetic talent.
I was merely amazed that so many folks exist who make their living writing applications for the web, and yet don’t know this stuff. But, because that is a sad fact, (and also because not everyone is amassing a vast fortune by writing web apps … yet) people ought to be paying more attention to what guys like Barry have to say.

Posted in Security | 5 Comments »
