The Importance of Practicing Secure Coding
How I Started My Journey
I started learning programming when I was in grade 8 and ethical hacking when I was in grade 11. As I have a passion for ethical hacking, I have looked into websites through their publicly available interfaces to see how I would be able to alter their functionality.
With the corona epidemic, all my A/L classes switched from physical to online. Right there, I was given the opportunity to try to hack into those class websites.
I started looking one by one. On most websites I found ways to access class materials I should not have had access to, to watch any teaching videos hosted on those sites, and to access students' private information contained on those sites.
Even though I did not use that information or the bugs I found in any illegal way, I enjoyed finding those bugs. I reported some bugs to the relevant authorities.
How Most of Those Bugs Came to Exist
Most of the time, such bugs are caused by programmers' mistakes. Some are due to logical flaws in their code.
As a programmer, you may sometimes think only about the expected flow of the program. By crafting arbitrary requests to the relevant endpoints, attackers can obtain sensitive data if those endpoints do not properly check who is asking.
For a simple example, think about a website where a user can log into their account and access a video after paying for it.
Video playback is handled by a secure online streaming service. Suppose there is an endpoint at website_url/class/video. By sending a POST request to this endpoint with the required video id, the credentials needed to play that video are generated on the server and sent back to the requesting user. If the server code sends those details without checking whether the user making the request actually has permission to access the video, that is a security issue.
In the normal flow, requests to that endpoint carrying a video id are only generated by valid users who have paid for those videos. But people with some deep knowledge of how communication between servers and clients works can craft such requests manually, by programming or with software like Burp Suite.
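The video endpoint described above, written out as an added example (this is not code from the original post): the first handler trusts that only paying users ever call it and hands out a streaming credential on request; the second performs the missing server-side entitlement check before minting the credential. The purchase table, video list, signing key and the HMAC token format are all constructed assumptions for illustration.

```python
"""Added example: a stream-credential endpoint with and without authorization.
All data and the token scheme are constructed for the demo."""
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: server-side signing key

# Constructed sample data: which logged-in user has paid for which video.
PURCHASES = {
    "alice": {"vid-101"},
    "bob": set(),
}
VIDEOS = {"vid-101": "Physics lesson 1", "vid-202": "Chemistry lesson 3"}


def make_stream_token(user, video_id, ttl=300):
    """Mint a short-lived signed credential the streaming side can verify.
    Demo format (assumption): user|video|expiry|hmac-sha256."""
    expiry = int(time.time()) + ttl
    msg = f"{user}|{video_id}|{expiry}"
    sig = hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{sig}"


def verify_stream_token(token):
    """Streaming-side check: returns (user, video_id) for a valid, unexpired
    token, otherwise None. Uses a constant-time comparison for the signature."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, video_id, expiry, sig = parts
    msg = f"{user}|{video_id}|{expiry}"
    expected = hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if int(expiry) < int(time.time()):
        return None
    return user, video_id


def video_endpoint_vulnerable(session_user, video_id):
    """POST /class/video as the post describes it going wrong: the server
    assumes only paying users send this request and never checks entitlement,
    so any logged-in user who supplies a video id receives a credential."""
    if video_id not in VIDEOS:
        return 404, {"error": "no such video"}
    return 200, {"token": make_stream_token(session_user, video_id)}


def video_endpoint_fixed(session_user, video_id):
    """Same endpoint with the authorization decision made on the server from
    the session identity, not from anything the client sends."""
    if session_user is None:
        return 401, {"error": "login required"}
    if video_id not in PURCHASES.get(session_user, set()):
        # Denials are worth logging: a burst of 403s from one session trying
        # many video ids is the signature of someone probing this endpoint.
        return 403, {"error": "video not purchased"}
    if video_id not in VIDEOS:
        return 404, {"error": "no such video"}
    return 200, {"token": make_stream_token(session_user, video_id)}


if __name__ == "__main__":
    # bob has paid for nothing, yet the vulnerable handler serves him a token.
    print("vulnerable:", video_endpoint_vulnerable("bob", "vid-101")[0])
    print("fixed:     ", video_endpoint_fixed("bob", "vid-101")[0])
    status, body = video_endpoint_fixed("alice", "vid-101")
    print("alice:", status, verify_stream_token(body["token"]))
```

The point of the fixed handler is that the entitlement lookup keys on the server-side session identity, so a request built by hand carries no more privilege than the account it is logged in as. Ordering the entitlement check before the existence check also avoids telling an unentitled caller which video ids exist.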
In my opinion, backend programmers should learn about breaking code so they can write unbreakable code.
If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.
Bruce Schneier