In my demos, I often show the most basic web application vulnerabilities. For instance, I show a SQL injection in a very badly designed web login interface. I use this particular example because I think it’s relatively easy for non-security and less technical people to understand. The thing is, web applications and SQL injection have both evolved well beyond this old-school demo. I frankly don’t expect many modern web sites to suffer the very basic coding flaws I exploit in my demo. Yesterday, my assumption was proven wrong.
Recently, Mozilla received a complaint from a web site owner about Firefox’s “notice” of an insecure site. The complaint itself suggests the author doesn’t know much about security, simply because he doesn’t understand the relevance of using HTTP, rather than HTTPS, for his site’s login page. However, when Redditors noticed this complaint and started probing the web site in question, they found the site even less secure than expected. Frankly, it suffers from such basic flaws that some think the entire incident may be a bad joke. Watch the Daily Byte video below to learn more about this insecure site. If you’re a web developer, also check out the OWASP link below to learn how to avoid the same mistakes.
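For developers who want to see the “most basic” login flaw mentioned above next to its fix, here is an added illustration (my own example, not code from the site in question or from the video): the same login check written with string-built SQL and then with parameterized queries, against a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a site's user table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The old-school flaw: user input is pasted into the SQL text, so quote
    characters in the input are interpreted as query syntax, and a crafted
    username can turn the WHERE clause into one that is always true."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """The fix: placeholders hand the input to the driver as data, never as
    SQL syntax, so the same crafted input is just a username that does not
    exist. Real systems should also store password hashes, not plaintext."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # classic textbook input used in basic SQLi demos
    print("valid creds, vulnerable:    ", login_vulnerable(db, "alice", "correct horse"))
    print("valid creds, parameterized: ", login_parameterized(db, "alice", "correct horse"))
    print("crafted input, vulnerable:   ", login_vulnerable(db, crafted, crafted))
    print("crafted input, parameterized:", login_parameterized(db, crafted, crafted))
```

Running it shows the string-built version accepting the crafted input while the parameterized version rejects it, which is the whole point the OWASP material below makes at length.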
Episode Runtime: 5:33
Direct YouTube Link: https://www.youtube.com/watch?v=FRml8n9cezY
EPISODE REFERENCES:
- Firefox bug report turns into web insecurity drama (Ars Technica)
- Reddit post on this insecure website (Reddit)
- Tweet highlighting the now hidden Mozilla bug submission (Twitter)
- One of my older videos illustrating SQL injection (YouTube)
- Learn about web security with the Open Web Application Security Project (OWASP)
Corey Nachreiner, CISSP ( @SecAdept )