As the virtual landscape expands, cyber threats are growing faster than ever. For developers, security is no longer optional. In the past, the focus was on the functionalities and features of the application, with security often overlooked. Many applications were standalone or built on weak, insecure frameworks because, frankly, security wasn’t a primary concern. But now, everything has changed. Today, most applications are cloud-based, and even standalone applications frequently rely on web APIs. This means that web security is something we can no longer ignore.

In this blog, we’ll explore various best practices to help keep your applications safe. From understanding common vulnerabilities to implementing secure coding techniques, we’ll provide actionable insights and tips to enhance the security of your software. Whether you’re a seasoned developer or just starting out, these practices will help you build robust and secure applications from the ground up.

The Importance of Security in Development

Why it matters

Even with a multitude of features and a flawless user experience, a single security breach can bring everything crashing down. An attack could not only damage the reputation of your application but also lead to severe legal consequences if sensitive data is compromised. The impact can be far-reaching, affecting not just your product, but also the trust of your users.

Key actions for developers

It all begins with core development and a solid understanding of secure coding practices. Implementing features without considering potential security threats can introduce numerous vulnerabilities into your product. Even if your software development process includes extensive penetration testing and security scans, it’s always better to prevent security issues from being introduced in the first place. This is only possible if developers are well-versed in secure coding practices and actively apply them throughout the development lifecycle.

Input sanitization

Client-server interactions are fundamental for every application. Developers often depend on input from clients, whether its data sent through URL parameters, form submissions (request body), HTTP headers, or even cookies. However, this comes with significant risks. If not handled correctly, untrusted client input can open the door for attackers to exploit vulnerabilities.

For example, improperly sanitized input can lead to vulnerabilities like cross-site scripting (XSS). A malicious script injected into input fields can steal sensitive user data, such as cookies, when displayed without proper encoding.

XSS injection point on a search bar
XSS injection point on a search bar

Imagine a scenario where a developer pushes code to production after testing it extensively. The site goes live without any noticeable issues—until a threat actor identifies a potential XSS vulnerability in the functionality.

The attacker tests the vulnerability using a simple payload like this: <img src onerror=”alert(document.cookie)”>. As expected, the attacker successfully injects malicious JavaScript into the input field, leading to unintended execution.

XSS exploits with cookie disclosure
XSS exploits with cookie disclosure

To escalate the attack, the attacker modifies the payload to include JavaScript that sends cookies to their own server. By sharing a malicious URL with logged-in users, the attacker compromises their cookies if they open the link in an authenticated state. This opens the door to account takeover and other severe security risks.

Let’s analyze the root cause of this issue:
In this scenario, the application’s search functionality takes input from users and directly passes it to the view without any validation or sanitization.

XSS vulnerable endpoint code
XSS vulnerable endpoint code

On the view page, this input is rendered using @Html.Raw, displaying it as-is without encoding.

XSS exploit view file code
XSS exploit view file code

The developer made two mistakes here:

  1. Failing to sanitize the input and blindly trusting client-provided data.
  2. Not using proper encoding to safely render the data back to the user.

This example illustrates how even a small oversight in code can lead to severe vulnerabilities, compromising user accounts and trust. Therefore, it is essential to adopt secure coding practices, such as input validation, sanitization, and output encoding, to protect applications and user data.

Note: Unsanitized input can lead to more than just XSS; it can also result in a wide range of attacks depending on how the input is handled by the endpoint. Examples include SSRF, SSTI, SQLI, path traversal, etc.

Trusting server response

Consider an OTP verification feature where, after a user logs in, they must verify their OTP to access the dashboard page. The implementation involves sending a POST request to the server when the user inputs the OTP. The server checks the OTP against the database and responds with either a success message if the OTP is correct or an “Invalid OTP” response if it is not.

Otp verification vulnerable code sample
Otp verification vulnerable code sample

Upon receiving the server’s response, the client takes appropriate action: navigating to the dashboard if the OTP is valid or displaying an error message if the OTP is invalid.

Client side script to validate otp verification code
Client side script to validate otp verification code

While this design may appear secure, it introduces a vulnerability to response manipulation forgery.

The attacker’s perspective:

From a developer’s standpoint, altering server responses may seem unlikely for a legitimate user. However, attackers can intercept and manipulate server responses using tools specifically designed for this purpose. This manipulation can bypass intended security checks.

Example scenario:
In this OTP verification process, suppose the server only accepts the OTP “123456” as valid. Any other OTP results in an “Invalid OTP” message. When an incorrect OTP is entered, the system correctly displays the error message.

otp verification
otp verification
otp verification actual result
otp verification actual result

However, an attacker can intercept the server’s response using a tool, modify the response to indicate success, and send it back to the client.

OTP verification server response in intruder mode
OTP verification server response in intruder mode
OTP verification modified server response
OTP verification modified server response

This manipulation allows the attacker to bypass the OTP verification process entirely, resulting in a weak authentication mechanism.

Key takeaways for developers:

Developers must recognize that any data exchanged between the client and server can potentially be intercepted and altered by an attacker. Secure implementations require careful attention to prevent such vulnerabilities.

Best practices to mitigate this risk:

  1. Avoid relying on server responses (e.g., “true” or “false”) to determine the next step in the client-side process, as these responses can be easily manipulated.
  2. Instead, design the server to directly handle the transition to the next process or page upon successful OTP validation. For example, the server should serve the dashboard page only after confirming a valid OTP, rather than returning a status for the client to act upon.
By incorporating such secure coding practices, developers can prevent response manipulation attacks and strengthen the overall authentication mechanism.

Trusting client input

While input sanitization is critical in preventing attacks like XSS, vulnerabilities can also arise from how input is obtained and used to achieve specific functionalities. Let’s explore an example involving a two-factor authentication (2FA) process.

In this case, users first complete a general login, proceed to a 2FA page, and, upon entering a valid 2FA code, receive a cookie that authenticates them.

Verify 2fa process endpoint code
Verify 2fa process endpoint code

Middleware is implemented to ensure users cannot bypass the 2FA page by navigating directly to the dashboard or other authenticated pages, redirecting them back to the 2FA page if necessary.

2Fa redirect logic code
2Fa redirect logic code

At first glance, this setup appears secure. However, the vulnerability lies in how the input for the authentication check is handled.

The attacker’s perspective:
Let’s examine the cookie generated after completing 2FA.

2FA client side cookie analyzing
2FA client side cookie analyzing

If the cookie value is static—such as being a base64-encoded string containing the username and a “true” value—this creates a significant security risk. An attacker could decode or copy this static value and reuse it later to bypass the 2FA process entirely.

If an attacker manages to obtain the victim’s password, this static cookie value enables them to circumvent the 2FA, nullifying the additional layer of security.

Best practices to mitigate this risk:
To strengthen 2FA implementation and secure cookie generation:

  1. Avoid static values: Ensure cookies are generated dynamically for each session and user.
  2. Use strong encryption: Replace basic encoding methods like base64 with robust encryption algorithms to protect cookie data.
  3. Incorporate unique identifiers: Include GUIDs (globally unique identifiers) or other strong keys in the cookie value to make them unpredictable and non-reusable.
  4. Set secure cookie attributes: Use attributes such as Secure, HttpOnly, and SameSite to limit cookie exposure and mitigate risks of theft..

By adopting these practices, even if an attacker intercepts or decodes a cookie, they will be unable to exploit it without access to the dynamic components or encryption keys, thereby significantly reducing the risk of 2FA bypass.

Sensitive information leaks

Sensitive data leaks often occur inadvertently due to common mistakes made during development. Attackers don’t always require complex techniques to exploit such vulnerabilities. Let’s explore a frequent scenario: sensitive information included in URLs.

Sensitive information in URLs

Using URLs to transmit user input to the server is a common practice. While this approach might seem harmless, it becomes a significant security concern when sensitive data is embedded in the URL.

Consider an example of an online banking portal. Users can view account details and perform transactions, and for convenience, the system allows users to share specific account pages via links. To achieve this, account details and transaction data are passed directly as query parameters in the URL.

https://www.bankportal.com/account-details?accountNumber=123456789&balance=5000&ssn=987-65-4321

Why is this a problem?
At first glance, this design appears efficient and user-friendly. However, it introduces severe security risks. To understand the vulnerabilities, let’s examine how URLs are processed:

  1. Browser History and Cache: URLs are stored in the user’s browser history or cache, making them accessible to anyone with access to the browser.
  2. Network Transmission: URLs pass through routers, ISPs, VPNs, or DNS servers on their way to the target server. Each step creates a potential interception point.
  3. Server Logs: URLs are typically logged on servers for record-keeping, exposing sensitive data to anyone with log access.
  4. Accidental Sharing: URLs may be inadvertently shared with unauthorized individuals via messages or emails.

Potential Risks

  1. Man-in-the-middle (MITM) attacks: An attacker intercepting the request can retrieve sensitive information.
  2. DNS spoofing: An attacker can reroute requests to malicious destinations.
  3. Data exposure to third parties: VPN providers or network administrators may gain access to sensitive data.

Compliance Concerns
These practices can violate security regulations like GDPR, HIPAA, or PCI DSS, resulting in significant fines and reputational damage.

Mitigation Strategies
To prevent sensitive data leaks through URLs:

  1. Avoid putting sensitive data in URLs: Never include account details, transaction IDs, or personal information as query parameters.
  2. Use POST requests: For transmitting sensitive data, use POST methods instead of GET. This ensures data isn’t included in the URL.
  3. Encrypt data: Use secure protocols like HTTPS to encrypt all transmitted data.
  4. Review logs and permissions: Ensure server logs are secured and accessible only to authorized personnel.
  5. Implement security headers: Configure headers like Cache-Control to prevent sensitive data from being cached in browsers.

By addressing these issues and following secure coding practices, you can safeguard sensitive information and ensure compliance with regulatory requirements.

Development comments not removed

Leaving development comments in production code is a common oversight. While comments are helpful during development for clarity and communication, they can pose significant risks if they inadvertently reveal sensitive information.

Information disclosure in client side scripts
Information disclosure in client side scripts

Understanding the Issue
Consider this scenario: While working on a feature, a developer adds comments containing sensitive details such as API keys, passwords, or configuration settings. Once the code moves to production, these comments remain, exposing critical information unintentionally.

From a developer’s perspective, it might seem harmless; they’re thinking, “If it’s found later, we can just remove it, and no one will notice.” However, the reality is more complex.

The Risk

  1. Permanent disclosure: If web scrapers or caching services like the Wayback Machine archive your site, any sensitive information in comments can persist indefinitely, even after it’s removed from your production code.
  2. Third-party access: Malicious actors monitoring codebases or scraping sites may exploit exposed data for unauthorized access or attacks.
  3. Compliance violations: Leaked sensitive information can result in breaches of compliance regulations such as GDPR or HIPAA, leading to hefty penalties.

Best practices to prevent such issues

  • Code review: Regularly review code for any comments or leftover sensitive information before deployment.
  • Automated tools: Use tools like GitLeaks or similar token disclosure detection software to identify and prevent exposure of sensitive information in code.
  • Environment variables: Never hard-code sensitive information. Instead, use environment variables and secure configuration management.
  • Educate your team: Foster awareness among developers about the risks of leaving sensitive comments in code.
  • Test builds thoroughly: Ensure all preproduction environments are scrutinized for unnecessary comments or hard-coded data.

    • Final reminder: Exercise caution about what goes into production. Once sensitive information is out, it can spread beyond your control, so proactive measures are essential to safeguard your codebase and maintain security.

    Conclusion

    As you work on securing your application, remember that it’s not just about avoiding common mistakes; it’s about understanding the underlying risks and being proactive. By addressing these security issues thoughtfully, you’re not only safeguarding your users but also reinforcing the trust they place in your app. That’s what really sets your application apart. Stay curious, keep learning, and always look for new ways to strengthen your security, because in the ever-evolving world of tech, there’s always something more to explore. If you have any thoughts or questions, feel free to comment below or reach out—I’d love to hear from you!

    Author Jackson Paul T
    Jackson Paul T
    Product Manager
    Jackson Paul T is a product manager with over 5 years of experience in software development, specializing in application security. An expert in .NET and C#, he excels in managing the entire application security lifecycle, ensuring that products meet the highest standards of safety and reliability. Jackson’s proactive approach and dedication to security contribute significantly to the success of his organization.