Imagine your schoolā€™s online portal. Students log in with their ID and password to check results, upload homework, or message teachers.

Now picture a clever hacker lurking outside. They donā€™t attack the school building physically ā€” instead, they try to ā€œsneakā€ into the portal by tricking the system.

Thatā€™s the world of web security issues: weaknesses in websites that attackers exploit. If developers donā€™t protect their apps, attackers can steal data, hijack accounts, or even bring down the entire system.

šŸ”‘ Common Web Security Issues

1. Cross-Site Scripting (XSS)

  • What it is: An attacker injects malicious JavaScript into a web page.

  • Example: Imagine you type a comment on a school forum:

    <script>alert("Hacked!")</script>

    If the site doesnā€™t sanitize input, this script will run for every user who views the page.

  • Danger: Stealing cookies, session tokens, or tricking users.
  • Fix: Always escape/sanitize user input. Use libraries or frameworks that handle this automatically.

2. Cross-Site Request Forgery (CSRF)

  • What it is: Tricking a logged-in user into performing an action they didnā€™t intend.
  • Example: A student is logged into the school portal. They click a disguised link in an email that secretly tells the portal: ā€œChange this studentā€™s password.ā€
  • Danger: Account hijacking.
  • Fix: Use CSRF tokens ā€” unique random keys in forms that attackers canā€™t guess.

3. SQL Injection

  • What it is: Inserting malicious SQL code into a query.

  • Example: Login form asks for a username:

    SELECT * FROM users WHERE username = 'admin' AND password = 'password';

    A hacker types:

    ' OR '1'='1

    This tricks the system into logging them in without a real password.

  • Danger: Full database access ā€” stolen grades, financial records, etc.
  • Fix: Use parameterized queries (prepared statements), never trust raw input.

4. Insecure Password Storage

  • Bad Practice: Storing passwords in plain text.
  • What happens: If hackers breach the database, every studentā€™s password is exposed.
  • Fix: Store passwords using hashing (e.g., SHA-256, bcrypt) with salts.

5. Man-in-the-Middle (MITM) Attacks

  • What it is: A hacker intercepts communication between the user and the server.
  • Example: On public Wi-Fi, someone can spy on data sent if the site doesnā€™t use HTTPS.
  • Danger: Stolen logins, financial details.
  • Fix: Always use HTTPS with SSL/TLS certificates.

6. Clickjacking

  • What it is: Tricking users into clicking hidden buttons.
  • Example: A fake ā€œPlay Videoā€ button actually clicks ā€œTransfer Money.ā€
  • Fix: Use frame-busting headers like X-Frame-Options to stop malicious embedding.

7. Session Hijacking

  • What it is: Stealing a userā€™s session token (the ā€œticketā€ that says youā€™re logged in).
  • Danger: Hacker takes over your account without needing your password.
  • Fix: Use secure cookies, short session expiry, and HTTPS.

8. Weak Authentication

  • Problem: Systems that allow weak passwords like 12345 or password.
  • Fix: Enforce strong password policies, add 2FA (two-factor authentication).

šŸ—ļø Best Practices to Reduce Security Issues

  1. Validate and sanitize all inputs.
  2. Use HTTPS everywhere.
  3. Keep software and dependencies updated.
  4. Use strong authentication (2FA, password hashing).
  5. Implement proper access control (students canā€™t see teachersā€™ data).
  6. Regularly test for vulnerabilities (penetration testing).

āœ… Summary in Plain Words

  • Security issues happen when attackers exploit weak points in a web app.
  • Big risks: XSS, CSRF, SQL Injection, weak password storage, MITM, session hijacking, clickjacking.
  • Developers must always think: ā€œWhat if a bad actor tries to trick this input or connection?ā€
  • The solution is not one magic tool, but a combination of safe coding practices, encryption, and testing.

šŸ“ Review ā€“ Fill in the Gaps

  1. _______ is when attackers inject malicious JavaScript into web pages.
  2. CSRF tricks a logged-in user into performing an unwanted _______.
  3. SQL Injection happens when untrusted input is added into a _______ statement.
  4. Passwords should be stored as _______ instead of plain text.
  5. A man-in-the-middle attack can be prevented using _______.
  6. Clickjacking tricks users into clicking hidden _______.
  7. Stealing session tokens is known as session _______.
  8. Weak authentication happens when users are allowed to set _______ passwords.
  9. A secure website should always use the protocol _______ instead of HTTP.
  10. Regular _______ testing helps identify and fix vulnerabilities.
<
Previous Post
šŸ” JavaScript Web Cryptography API: Learn How Hashing a Password Works
>
Next Post
šŸŽ‰ CSS Made Simple: A Beginnerā€™s Guide to Styling the Web With Project