Imagine your school’s online portal. Students log in with their ID and password to check results, upload homework, or message teachers.

Now picture a clever hacker lurking outside. They don’t attack the school building physically — instead, they try to “sneak” into the portal by tricking the system.

That’s the world of web security issues: weaknesses in websites that attackers exploit. If developers don’t protect their apps, attackers can steal data, hijack accounts, or even bring down the entire system.

🔑 Common Web Security Issues

1. Cross-Site Scripting (XSS)

  • What it is: An attacker injects malicious JavaScript into a web page.

  • Example: Imagine you type a comment on a school forum:

    <script>alert("Hacked!")</script>

    If the site doesn’t sanitize input, this script will run for every user who views the page.

  • Danger: Stealing cookies, session tokens, or tricking users.
  • Fix: Always escape/sanitize user input. Use libraries or frameworks that handle this automatically.

2. Cross-Site Request Forgery (CSRF)

  • What it is: Tricking a logged-in user into performing an action they didn’t intend.
  • Example: A student is logged into the school portal. They click a disguised link in an email that secretly tells the portal: “Change this student’s password.”
  • Danger: Account hijacking.
  • Fix: Use CSRF tokens — unique random keys in forms that attackers can’t guess.

3. SQL Injection

  • What it is: Inserting malicious SQL code into a query.

  • Example: Login form asks for a username:

    SELECT * FROM users WHERE username = 'admin' AND password = 'password';

    A hacker types:

    ' OR '1'='1

    This tricks the system into logging them in without a real password.

  • Danger: Full database access — stolen grades, financial records, etc.
  • Fix: Use parameterized queries (prepared statements), never trust raw input.

4. Insecure Password Storage

  • Bad Practice: Storing passwords in plain text.
  • What happens: If hackers breach the database, every student’s password is exposed.
  • Fix: Store passwords using hashing (e.g., SHA-256, bcrypt) with salts.

5. Man-in-the-Middle (MITM) Attacks

  • What it is: A hacker intercepts communication between the user and the server.
  • Example: On public Wi-Fi, someone can spy on data sent if the site doesn’t use HTTPS.
  • Danger: Stolen logins, financial details.
  • Fix: Always use HTTPS with SSL/TLS certificates.

6. Clickjacking

  • What it is: Tricking users into clicking hidden buttons.
  • Example: A fake “Play Video” button actually clicks “Transfer Money.”
  • Fix: Use frame-busting headers like X-Frame-Options to stop malicious embedding.

7. Session Hijacking

  • What it is: Stealing a user’s session token (the “ticket” that says you’re logged in).
  • Danger: Hacker takes over your account without needing your password.
  • Fix: Use secure cookies, short session expiry, and HTTPS.

8. Weak Authentication

  • Problem: Systems that allow weak passwords like 12345 or password.
  • Fix: Enforce strong password policies, add 2FA (two-factor authentication).

🏗️ Best Practices to Reduce Security Issues

  1. Validate and sanitize all inputs.
  2. Use HTTPS everywhere.
  3. Keep software and dependencies updated.
  4. Use strong authentication (2FA, password hashing).
  5. Implement proper access control (students can’t see teachers’ data).
  6. Regularly test for vulnerabilities (penetration testing).

✅ Summary in Plain Words

  • Security issues happen when attackers exploit weak points in a web app.
  • Big risks: XSS, CSRF, SQL Injection, weak password storage, MITM, session hijacking, clickjacking.
  • Developers must always think: “What if a bad actor tries to trick this input or connection?”
  • The solution is not one magic tool, but a combination of safe coding practices, encryption, and testing.

📝 Review – Fill in the Gaps

  1. _______ is when attackers inject malicious JavaScript into web pages.
  2. CSRF tricks a logged-in user into performing an unwanted _______.
  3. SQL Injection happens when untrusted input is added into a _______ statement.
  4. Passwords should be stored as _______ instead of plain text.
  5. A man-in-the-middle attack can be prevented using _______.
  6. Clickjacking tricks users into clicking hidden _______.
  7. Stealing session tokens is known as session _______.
  8. Weak authentication happens when users are allowed to set _______ passwords.
  9. A secure website should always use the protocol _______ instead of HTTP.
  10. Regular _______ testing helps identify and fix vulnerabilities.
<
Previous Post
🔐 JavaScript Web Cryptography API: Learn How Hashing a Password Works
>
Blog Archive
Archive of all previous blog posts