In my demos, I often show the most basic web applications vulnerabilities. For instance, I show a SQL injection in a very badly designed web login interface. I use this particular example because I think it’s relatively easy for non-security and less technical people to understand. The thing is, web applications and SQL injection have both evolved well beyond this old-school demo. I frankly don’t expect many modern web sites to suffer the very basic coding flaws I exploit in my demo. Yesterday, my assumption was proven wrong.
Recently, Mozilla received a complaint from a web site owner about Firefox’s “notice” of an insecure site. The complaint itself suggests the author does know much about security simply because he doesn’t understand the relevance of using HTTP, rather than HTTPS, for his site’s login page. However, when Redditors noticed this complaint, and started probing the web site in question, they found the site even less secure than expected. Frankly, it suffers from such basic flaws that some think the entire incident may be a bad joke. Watch the Daily Byte video below to learn more about this insecure site. If you’re a web developer, also check out the OWASP link below to learn how to avoid the same mistakes.
Episode Runtime: 5:33
Direct YouTube Link: https://www.youtube.com/watch?v=FRml8n9cezY
EPISODE REFERENCES:
- Firefox bug report turns into web insecurity drama – Ars Technica
- Reddit post on this insecure website – Reddit
- Tweet highlighting the now hidden Mozilla bug submission – Twitter
- One of my older videos illustrating SQL injection – YouTube
- Learn about web security with the Open Web Application Security Project – OWASP