Information Security 15 min read

Web Security Fundamentals: Secure Coding, SQL Injection, XSS, and File Management

This article provides a comprehensive overview of web security, covering authentication, input validation, secure coding practices, SQL injection and XSS attack mechanisms, detection methods, defensive techniques, and best practices for secure file upload and download.


Web security refers to the methods and technologies used to protect web applications, servers, and browsers from attacks and malicious activity. As more business moves online, it becomes increasingly critical.

Key aspects of web security include authentication and authorization, input validation, output encoding, and defenses against injection attacks such as SQL injection, cross‑site scripting (XSS), and cross‑site request forgery (CSRF).

1. What is Secure Coding? Secure coding standards define the requirements that keep code correct, reusable, and safe throughout development, testing, and maintenance. They cover authentication, authorization, input validation, output encoding, error handling, and secure configuration management.

2. Secure Coding – Input Validation All client‑supplied data (URLs, query and form parameters, headers, cookies, and anything generated by client‑side scripts) is untrusted and must be validated on the server using:

Whitelist (allowlist): accept only data that matches an explicitly allowed pattern (character set, length, format) and reject everything else. This is the preferred approach.

Blacklist (denylist): reject known malicious sequences (e.g., null byte %00, line breaks %0d/%0a, path traversal ../). Use it only as a second layer: a blacklist matches the exact forms it knows, so an encoded variant (%2e%2e%2f, or the double‑encoded %252e%252e%252f) slips past unless the input is decoded first.

Normalization/Canonicalization: decode and canonicalize the data (percent‑decoding, Unicode normalization) before validating it, and apply any removal or encoding of unsafe characters to that canonical form, so the value that is checked is the value the application actually uses.

SQL Injection Prevention: build queries with parameterized statements (bound variables) instead of string concatenation.

Access Control: check on the server that every submitted identifier (account, order, file) belongs to the authenticated user, so that changing an ID in a request cannot escalate privileges or reach another user's data.
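The allowlist, blacklist, and canonicalization rules above, as an added example that is not code from the original article. It is written in Python; the field names, patterns, and the bounded percent‑decoding loop are assumptions for illustration. It shows why the order of operations matters: a blacklist applied to the raw input misses a double‑encoded `../`, while an allowlist applied to the canonical form rejects it.

```python
import re
import urllib.parse

# Allowlist patterns for a few example field types (constructed for this example).
ALLOWLIST = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "order_id": re.compile(r"^[0-9]{1,12}$"),
    "filename": re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$"),
}

# Blacklist of the sequences named in the article: NUL, CR/LF, path traversal.
BLACKLIST = re.compile(r"\x00|\r|\n|\.\./|\.\.\\")


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded to avoid loops).

    Double-encoded input such as %252e%252e%252f only becomes ../ on the
    second pass, so a check made before canonicalization never sees it.
    """
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate(field: str, raw: str) -> bool:
    """Allowlist check applied to the canonical form of the input."""
    pattern = ALLOWLIST.get(field)
    if pattern is None:
        return False  # unknown field: reject by default
    return pattern.fullmatch(canonicalize(raw)) is not None


def blacklist_only(raw: str) -> bool:
    """The weak approach: accept unless a known-bad sequence appears verbatim."""
    return BLACKLIST.search(raw) is None
```

`blacklist_only` is kept deliberately naive to show the failure mode; in production the blacklist, if used at all, runs after `canonicalize` and behind an allowlist.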

3. Secure Coding – Output Encoding Encode every piece of dynamic output for the context it lands in (HTML entity encoding for HTML bodies and attributes, URL encoding for query strings, JavaScript string escaping inside scripts), mask sensitive values such as credit card numbers before they leave the server, and consider a single, consistent JSON response format for client‑server data exchange so that data is never handed to the browser as markup.

4. SQL Injection SQL injection occurs when attacker‑controlled input is concatenated into a SQL statement, so that the input changes the structure of the query instead of being treated as a value. A typical attack proceeds by determining the injection type (string or numeric context), finding the number of columns (e.g., with ORDER BY or UNION SELECT), locating where injected values appear in the response, enumerating the database schema, and dumping data. Detection: test integer and string parameters with a trailing single quote (') and look for an error or a changed response, then compare the response to a true condition (AND 1=1) with a false one (AND 1=2); a difference means the condition reached the database. Filter bypass techniques include mixed‑case keywords, ASCII/character‑code encoding of strings, and SQL comments. Example payloads and screenshots in the original article illustrate the process.

5. XSS Attacks XSS (cross‑site scripting) lets an attacker's script execute in a victim's browser because user‑controlled data is placed into a page without adequate filtering or encoding. The harm includes credential theft, session hijacking, data leakage, site defacement, and spam or malware distribution. XSS types:

Reflected XSS – the payload is carried in the request (typically a URL parameter) and echoed straight back in the response; the victim has to be induced to open the crafted link.

Stored XSS – the payload is saved on the server (comments, forum posts, profile fields) and served to every user who views the affected page.

DOM‑based XSS – client‑side JavaScript reads attacker‑controlled data (for example from location.hash) and writes it into the page through a sink such as innerHTML or document.write; the payload need not appear in the server's response at all.

Detection and defense strategies:

Manual testing: inject characters such as < , > , ( ) , " and ' into each parameter and check whether they come back in the response unencoded.

Automated tools such as Acunetix, Burp Suite, XSSer, XSSF, and BeEF.

Defensive measures: encode output for its context (e.g., htmlspecialchars in PHP for HTML bodies and attributes, with separate encoders for URLs and JavaScript strings); prefer libraries and frameworks that encode by default or sanitize HTML for you (the OWASP ESAPI encoders, React's automatic escaping of rendered values, Jsoup's HTML sanitizer); deploy a Content Security Policy (CSP) to restrict where scripts may load from; and set the HttpOnly flag on session cookies so a successful injection cannot read them through document.cookie. Blacklisting HTML tags is sometimes listed as a defense, but it is easily bypassed (case changes, nested tags, event‑handler attributes on permitted tags) and must never be the only control.
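Context‑aware output encoding (section 3) and the XSS defenses and manual test above, as an added example that is not code from the original article. It is Python using only the standard library; the search‑page markup, the attacker payload, and the CSP value are constructed assumptions. The vulnerable renderer, a tag blacklist, and per‑context encoders are placed side by side so the bypasses and the fixes can be compared on the same input.

```python
import html
import json
import re
import urllib.parse

# Constructed attacker input for a search box that reflects its query term.
PAYLOAD = '"><script>alert(document.cookie)</script>'

# Assumed policy: only same-origin scripts, no plugins.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"


def render_vulnerable(term: str) -> str:
    """Reflected XSS: the parameter is placed into the HTML body verbatim."""
    return f"<p>Results for: {term}</p>"


# Blacklist approach: strip <script> tags only. Shown here because it is bypassable.
TAG_BLACKLIST = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def render_blacklist(term: str) -> str:
    """Removes literal <script> tags and nothing else."""
    return f"<p>Results for: {TAG_BLACKLIST.sub('', term)}</p>"


def render_html(term: str) -> str:
    """HTML body context: entity-encode & < > and both quote characters."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_attribute(term: str) -> str:
    """Quoted attribute context: the same entity encoding inside a quoted value."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


def render_url(term: str) -> str:
    """URL query context: percent-encode everything, including ( ) and quotes."""
    return f'<a href="/search?q={urllib.parse.quote(term, safe="")}">again</a>'


def render_js(term: str) -> str:
    """JavaScript string context: JSON-encode, then escape < so the value can
    never contain a literal </script> that would close the surrounding block."""
    literal = json.dumps(term).replace("<", "\\u003c")
    return f"<script>var q = {literal};</script>"


def reflected_unencoded(response: str, probe: str = "<>()\"'") -> bool:
    """Manual-test helper: does the probe string come back untouched?"""
    return probe in response
```

Each encoder is tied to the place the value is inserted; using `render_html` for a value that ends up inside a `<script>` block, or vice versa, is the classic context mismatch that keeps XSS alive even when "everything is escaped".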

6. File Management – Upload/Download

Upload – Verify the user's identity and authorization; enforce a whitelist of allowed file types and a maximum size, checking the file content (magic bytes) as well as the extension; store files outside any directory the web server can execute from; rename each file to a random name; and never expose the storage path to the client.

Download – Verify identity and authorization; read the file on the server and send it as a binary stream with a Content‑Disposition: attachment header rather than linking to the file directly; and prevent directory traversal by mapping the request to a file through an opaque identifier or, where a path must be accepted, resolving it and confirming it still lies inside the storage root (rejecting ../../ and its encoded forms).

The next article will cover logical security and data security.

Tags: File Upload, SQL injection, XSS, Information Security, Web Security, input validation, Secure Coding
Written by

360 Smart Cloud

Official service account of 360 Smart Cloud, dedicated to building a high-quality, secure, highly available, convenient, and stable one‑stop cloud service platform.
