Where the Threats Come From

The concept of security implies the presence of an enemy we're protecting ourselves against. Table 15-1 summarizes the most common types of Web attacks.

Table 15-1: Common Web Attacks
Attack	Description
Cross-site scripting (XSS)	Untrusted user input is echoed to the page.
Denial of service (DoS)	The attacker floods the network with fake requests, overloading the system and blocking regular traffic.
Eavesdropping	The attacker uses a sniffer to read unencrypted network packets as they are transported on the network.
Hidden-field tampering	The attacker compromises unchecked (and trusted) hidden fields stuffed with sensitive data.
One-click	Malicious HTTP posts are sent via script.
Session hijacking	The attacker guesses or steals a valid session ID and connects over another user's session.
SQL injection	The attacker inserts malicious input that the code blissfully concatenates to form dangerous SQL commands.

The bottom line is that whenever you insert any sort of user input into the browser's markup, you potentially expose yourself to a code-injection attack (any variations of SQL injection and XSS). In addition, sensitive data should never be sent across the wire (let alone as clear text) and must be stored safely on the server.

If there's a way to write a bulletproof and tamper-resistant application, it can only consist of the combination of the following measures:

Coding practices data validation, type and buffer length checking, and anti-tampering measures
Data access strategies using roles to ensure the weakest possible account, and using stored procedures or at least parameterized commands
Effective storage and administration no sending of critical data down to the client, using hash codes to detect manipulation, authenticating users and protecting identities, and applying rigorous policies for passwords

As you can see, a secure application can result only from the combined efforts of developers, architects, and administrators. Don't imagine that you can get it right otherwise.