Coding standards and guidelines exist for every type of language that you can use while building applications, programs and websites. Standards mostly exist for reasons of compatibility, debugging, maintainability, teamwork, product quality, (web browser) rendering of web pages, security etc.: not following the guidelines often results in vulnerabilities, a bad user experience, accidents, financial losses and many other unpleasant surprises.
Some examples are: using understandable variable names, indentation, error return values, input validation, well-documented source code (the use of comments), small functions and clear meta-information about the author, creation date etc.
Besides all the guidelines, the developer himself also benefits from writing standard-conforming source code: it makes it easier for him to review his own work, find bugs when they appear and reuse his own source code in other projects.
A web developer has access to several online code validators and other tools that supply him with information about his work and how to improve its quality. Not using these tools, and thus not following the guidelines, often results in poor search-engine rankings and a negative user experience.
Code injection is a generic term for any type of attack that involves the injection of code. It typically consists of entering invalid data into an input field of an application or website that does not validate and sanitise user input. The goal is to compromise the original code so that the application or website behaves differently, which can then lead to security breaches.
This is one of the most popular injection attacks.
A developer always needs to write code that checks every user input against a required format and length: for example a numeric field that accepts only numeric values, or an e-mail field that checks whether the given e-mail address has the right format, such as "firstname.lastname@example.org".
See hybrid malware
This is probably one of the most dangerous vulnerabilities an application can have. Command injection (also known as shell injection) is a cyber attack in which commands are executed in the system shell, or in other parts of the environment that the application uses to extend its functionality, without needing to inject malicious code into the application itself. Due to insufficient input validation an attacker can inject their own commands, which are then executed at the shell level.
With this type of attack an attacker is able to leverage an OS command injection vulnerability to compromise the hosting infrastructure, exploiting trust relationships to extend the attack to other systems within the network.
Protection: if you really need user input in system commands, implement strong input validation before passing it on, for instance an allowlist of permitted strings or regular expressions. In addition you can deploy a web application firewall (WAF) to help filter out suspicious user input, and you should run your application with only the privileges it needs to complete its task: when an application requires only read access to a file, it shouldn't have write or execute permissions as well.
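As an added example (not code from the original glossary), the field checks from the code injection entry and the allowlist approach from the command injection entry above, written as small validators that run before any user input is used. The report names, the tool path and all function names are assumptions made for this example.

```python
import re
import subprocess

# Assumed format for the e-mail field: local part, "@", domain, dot, TLD of 2+ letters.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_numeric(value: str, max_len: int = 10) -> bool:
    """Numeric field: only digits, non-empty and no longer than the required length."""
    return 0 < len(value) <= max_len and value.isdigit()


def validate_email(value: str, max_len: int = 254) -> bool:
    """E-mail field: must look like firstname.lastname@example.org and respect the length limit."""
    return len(value) <= max_len and EMAIL_RE.fullmatch(value) is not None


# Allowlist of values the application is permitted to hand to a system command
# (constructed for this example); anything not listed is rejected before a shell is involved.
ALLOWED_REPORTS = {"daily", "weekly", "monthly"}


def build_report_command(report: str) -> list[str]:
    """Return the argument list for the report tool, or raise ValueError.

    The command is built as an argument list (no shell), so even if the allowlist
    check were ever bypassed, shell metacharacters in `report` would reach the tool
    as one literal argument instead of being interpreted by a shell.
    """
    if report not in ALLOWED_REPORTS:
        raise ValueError(f"report {report!r} is not on the allowlist")
    # Assumed tool path for the example; the point is the list form, not the tool.
    return ["/usr/local/bin/generate-report", "--type", report]


def run_report(report: str) -> subprocess.CompletedProcess:
    """Run the allowlisted report; shell=False (the default) keeps user input out of any shell string."""
    return subprocess.run(build_report_command(report), check=False, capture_output=True)
```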
A type of spam that we encounter everywhere on the internet. It comes in many forms, like posting irrelevant or disrespectful articles, comments and remarks on forums, blogs, social media, newsgroups etc. It also includes trolling, the use of a fake identity and astroturfing (to hide the true intent, like political or religious ideals). Often the comment or post contains a link to another website.
For web(site) developers comment spam is a bad thing: it can bring your SEO score down or even cause your domain to be marked by search engines as dangerous. There are many ways to limit comment spam, like plugins, turning off the user-website field, disabling the use of HTML tags etc.
A compiled virus is a compiler-converted program that can be executed directly by an operating system. It is mostly memory-resident (especially boot-sector viruses) and therefore capable of infecting every program that is run on the (local) machine, in addition to already existing files.
This type of virus can be classified into file-infecting viruses, boot-sector viruses and multipartite viruses. Compiled viruses interfere with normal machine operations more frequently than non-memory-resident viruses.
Compromised-key attack / Key Compromise Impersonation (KCI)
Modern cryptographic algorithms, when implemented correctly, are highly resistant to attack; their only weak point is the key.
A compromised-key attack is an attack in which an intruder knows the key used to encrypt and decrypt data sent over a network. This key corresponds to the certificate associated with the server. The attacker interferes with the connection initialisation and forces the client to use an insecure handshake with client authentication, requesting the previously installed certificate from the system. With the compromised key, the attacker can also try to compute additional keys, which might give the attacker access to other secured communications as well. A single compromised key could lead to a massive data breach.
There are three primary types of keys that need to be kept safe and secure: symmetric keys, private keys and hash keys. In the public key infrastructure (PKI) two sensitive keys are in use: the private key that each certificate holder has, and the session key that is used after successful identification and session-key exchange.
Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible.
Configuration File Sniffing (CFS)
See Sniffing attacks
Content Management System (CMS)
A Content Management System is an application that web developers can use to build a fully functional website. It typically contains functionality such as allowing visitors to comment on a (blog) post, to like a blog post etc., and for web developers it also often contains many handy tools like easy image inclusion, font management etc. Well-known CMSs are WordPress, Joomla and Drupal.
When the web developer wants certain functionality that is not available by default, he can sometimes install a (third-party) plugin to add it to his website. This is easy because the website developer doesn't have to write all the source code himself, and just like the CMS itself, the plugin is usually well-maintained and safe to use.
Risks: not all CMS plugins are regularly maintained and updated, and this is where attackers may find vulnerabilities; without knowing it, the web developer then publishes a dangerous script that can harm visitors. Therefore web developers always need to make 100% sure that the CMS and the plugins they use are safe and regularly updated (which is not always the case).
Conversation eavesdropping is a type of network attack in which an intruder secretly reads (text / e-mail) messages sent between devices. The attacker typically does not want to be noticed, so he stays as low-profile as possible and doesn't change anything in the devices' file systems. This way the intruder can learn about you or your organisation and use this information to find ways to do harm.
A cookie is more formally known as an HTTP cookie, a web cookie, an Internet cookie or a browser cookie. Cookies are typically small text files that can provide information about your browsing behaviour; they are how you automatically get logged in on sites you've already visited, for example. On the other hand, cookies are also part of the advertising ecosystem that knows which advertisements are most likely to draw your attention.
Session cookies stick around as long as you're browsing a site, tracking what you're doing but disappearing when you leave.
Authentication cookies check whether you're logged in to that site, and how you identified yourself when you logged in.
Tracking cookies stay on your computer to gradually build a record of your interactions with a given site.
First-party cookies are placed by the site itself, typically for its own use.
Third-party tracking cookies can cause security concerns, since they make it easier for parties you can't identify to watch where you are going and what you are doing online. They might be placed by an advertising network that can watch you on multiple sites and build a rich profile of you.
Supercookies aren't stored on your device: they're inserted at the network level by your service provider.
A zombie cookie is a cookie that recreates itself after being deleted, making zombie cookies tough to manage.
Under normal circumstances cookies cannot transfer viruses or malware to your computer: because the data in a cookie doesn't change, it has no way to affect how your computer runs. However, some viruses and malware may be disguised as cookies. Supercookies, for instance, can be a potential security concern, and many browsers offer a way to block them.
See also the link to our cookie policy at the bottom of this page.
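As an added example (not part of the original page), the cookie categories described above applied to the Set-Cookie headers a browser receives: a cookie without Expires or Max-Age is a session cookie, one with either attribute is persistent and can track across visits, and a cookie whose effective domain does not cover the visited site is third-party. The header values and host names are constructed for this example, and the first-party check is a simplification that ignores the Public Suffix List.

```python
def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def classify_cookie(header: str, setter_host: str, site_host: str) -> dict:
    """Classify a cookie set by `setter_host` while the user is visiting `site_host`."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    # No Expires / Max-Age: the cookie disappears when the browsing session ends.
    persistent = "expires" in attrs or "max-age" in attrs
    # Without a Domain attribute the cookie belongs to the host that set it.
    domain = attrs.get("domain", setter_host).lstrip(".").lower()
    site = site_host.lower()
    # First-party if the effective domain is the visited host or one of its parents
    # (simplified: no Public Suffix List check).
    first_party = site == domain or site.endswith("." + domain)
    return {"name": cookie["name"], "persistent": persistent, "first_party": first_party}


def third_party_trackers(responses: list[tuple[str, str]], site_host: str) -> list[str]:
    """Names of persistent cookies set by hosts other than the visited site."""
    return [
        c["name"]
        for c in (classify_cookie(hdr, setter, site_host) for setter, hdr in responses)
        if c["persistent"] and not c["first_party"]
    ]


# Constructed sample: two responses from the visited site and two from an ad network
# embedded in its pages.
SAMPLE = [
    ("www.example.org", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.org", "prefs=dark; Max-Age=31536000; Domain=example.org"),
    ("ads.tracker.example", "uid=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.tracker.example"),
    ("ads.tracker.example", "tmp=1; Path=/"),
]
```

Running `third_party_trackers(SAMPLE, "www.example.org")` singles out the persistent `uid` cookie from the ad network, which is the kind of cookie the entry above flags as a concern.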