Additional information (se)

Secure coding

Writing source code for applications, APIs, websites and programs should always happen with the utmost attention to security: hackers can use all kinds of scripting practices to deploy malicious code, steal user information or cookies, redirect to malicious web sources, etc. Some examples of vulnerabilities are the use of third-party includes, insufficient user-input validation, lack of security headers like Content-Type and X-Content-Type-Options, no Content Security Policy (CSP), unnecessary use of globals, overcomplicated designs, no data encryption, etc.

There are some essential "to-do's", like educating yourself continuously and using code scanners and well-known libraries and includes.
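The response headers named above (Content-Type, X-Content-Type-Options and a Content Security Policy) are easy to forget on individual endpoints, so they are best applied in one place. The following added example (not code from the original page) is a small WSGI middleware plus a checker that reports which of those headers a response is missing; the CSP value and the demo application are constructed samples, and the middleware class is hypothetical.

```python
"""Added example (not from the original page): a minimal WSGI middleware that
adds the response headers the section names (Content-Type, X-Content-Type-Options,
Content-Security-Policy) and a checker that reports which of them are missing.
The header values are constructed sample policies, not a recommendation for any
specific site."""

# Defensive defaults. The CSP below is a constructed restrictive example; a real
# policy depends on where the site loads scripts, styles and frames from.
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'",
}

REQUIRED_HEADERS = ("Content-Type", "X-Content-Type-Options", "Content-Security-Policy")


def missing_security_headers(headers):
    """Return the names of required headers absent from a list of (name, value) pairs.
    Header names are compared case-insensitively, as HTTP requires."""
    present = {name.lower() for name, _ in headers}
    return [name for name in REQUIRED_HEADERS if name.lower() not in present]


def harden_headers(headers):
    """Return a new header list with the security headers added where missing.
    Values already set by the application are kept (it may have a stricter CSP)."""
    present = {name.lower() for name, _ in headers}
    hardened = list(headers)
    if "content-type" not in present:
        # An explicit charset keeps browsers from guessing the encoding.
        hardened.append(("Content-Type", "text/html; charset=utf-8"))
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:
            hardened.append((name, value))
    return hardened


class SecurityHeadersMiddleware:
    """Hypothetical WSGI middleware: wraps start_response so every response's
    header list passes through harden_headers() before it is sent."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, harden_headers(headers), exc_info)
        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    # Constructed sample application that sets no security headers at all.
    start_response("200 OK", [])
    return [b"<h1>hello</h1>"]


def run_demo():
    """Drive the wrapped app with a fake WSGI environ; return (headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
        return lambda data: None

    app = SecurityHeadersMiddleware(demo_app)
    body = b"".join(app({"REQUEST_METHOD": "GET"}, start_response))
    return captured["headers"], body


if __name__ == "__main__":
    headers, _ = run_demo()
    for name, value in headers:
        print(f"{name}: {value}")
    print("missing:", missing_security_headers(headers))
```

The checker is the part worth wiring into tests or a deployment smoke check: running `missing_security_headers()` against real responses catches endpoints that bypass the middleware.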

SSI / Server-side injections (dynamic injection)

Server-Side Include (SSI) injection vulnerabilities can be exploited by hackers when user-supplied data is passed into Server-Side Include (SSI) directives. When the input is not sufficiently validated, an attacker can modify or inject directives to carry out malicious actions. These vulnerabilities can typically be exploited to inject arbitrary content, e.g. JavaScript, into the application's response, with the same impact as cross-site scripting. It may also be possible to read protected files or execute malicious code on the server.
As with many vulnerabilities, input sanitization and validation help against these types of attacks.
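The sanitization step above comes down to one property: user data placed into an SSI-processed page must never be able to form the `<!--#` opener that every SSI directive starts with. The following added example (not code from the original page) shows HTML-escaping user input before substitution into a constructed SSI template, and a separate detector that flags inputs containing directive syntax so they can be logged; the template, sample inputs and function names are constructed for illustration.

```python
"""Added example (not part of the original page): input handling for a page that
is processed by a Server-Side Include engine. HTML-escaping user data before it is
placed into the SSI-processed template means the '<!--#' opener that every SSI
directive needs can never be formed from user input; a second helper flags inputs
that look like directives so they can be logged. Sample inputs are constructed."""
import html
import re

# SSI directives start with '<!--#', a directive name, and end with '-->'.
# The pattern is used only to recognise such input for logging, not to filter it:
# escaping is the actual protection.
SSI_DIRECTIVE = re.compile(r"<!--#\s*([a-z]+)\b.*?-->", re.IGNORECASE | re.DOTALL)


def looks_like_ssi_directive(value):
    """Return the directive name if the input contains an SSI directive, else None."""
    m = SSI_DIRECTIVE.search(value)
    return m.group(1).lower() if m else None


def sanitize_for_ssi_page(value):
    """Escape user data so it renders as text and cannot become a directive.
    html.escape() converts '<', '>', '&' and quotes; afterwards no '<!--#'
    sequence can survive, so the SSI engine sees only literal text."""
    return html.escape(value, quote=True)


def render_greeting(template, name):
    """Constructed template step: substitute the escaped name into an SSI page
    template. (A real deployment would hand the result to the SSI engine.)"""
    return template.replace("{{name}}", sanitize_for_ssi_page(name))


# Constructed template with one legitimate, server-authored directive.
TEMPLATE = '<!--#echo var="DATE_LOCAL" --> Hello {{name}}!'


def demo(name):
    """Return (flagged_directive_or_None, rendered_page) for one user-supplied name."""
    return looks_like_ssi_directive(name), render_greeting(TEMPLATE, name)


if __name__ == "__main__":
    for sample in ["Alice", '<!--#echo var="DOCUMENT_NAME" -->']:
        print(demo(sample))
```

The point of keeping detection and escaping separate is that a blocklist regex is easy to bypass and should only feed alerting; the escaping is what prevents the user's text from being interpreted as a directive, and it applies to every input regardless of whether it looked suspicious.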

Session hijacking, session disruption, session fixation

These types of attacks typically target a user's authenticated (logged-in) session to get access to files and traffic. Session hijacking and session disruption happen after the user has logged in to the application, network or website; session fixation uses the session identifier to direct the user into a specific session that the attacker already owns. Depending on the motive of the attacker, anything can happen during a session takeover.
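The server-side countermeasures for all three attacks fit in a small session store: only server-issued identifiers are accepted (so a pre-chosen identifier cannot be fixed on a victim), the identifier is rotated at login (so anything observed or planted before authentication is worthless afterwards), idle sessions expire, and the cookie carries HttpOnly, Secure and SameSite. The following added example (not code from the original page) implements that store; the class, timeouts, cookie name and sample user are constructed for illustration.

```python
"""Added example (not part of the original page): a small server-side session
store, constructed for illustration, applying the standard mitigations for the
attacks above. Session IDs are generated server-side and only IDs the server
issued are accepted (fixation); the ID is rotated on login so a pre-login ID is
worthless afterwards (fixation); idle sessions expire (limits hijacking); and
the cookie carries HttpOnly/Secure/SameSite so scripts and cross-site requests
cannot read or replay it as easily (hijacking). Names are hypothetical."""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout=900):
        self._sessions = {}          # session_id -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout

    def _new_id(self):
        # 32 random bytes from the OS CSPRNG: unguessable, not derived from user data.
        return secrets.token_urlsafe(32)

    def resolve(self, client_supplied_id, now=None):
        """Map a cookie value to a session. Unknown or expired IDs are rejected, so an
        attacker cannot make the server adopt an ID of their own choosing."""
        now = time.time() if now is None else now
        session = self._sessions.get(client_supplied_id)
        if session is None:
            return None
        if now - session["last_seen"] > self.idle_timeout:
            del self._sessions[client_supplied_id]   # idle session is ended server-side
            return None
        session["last_seen"] = now
        return session

    def create(self, now=None):
        """Start an anonymous (pre-login) session."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": time.time() if now is None else now}
        return sid

    def login(self, old_sid, user, now=None):
        """Authenticate: issue a fresh ID and drop the old one, so an ID observed or
        planted before authentication never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": time.time() if now is None else now}
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid, name="sid"):
    """Set-Cookie value with the attributes that limit theft and cross-site replay."""
    return f"{name}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo():
    """Walk through create -> login and report what the store accepts afterwards."""
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    return {
        "rotated": anon != authed,
        "old_rejected": store.resolve(anon) is None,
        "new_user": store.resolve(authed)["user"],
        "planted_rejected": store.resolve("attacker-chosen-value") is None,
        "cookie": session_cookie(authed),
    }


if __name__ == "__main__":
    print(demo())
```

Rotation belongs at every privilege change, not only at login: the same `login()` pattern applies when a user re-authenticates or escalates, and `logout()` must remove the server-side record rather than only clearing the cookie, since a stolen identifier would otherwise remain valid.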

Social (and other) things: