Web Security Fundamentals

⚠️ Vulnerable Code Example

# VULNERABLE - Never use this!
# Python with string formatting (DANGEROUS)
query = f"SELECT * FROM users WHERE username = '{username}'"

# This allows attackers to inject malicious SQL:
# Input: ' OR '1'='1
# Result: SELECT * FROM users WHERE username = '' OR '1'='1'

✅ Secure Code Example

# SECURE - Using Parameterized Queries
# Python with SQLite
import sqlite3

def get_user_by_username(username):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()
    
    # Parameterized query - user input is treated as data, not code
    query = "SELECT * FROM users WHERE username = ?"
    cursor.execute(query, (username,))
    
    result = cursor.fetchone()
    conn.close()
    return result

# Even if attacker inputs: ' OR '1'='1
# It's treated as a literal string, not SQL code

# SECURE - Using an ORM (SQLAlchemy)
from sqlalchemy.orm import Session

def get_user_by_username(session: Session, username: string):
    # SQLAlchemy automatically parameterizes queries
    user = session.query(User).filter(
        User.username == username
    ).first()
    return user

Types of XSS

⚠️ Vulnerable Code

Welcome, 

✅ Secure Code

Welcome, 


Welcome, {{ name | escape }}


Welcome, {name}
{/* React automatically escapes content */}

// SECURE - JavaScript Context
// Use textContent instead of innerHTML
const userInput = '';
element.textContent = userInput; // Safe!

// AVOID: element.innerHTML = userInput; // Dangerous!

⚠️ How CSRF Works

# Attack Scenario:
# 1. User logs into bank.com and has valid session cookie
# 2. User visits attacker.com (in another tab)
# 3. attacker.com contains:


# 4. Browser sends the request WITH bank.com cookies
# 5. Bank processes the transfer thinking it's legitimate

✅ CSRF Defense Implementation

# Python/Flask - CSRF Token
from flask_wtf import FlaskForm
from wtforms import StringField, PasswordField
from wtforms.validators import DataRequired

class LoginForm(FlaskForm):
    username = StringField('Username', validators=[DataRequired()])
    password = PasswordField('Password', validators=[DataRequired()])

# In templates:

    {{ form.hidden_tag() }}  {# CSRF token #}
    {{ form.username() }}
    {{ form.password() }}
    Login

// JavaScript - Double Submit Cookie Pattern
// 1. Server sets CSRF cookie
document.cookie = "csrftoken=abc123; SameSite=Strict";

// 2. JavaScript reads cookie and adds to request
function makeRequest(url, data) {
    const csrfToken = getCookie('csrftoken');
    
    return fetch(url, {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'X-CSRF-Token': csrfToken
        },
        body: JSON.stringify(data)
    });
}

Validation Strategies

# Python - Input Validation Example
import re
from typing import Optional

def validate_email(email: str) -> bool:
    """Validate email format."""
    pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
    return bool(re.match(pattern, email))

def validate_username(username: str) -> Optional[str]:
    """Validate username and return error message if invalid."""
    if len(username) < 3:
        return "Username must be at least 3 characters"
    if len(username) > 20:
        return "Username must be at most 20 characters"
    if not re.match(r'^[a-zA-Z0-9_]+$', username):
        return "Username can only contain letters, numbers, and underscores"
    return None  # Valid

def sanitize_input(user_input: str) -> str:
    """Remove potentially dangerous characters."""
    # Remove null bytes
    sanitized = user_input.replace('\x00', '')
    # Strip leading/trailing whitespace
    sanitized = sanitized.strip()
    return sanitized