Throughout my software development experience I have found the following common security pitfalls:
1. Relying on browser-side controls such as disabled, readonly or hidden HTML fields.
Some sites (for example spaces.live.com) keep the user name in a read-only text field. With Firebug or any other DOM editor, anyone can change that field before the form is submitted, and the server receives whatever value the client chose. Nothing the browser enforces can be trusted on the server: values the server depends on must come from the server side (for instance the identity from the session), or be re-validated on every request.
3. No server-side sanitizing and validation of content.
If you rely only on client-side checks, every field that reaches the server is attacker-controlled. Sooner or later someone will submit input that leads to SQL injection or another injection problem, and the loss can be substantial. Validate against an allow-list on the server, and pass data to the database through parameterized queries rather than string concatenation.
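Items 1 and 3 together, as an added example that is not part of the original post: the handler takes the user's identity from the server-side session, ignores the "username" field the form carries even though the page rendered it read-only, validates the remaining field against an allow-list and binds values as query parameters. The field names, the allow-list policy and the fake database driver are assumptions made for the example.

```javascript
// Added example (not from the original post): the server treats every posted
// field as attacker-controlled, takes the user's identity from the server-side
// session, validates the rest against an allow-list and binds values as query
// parameters. The field names, the regex policy and the fake DB are assumptions.

// Constructed stand-in for a database driver: it records the SQL text and the
// bound parameters instead of executing anything, so the example runs offline.
function makeFakeDb() {
  const log = [];
  return {
    query(sql, params) { log.push({ sql, params }); return { rowCount: 1 }; },
    log,
  };
}

// Allow-list for display names (assumed policy): letters, digits, space . _ -
const DISPLAY_NAME = /^[\p{L}\p{N} ._-]{1,40}$/u;

// Profile update. `session` is the server-side session record (assumed to carry
// the authenticated user's numeric id); `form` is the parsed POST body exactly
// as the client sent it, readonly/hidden fields included.
function updateProfile(db, session, form) {
  if (!session || typeof session.userId !== 'number') {
    return { status: 401, error: 'not authenticated' };
  }
  // Identity comes from the session. A "username" field in the form is ignored
  // even if the page rendered it readonly or hidden: the client can change it.
  const userId = session.userId;

  const displayName = typeof form.display_name === 'string' ? form.display_name.trim() : '';
  if (!DISPLAY_NAME.test(displayName)) {
    return { status: 400, error: 'display_name rejected by allow-list' };
  }

  // Parameterized query: the value is bound, never concatenated into the SQL.
  db.query('UPDATE users SET display_name = $1 WHERE id = $2', [displayName, userId]);
  return { status: 200, userId, displayName };
}
```

A tampered form that posts `username: 'admin'` changes nothing, because the handler never reads that field; an attempt such as `x'; DROP TABLE users;--` in the display name fails the allow-list before any query is issued, and even an accepted value reaches the database only as a bound parameter.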
4. If a button serves a single purpose, disable or hide it once its task has been performed.
Otherwise the user may click it again and trigger a second, unexpected request to the server (a duplicated order, payment or e-mail, for example). Disabling the button saves a server hit, but it is only a convenience: the client-side state can be bypassed, so the server must also recognize and reject the repeated submission. 🙂
5. If you manage your own sessions, every session must expire after a fixed lifetime, and once a session has expired its ID must be invalidated on the server.
Otherwise a user (or anyone who has obtained the ID) can keep presenting an old session ID to spam the application or act on the original user's behalf. Invalidate the ID on logout as well, and issue a fresh ID when the user logs in, so an ID that existed before authentication is never carried over.
6. Limit state-changing controller actions to “POST” only.
All form submissions and requests that change data should be accepted only over “POST”; requests that merely retrieve data use “GET”. A data-changing request that arrives over GET should be rejected rather than processed, since a GET can be triggered by a plain link or image tag and is routinely logged, cached and prefetched. Note that accepting only POST does not by itself stop cross-site request forgery; that needs a per-request token as well.
7. Releasing a product without proper security testing.
Test for every probable security pitfall and known development limitation, and verify the fixes, before opening the product to the public.
8. Synchronize the AJAX requests of each function.
Each function's requests should be serialized: for example, one pipe handles one function and another pipe handles another, so that when a user double-clicks a button or triggers the same function twice, the second request waits until the previous one has completed instead of running concurrently with it.
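The "one pipe per function" idea in client-side code, as an added example that is not part of the original post. Tasks queued on the same pipe run strictly one after another in submission order, while different pipes stay independent; a task signals completion through a `done` callback, which in a real page is called from the XHR/fetch completion handler (success and error paths alike). The API names are assumptions made for the example.

```javascript
// Added example (not from the original post): one "pipe" per function. Requests
// queued on the same pipe run one at a time in submission order; different pipes
// do not block each other. A task receives a `done` callback and calls it when
// its request has finished (in a real page, from the XHR/fetch completion
// handler). The API names are assumptions made for the example.
function createRequestPipes() {
  const pipes = new Map();   // name -> { running: boolean, waiting: task[] }

  function pipe(name) {
    if (!pipes.has(name)) pipes.set(name, { running: false, waiting: [] });
    return pipes.get(name);
  }

  // Start the next task on this pipe, or mark the pipe idle if none is waiting.
  function runNext(name) {
    const p = pipe(name);
    const task = p.waiting.shift();
    if (!task) { p.running = false; return; }
    p.running = true;

    let finished = false;
    const done = () => {        // ignore a second `done()` from a sloppy task
      if (finished) return;
      finished = true;
      runNext(name);
    };
    try {
      task(done);
    } catch (err) {
      done();                   // a task that throws must not wedge the pipe
      throw err;
    }
  }

  return {
    // Queue `task` on the pipe for `name`; it starts at once if the pipe is idle.
    // Returns how many tasks are still waiting behind the one that is running.
    enqueue(name, task) {
      const p = pipe(name);
      p.waiting.push(task);
      if (!p.running) runNext(name);
      return p.waiting.length;
    },
    isBusy(name) { return pipe(name).running; },
    pending(name) { return pipe(name).waiting.length; },
  };
}
```

A double-click on a Save button then queues two `save` tasks and the second is not sent until the first has finished, while a concurrent `load` proceeds on its own pipe. The ordering holds only if `done` is tied to the request's completion, including the error path; a task that never calls it blocks that pipe for good, which is why the throwing case is handled explicitly.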
That’s all for today 🙂