The dangers of badly formed websites

How do you steal 210,000 customer account records from Citigroup without hacking? Apparently, it is as simple as changing a URL parameter. That is how attackers took account information from Citigroup in May 2011 [1]. They found that if they changed the series of numbers in a URL parameter from within the bank's online banking site, the web application never checked that the requested account actually belonged to the logged-in customer. Instead, it obligingly served up another customer's details: a textbook insecure direct object reference. Having found the flaw, the criminals wrote a script to automate the number-changing process, walking through the account identifiers and harvesting whatever came back.

Website security has been a problem ever since the web began. Although many of the vulnerabilities, such as SQL injection or Cross-Site Scripting (XSS), are well understood, they continue to be an issue. Part of the problem is poor security awareness among developers and an emphasis on functionality rather than security. The issue is becoming more complex and difficult to address as new technologies emerge that, while bringing benefits in functionality and performance, also create new vulnerabilities. Danny Bradbury examines why we still have insecure websites and asks what can be done about it.
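To make the Citigroup flaw concrete, here is an added example (not code from the article, and not Citigroup's application, whose implementation is not described on the page) of a vulnerable account lookup beside an authorization-checked one, together with the kind of enumeration loop an attacker would script. The account data, the `acct` query parameter and all function names are constructed for illustration. The vulnerable handler trusts the identifier in the URL; the hardened handler binds the requested object to the session user, which is the check that was missing.

```python
"""Insecure direct object reference (IDOR) demo.

Constructed example: a vulnerable account lookup that trusts the URL
parameter, a hardened lookup that ties the record to the session user,
and the attacker's enumeration loop run against both.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str      # username of the customer who owns the account
    balance: float


# Constructed sample data standing in for the bank's account store.
ACCOUNTS: Dict[int, Account] = {
    1001: Account(1001, "alice", 2500.00),
    1002: Account(1002, "bob", 130.50),
    1003: Account(1003, "carol", 99000.00),
}


class Forbidden(Exception):
    """Raised when the session user may not view the requested account."""


def parse_account_id(query: Dict[str, str]) -> int:
    """Extract the (hypothetical) 'acct' parameter from an already-parsed
    query string, accepting only a plain positive integer."""
    raw = query.get("acct", "")
    if not raw.isdigit():
        raise ValueError("acct must be a positive integer")
    return int(raw)


def vulnerable_lookup(session_user: str, query: Dict[str, str]) -> Optional[Account]:
    """Vulnerable: the session user is authenticated but never consulted,
    so any logged-in customer can read any account id they type in."""
    acct_id = parse_account_id(query)
    return ACCOUNTS.get(acct_id)


def hardened_lookup(session_user: str, query: Dict[str, str]) -> Account:
    """Hardened: the record must belong to the caller. Missing and foreign
    ids are treated identically so the endpoint cannot be used to confirm
    which identifiers exist."""
    acct_id = parse_account_id(query)
    account = ACCOUNTS.get(acct_id)
    if account is None or account.owner != session_user:
        raise Forbidden(f"{session_user} may not view account {acct_id}")
    return account


def access_allowed(session_user: str, acct_id: int) -> bool:
    """Convenience predicate over the hardened lookup."""
    try:
        hardened_lookup(session_user, {"acct": str(acct_id)})
        return True
    except Forbidden:
        return False


def enumerate_accounts(lookup: Callable[[str, Dict[str, str]], Optional[Account]],
                       session_user: str, start: int, stop: int) -> List[int]:
    """The attacker's automation: with one valid session, walk the id space
    and collect every account the endpoint hands back."""
    leaked: List[int] = []
    for acct_id in range(start, stop):
        try:
            acct = lookup(session_user, {"acct": str(acct_id)})
        except Forbidden:
            continue
        if acct is not None:
            leaked.append(acct.account_id)
    return leaked


if __name__ == "__main__":
    # Bob, a legitimate customer, scans ids 1000-1009 against both handlers.
    print("vulnerable:", enumerate_accounts(vulnerable_lookup, "bob", 1000, 1010))
    print("hardened:  ", enumerate_accounts(hardened_lookup, "bob", 1000, 1010))
```

Run against the vulnerable handler, Bob's single session leaks every account in the range; against the hardened handler he gets only his own. The point to carry into a code review is that authentication (is there a valid session?) and authorization (does this session own this object?) are separate checks, and the second must be made on every object reference a client can supply.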