By Ryan McBridein
cybersecurity
·

Never Trust User Input

Never Trust User Input

Why Your Apps Keep Getting Hacked (And How to Stop It)

Imagine you just built a really cool app or website. You test it, it works perfectly, and you put it on the internet. But almost immediately, someone breaks into it. How?

In cybersecurity, the absolute #1 rule of writing software is this: Never trust user input.

Whether you’re just browsing the web or dreaming of becoming a software developer, understanding how hackers abuse trust is the key to staying safe. Here is a breakdown of the most common ways bad guys trick our software, and how the pros stop them.

The Web is Full of Liars (Phishing & XSS)
Websites are built using a language called HTML, which uses "tags" to tell your browser what to do. The problem? HTML is incredibly easy to manipulate.

For example, a hacker can easily write a line of HTML that displays the text "Harvard.edu" on your screen, but actually links you to a fake website designed to steal your passwords. This is classic phishing. As a user, your best defense is simply hovering your mouse over a link before you click to see where it actually goes.

But it gets worse. Websites often take what you type (like a search query or a comment) and display it on the screen. If a website isn't careful, a hacker can type malicious computer code (like JavaScript) into a comment box instead of normal words. When you load that page, your browser runs that malicious code, thinking it's part of the website. This is called Cross-Site Scripting (XSS), and hackers use it to steal your login cookies.

The Fix: Developers have to "escape" characters. This means telling the server to convert dangerous symbols (like < and >) into harmless text so the browser just reads it as words, not as executable code.

Tricking the Database (SQL Injection)
Most websites use a language called SQL to talk to their databases (where all the passwords and user data live).

Let’s say a website asks for your username. Instead of typing "John", a hacker might type some clever punctuation, like a single quote and a semicolon (';), followed by a command that says "DELETE EVERYTHING."

If the website blindly trusts what the hacker typed, it accidentally glues the hacker's text directly into its own database commands. Suddenly, the database thinks the hacker's text is an official command, and it deletes all the data. Or worse, the hacker types a math equation that is always true (like 1=1), confusing the database into letting them log in without a password. This is an SQL Injection.

The Fix: Developers use "prepared statements." This forces the database to treat whatever the user types strictly as data, never as a command.

The Sneaky Shopper (CSRF)
Imagine you are logged into Amazon in one tab, and you open a sketchy meme website in another tab.

That meme website could have hidden code that sends a message to Amazon saying, "Buy this $1,000 TV." Because you are currently logged into Amazon, Amazon sees the request coming from your browser and assumes you clicked the button. This is called a Cross-Site Request Forgery (CSRF).

The Fix: Websites use "CSRF Tokens." These are secret, randomized codes that the real website gives your browser. If a request doesn't have that exact secret code attached to it, the server rejects it. Since the sketchy meme site doesn't know your secret code, its fake request fails.

Overflowing the Cup (Buffer Overflows)
What about desktop apps or mobile games? They have vulnerabilities too, primarily through computer memory.

Think of a computer's memory like a cup meant to hold a specific amount of water. If a program asks you for your 10-letter name, it sets aside a tiny "buffer" (or box) in the computer's memory for 10 letters.

But what if a hacker types in 10,000 letters? If the programmer didn't set a limit, that data overflows the box and spills into the rest of the computer’s memory. Hackers use this spill to overwrite the program's actual instructions. They can hijack the app, forcing it to run their own malicious code instead of the original game or app.

So, How Do We Actually Stay Safe?

If you are just using software, the best thing you can do is stick to official App Stores (like Apple's or Google's). These stores use digital signatures—think of them like a cryptographic wax seal. Before an app goes on your phone, Apple or Google checks the seal to ensure the app hasn't been tampered with by a hacker.

If you want to build software, remember that users will try to break your stuff.

  • Never trust the client: Even if you make a button "unclickable" on your website, a hacker can use browser developer tools to click it anyway. Always double-check user actions on your secure server.

  • Embrace the community: Many companies use "Bug Bounties," where they literally pay good hackers thousands of dollars to find these flaws before the bad guys do.

The internet is basically a giant battlefield of people trying to inject code where it doesn't belong. But by forcing data to act like data—and keeping a healthy dose of paranoia about anything a user types—we can keep our apps locked down.