Detailed lexicon page for words beginning with: co


Coding standards

Coding standards and guidelines exist for every type of coding-language that you can use while building applications, programs and websites. Standards mostly exist for reasons of compatibility, debugging, maintainability, teamwork, product-quality, (webbrowser-)rendering of webpages, security etc. Not following guidelines often results in vulnerabilities, bad user-experience, accidents, financial losses and many other unpleasant surprises.

Some examples are: using self-documenting variable-names, indentation, error-return values, input-validation, a strong nonce-based Content Security Policy without unsafe directives like 'unsafe-inline', 'unsafe-hashes', 'unsafe-eval', data: etc. (even when CSP-validators recommend these directives), server-level security directives, well-documented non-generic source-code, small functions, clear meta-information about the author, date-created etc. and avoiding JavaScript as much as possible (= unsafe by design).

Next to all the guidelines, the developer himself also benefits from writing standard source-code without shorthands and abbreviations: it makes it easier for him and his colleagues to review the work, find bugs when they appear and reuse the source-code for other projects.

A relatively new phenomenon is using AI for coding-help. This can be very handy, but be very critical of the code it provides: AI-assistants do not focus on security-first and come with inline-scripts and inline-styles, insufficient input-validation, no mention of using a CSP, over-engineered complex solutions for relatively simple issues etc.

A webdeveloper has access to several online code-validators and other tools that supply him with information about his work and how to upgrade the quality of it. Not using these tools often results in bad search-engine results and negative user-experience.

In general you can say that what's widely known as best practices are not best practices at all, but just what everybody else does. Do not blindly copy-paste code that you can find on the web, do not use frameworks and third-party code that make a strong CSP impossible to implement and do not trust AI-code by default.

 

Code injection

Code injection is a generic term for any type of attack that involves an injection of code. It typically consists of entering invalid data into an input-field in an application or website that does not validate and sanitise user-input directly. The goal is to compromise the original code to make the application or website behave in a different way, which can then lead to security breaches.
This is one of the most popular injection-attacks.

A developer always needs to write code that checks every user-input against a required format and length, like a numeric field that can only accept numeric values, or an e-mail field that checks whether a given e-mail address has the right format: "something@example.com".
An often used type of (wrong) input-validation with PHP is:
if (isset($_POST['userinput'])) {
    $userinput = $_POST['userinput'];
    validate($userinput);
}

Question: Why is this wrong?
Answer: Because you assign unvalidated user-input directly to a variable.

The right way to do this is:
if (isset($_POST['userinput'])) {
    $userinput = validate($_POST['userinput']);
}

Here the function "validate" checks the user-input and returns an error when the input is not as expected, instead of sanitizing the input and using the sanitized data. Only sanitize and use data that is validated and safe to process, else: give the input back with an error-message.
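One possible shape for such a validating function, as an added example that is not the author's own code. It assumes PHP 8; the name validate_field, the field names "age" and "email", the length limits and the result array are hypothetical and chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example (PHP 8+). Field names and limits are assumptions for illustration.
// Every rule checks length and format; nothing is repaired or sanitised.
const RULES = [
    'age'   => ['max' => 3,   'check' => 'ctype_digit'],
    'email' => ['max' => 254, 'check' => 'is_valid_email'],
];

function is_valid_email(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Returns ['ok' => true, 'value' => string] when the input matches its rule,
 * or ['ok' => false, 'error' => string] so the form can be shown again.
 */
function validate_field(string $field, mixed $raw): array
{
    if (!array_key_exists($field, RULES)) {
        return ['ok' => false, 'error' => 'unknown field'];
    }
    // Arrays (userinput[]=x) and other non-strings are rejected outright.
    if (!is_string($raw)) {
        return ['ok' => false, 'error' => 'must be text'];
    }
    $rule = RULES[$field];
    if ($raw === '' || strlen($raw) > $rule['max']) {
        return ['ok' => false, 'error' => 'wrong length'];
    }
    if (!$rule['check']($raw)) {
        return ['ok' => false, 'error' => 'wrong format'];
    }
    return ['ok' => true, 'value' => $raw];
}

// Constructed sample input standing in for $_POST values.
$samples = [['age', '42'], ['age', ['42']], ['age', '4x'],
            ['email', 'something@example.com'], ['email', 'not-an-address']];
foreach ($samples as [$field, $raw]) {
    $result = validate_field($field, $raw);
    echo $field, ': ', $result['ok'] ? 'accepted' : $result['error'], PHP_EOL;
}
```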

 

Combo malware

See hybrid malware

 

Command injection

This is probably one of the most dangerous vulnerabilities that can happen in an application. Command injection (also known as shell injection) is a cyber attack that involves executing commands in a system shell or other parts of the environment to extend the functionality of an application, without needing to inject malicious code. Due to insufficient input validation an attacker could inject their own commands to be executed at the shell level.

With this type of attack a hacker is able to leverage an OS-command injection vulnerability to compromise the hosting infrastructure, exploiting trust relationships to extend the attack to other systems within the network.

Protection: if you really need user input in system commands, implement strong input validation before passing it on. You can use an allowlist of strings or regular expressions, strict type-checking (===), built-in functions like ctype_alnum and htmlspecialchars etc. Next to that you can deploy a web application firewall (WAF) to help filter out suspicious user input. You should also run your application with only the privileges it needs to complete its task: when an application requires only read access to a file, it shouldn't have write or execute permissions in the first place.
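The allowlist, strict comparison and ctype_alnum checks described above, as an added example that is not the author's own code. It assumes PHP 8; the action names, the commands and BASE_DIR are hypothetical, and it goes one step beyond the text by starting the process without a shell (array form of proc_open).

```php
<?php
declare(strict_types=1);

// Added example (PHP 8+). Action names, commands and BASE_DIR are assumptions.
// The user only picks a key; the command itself never comes from user input.
const ALLOWED_ACTIONS = ['count' => ['wc', '-l'], 'list' => ['ls', '-l']];
const BASE_DIR = '/var/www/uploads';

/** Returns the argument vector to run, or null when the input is rejected. */
function build_argv(mixed $action, mixed $file): ?array
{
    if (!is_string($action) || !is_string($file)) {
        return null;
    }
    // Strict comparison (third argument true) against the allowlist.
    if (!in_array($action, array_keys(ALLOWED_ACTIONS), true)) {
        return null;
    }
    // Letters and digits only, bounded length: no dots, slashes, spaces,
    // quotes or shell metacharacters get through. Empty strings fail too.
    if (strlen($file) > 32 || !ctype_alnum($file)) {
        return null;
    }
    return array_merge(ALLOWED_ACTIONS[$action], ['--', BASE_DIR . '/' . $file]);
}

/** Runs an accepted argument vector directly, without a shell (PHP 7.4+). */
function run_without_shell(array $argv): string
{
    $pipes = [];
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $process = proc_open($argv, $spec, $pipes);
    if (!is_resource($process)) {
        throw new RuntimeException('could not start process');
    }
    $output = (string) stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($process);
    return $output;
}

// Constructed inputs: one accepted request and three rejected ones.
$requests = [['count', 'report2024'], ['count', 'report 2024;more'],
             ['delete', 'report2024'], ['list', ['report2024']]];
foreach ($requests as [$action, $file]) {
    $argv = build_argv($action, $file);
    echo json_encode([$action, $file]), ' => ',
         $argv === null ? 'rejected' : implode(' ', $argv), PHP_EOL;
}
```

Only an argument vector returned by build_argv should ever be handed to run_without_shell; the demo loop prints the decision and does not start a process.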

 

Comment spam

A type of spam that we can encounter everywhere on the internet. It comes in many forms like posting irrelevant or disrespectful articles, comments and remarks on forums, blogs, social media, newsgroups etc. It also includes trolling behaviour, use of a fake identity and astroturfing (to hide the true intent, like political or religious ideals). Often the comment or post contains a link to another website.

For web-developers comment-spam is a bad thing: it can bring your SEO-score down or even make your domain be marked by search engines as dangerous. There are many ways to limit comment-spam, like plugins, turning off user-website information, disabling usage of HTML-tags etc.

 

Compiled virus

A compiled virus is a compiler-converted program that can be directly executed by an operating system. It is mostly memory-resident (especially boot-sector viruses) and therefore capable of infecting every program that's being run on the (local) machine, next to already existing files.

We can classify this type of virus into: file-infecting viruses, boot-sector viruses and multipartite viruses. Compiled viruses interfere with normal machine operations more frequently than non-memory-resident viruses.

 

Compromised-key attack / Key Compromised Impersonation (KCI)

Modern cryptographic algorithms, when implemented correctly, are highly resistant to attack; their only weak point is the key.
A compromised-key attack is an attack in which an intruder knows the key that is used to encrypt and decrypt data sent over a network. This key corresponds to the certificate associated with the server. The attacker interferes with the connection initialization and forces the client to use an insecure handshake with client authentication, requesting the previously installed certificate from the system. The attacker can also try to use the compromised key to compute additional keys, which might allow access to other secured communications as well. A single compromised key could lead to a massive data breach.

There are three primary types of keys that need to be kept safe and secure: symmetric keys, private keys and hash keys. There are two sensitive keys in use in the public key infrastructure (PKI): the private key that each certificate holder has and the session key that is used after a successful identification and session key exchange.

Although obtaining a key is a difficult and resource-intensive process for an attacker, it still is possible to do.

 

Configuration File Sniffing (CFS)

See Sniffing attacks

 

<contact-form>

HTDML-tag as mentioned in the HTDML-custom-tag-table and the custom-tagtable-stylesheet.

I made this tag mainly for semantic reasons and a little bit of optional styling. You can wrap it around an HTML-<form> and for example give it an extra border to create depth or whatever effect you want, like the <card-tag>. The whole idea is that you clearly state in the tag itself what kind of form it is, this is the semantic meaning.

Everybody knows what contact-forms are for so I'll just put the code here:
<contact-form>
    <form id="contactform" method="post" action="basecontact.php">
        <center-tag>
            <textarea id="contactarea" name="contactarea" placeholder="Type your message"></textarea><br>
            <input type="submit" name="submitnotes" form="contactform" value="To send or not to send" class="realbutton">
        </center-tag>
    </form>
</contact-form>
If you want to see the form itself, have a look at the contact page
(by the way: it's a fake form, I don't do contact forms, I don't really like user-input on my websites, there are enough social buttons in the footer for that).
 

Content Management System (CMS)

A Content Management System is an application that webdevelopers can use to build a fully functional website. It typically contains functionalities like allowing visitors to comment on a (blog)post, to like a blogpost etc. But for webdevelopers it also often contains many handy tools like easy image-including, font-management etc. Well-known CMSs are WordPress, Joomla and Drupal.

When a certain functionality is wanted by the webdeveloper and not available as standard, he can sometimes install a (third-party) plugin to add this to his website. This is easy because the website-developer doesn't have to write all the source-code himself and, just like the CMS itself, the plugin is mostly well-maintained and safe to use (always check this!).

Risks: not all CMS-plugins are regularly maintained and updated. This is where hackers may be able to find vulnerabilities and, without knowing it, the webdeveloper publishes a dangerous script. Therefore: webdevelopers always need to make 100% sure that the CMS and the plugins they use are safe and regularly updated (which is not always the case).

 

Conversation eavesdropping

Conversation eavesdropping is a type of network attack where an intruder secretly and explicitly reads (text / e-mail) messages sent between devices. The attacker typically does not want to get noticed, so he keeps as low a profile as possible and doesn't change anything in the devices' file-systems. This way the intruder can learn about you or your organization and use this information to find ways to do harm.

 

Cookies

A cookie is more formally known as an HTTP cookie, a web cookie, an Internet cookie, or a browser cookie. Cookies are typically text files that can provide information about your browsing behavior. It's how you automatically get logged in on sites you've already visited for example. But on the other hand, cookies are part of the advertising ecosystem that knows which advertisements are most likely to draw your attention.

Session cookies stick around as long as you're browsing a site, tracking what you're doing but disappearing when you leave. Authentication cookies check whether you're logged into that site, and how you identify yourself when you do log in. Tracking cookies stay on your computer to gradually build a record of your interactions with a given site. First-party cookies are placed by the site itself, typically for its own use. Third-party tracking cookies can cause security concerns, since they make it easier for parties you can't identify to watch where you are going and what you are doing online. They might be placed by an advertising network that can watch you on multiple sites and build a rich profile of you. Supercookies aren't stored on your device: they're inserted at the network level by your service provider. An evercookie is a JavaScript application programming interface (API) that identifies and reproduces intentionally deleted cookies on your browser. A zombie cookie is a cookie that recreates itself after being deleted, making zombie cookies tough to manage.

Under normal circumstances, cookies cannot transfer viruses or malware to your computer: because the data in a cookie doesn't change, it has no way to affect how your computer runs. However, some viruses and malware may be disguised as cookies. For instance: supercookies can be a potential security concern, and many browsers offer a way to block them.

 
 
