Learning to code using bad web tutorials may be the reason for most security vulnerabilities

German cybersecurity researchers have found that many security vulnerabilities in websites may in fact stem from people learning to code from popular online tutorials that are riddled with mistakes.

Computer scientists from Saarland University, the Technical University of Braunschweig, the Technical University of Berlin and the cybersecurity firm Trend Micro analysed thousands of PHP projects on GitHub and cross-referenced the code against popular coding tutorials that rank at the top of Google search results.

Most popular online tutorials focus on teaching new coders how to perform a particular task: how to create a search form in PHP, how to accept user input from an HTML form or message box and output it in JavaScript, or how to start using an open source database management system such as MySQL.

These tutorials offer code examples that people can copy, but those examples often contain mistakes that make it possible for attackers to later perform a cross-site scripting (XSS) or SQL injection attack against the resulting websites and steal users' sensitive data.
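To make the article's point concrete, here is the "search form in PHP" task it mentions, written as an added example (not code from the article or from the paper it reports on): first in the form such tutorials typically show, then hardened against the SQL injection and XSS classes named above. The table and column names (products, name) are assumptions.

```php
<?php
// Added example, not taken from the article or the paper. Table/column names
// (products, name) are assumed for illustration.

// --- Pattern as commonly copied from tutorials: string-built SQL, raw echo ---
function search_unsafe(mysqli $db, string $term): string {
    // User input concatenated into the SQL text: SQL injection.
    $res = $db->query("SELECT name FROM products WHERE name LIKE '%$term%'");
    $html = '';
    while ($row = $res->fetch_assoc()) {
        // Database content written into HTML without encoding: stored XSS.
        $html .= '<li>' . $row['name'] . '</li>';
    }
    // Search term reflected into HTML and into a JavaScript string: reflected XSS.
    $html .= "<p>Results for: $term</p>";
    $html .= "<script>var lastQuery = '$term';</script>";
    return $html;
}

// --- Hardened version of the same task ---
function search_safe(PDO $db, string $term): string {
    // Bound parameter: the term is sent as data and cannot alter the query structure.
    $stmt = $db->prepare('SELECT name FROM products WHERE name LIKE :pattern');
    // Escape LIKE wildcards so a user-supplied % or _ is matched literally.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->execute([':pattern' => $pattern]);

    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // Encode for the HTML element context the value is placed into.
        $html .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    $html .= '<p>Results for: ' . htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
    // For the JavaScript context, emit a JSON literal with HTML-significant
    // characters hex-escaped so it cannot break out of the <script> element.
    $js = json_encode($term, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    $html .= "<script>var lastQuery = $js;</script>";
    return $html;
}
```

The hardened version assumes the PDO connection is opened with PDO::ATTR_EMULATE_PREPARES set to false so the database itself handles the parameter binding.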

The researchers checked the top five results for each of the three tutorial queries above and found that nine of the 15 results contained vulnerable code. They loaded 64,415 PHP codebases from GitHub into a database and then ran queries on an ordinary desktop PC to locate those code snippets.

“Developers routinely consult programming resources as software is written. Although formal documentation such as language and API reference manuals provide detailed guidance, tutorials on the Web are as easily available and are more succinct. The lure of quick actionable advice makes tutorials an appealing reference for developers,” the researchers conclude in their paper.
