After completing my higher secondary education, I chose a different path. Instead of enrolling in a traditional college, I joined a practical learning program offered by a reputed software company. This program focused on real-world skills and was tailored for students like me, who came from rural backgrounds with limited exposure to technology.
Everyone in the batch was fresh out of school, with no prior experience in programming. We were all learning everything from scratch. When we were introduced to Java, basic web development, and application deployment using tools like Apache Tomcat, it felt like stepping into an entirely new world.
The Assignment That Changed Everything
A few weeks into the program, we were given an assignment: build a functional web application within two weeks using the concepts we had just learned. For most of us, this was our very first real project. The excitement of building something that actually worked was a huge milestone.
I completed my app within a week. With some time left before the deadline and a growing interest in web security, I started exploring the web apps built by my fellow students. What began as curiosity quickly turned into an eye-opening learning experience.
Discovery One: Automated Sign-Ups Due to Missing CAPTCHA
Most applications had basic validation for fields like name, email, and mobile number. However, none of them had implemented a CAPTCHA on the registration page. This meant there was no mechanism to stop automated sign-ups.
To test this, I wrote a simple shell script that would send repeated sign-up requests with random data. Within a few minutes, one of the apps had thousands of fake entries, and eventually, the machine ran out of disk space due to a flooded database.
Some of my classmates tried to replicate the same attack on my app, but they were unsuccessful. I had already implemented a CAPTCHA on the sign-up form, and their scripts were blocked. This was the first time I saw how even a basic security feature could protect a system from a simple attack.
Discovery Two: Brute Force Login Without Rate Limiting
The next common vulnerability I found was in the login functionality. Most apps allowed unlimited login attempts without any restrictions. There was no rate limiting, account lockout, or CAPTCHA after failed attempts.
I created a script to perform a brute force attack using a small dictionary of common passwords. In one case, I was able to gain access with around a 50 percent success rate. This clearly showed the risk of not having any kind of protection on login endpoints.
In my own app, I added an IP-based rate limiter. After five failed login attempts, the system would prompt the user to solve a CAPTCHA before trying again. This helped reduce the chances of a brute force attack being successful and was a simple yet effective security layer.
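The limiter described above, written out as an added example in plain Java (the stack the program taught); this is not the author's code, and it assumes that the real password check and the server-side CAPTCHA verification happen elsewhere and are passed in as booleans. The five-failure threshold is the post's figure; the 15-minute forgetting window is an assumption.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.LongSupplier;

/**
 * Per-IP failed-login counter that gates further attempts behind a CAPTCHA
 * once a client has failed MAX_FAILURES times inside a time window.
 * Added example; not the original application's code.
 */
public class LoginRateLimiter {
    /** Failures allowed before a CAPTCHA is demanded (the post's figure). */
    static final int MAX_FAILURES = 5;
    /** Window after which a quiet IP's counter is forgotten (assumed; the post gives none). */
    static final long WINDOW_MILLIS = 15L * 60 * 1000;

    public enum Outcome { SUCCESS, BAD_CREDENTIALS, CAPTCHA_REQUIRED }

    private static final class Counter {
        int failures;
        long firstFailureAt;
    }

    private final Map<String, Counter> counters = new HashMap<>();
    private final LongSupplier clock; // System::currentTimeMillis in production; fixed in the demo

    public LoginRateLimiter(LongSupplier clock) {
        this.clock = clock;
    }

    /** True when this IP has used up its quota and must solve a CAPTCHA first. */
    public synchronized boolean captchaRequired(String ip) {
        Counter c = counters.get(ip);
        if (c == null) {
            return false;
        }
        if (clock.getAsLong() - c.firstFailureAt > WINDOW_MILLIS) {
            counters.remove(ip); // window expired: start fresh
            return false;
        }
        return c.failures >= MAX_FAILURES;
    }

    /**
     * The login handler's decision, in the order a servlet would take it:
     * 1. if the IP is over quota and no CAPTCHA was solved, refuse before touching the password;
     * 2. on a correct password, clear the counter;
     * 3. on a wrong password, count the failure.
     *
     * @param captchaSolved    result of server-side CAPTCHA verification (assumed done elsewhere)
     * @param credentialsValid result of the real password check (assumed done elsewhere)
     */
    public synchronized Outcome attemptLogin(String ip, boolean captchaSolved, boolean credentialsValid) {
        if (captchaRequired(ip) && !captchaSolved) {
            return Outcome.CAPTCHA_REQUIRED;
        }
        if (credentialsValid) {
            counters.remove(ip);
            return Outcome.SUCCESS;
        }
        Counter c = counters.get(ip);
        if (c == null) {
            c = new Counter();
            c.firstFailureAt = clock.getAsLong();
            counters.put(ip, c);
        }
        c.failures++;
        return Outcome.BAD_CREDENTIALS;
    }

    /** Stand-alone demo: a run of wrong passwords from one constructed address. */
    public static void main(String[] args) {
        long[] now = {0L};
        LoginRateLimiter limiter = new LoginRateLimiter(() -> now[0]);
        String ip = "203.0.113.7"; // documentation-range address, constructed for the demo

        for (int i = 1; i <= 7; i++) {
            // attempts 1-5 print BAD_CREDENTIALS, 6 and 7 print CAPTCHA_REQUIRED
            System.out.println("attempt " + i + ": " + limiter.attemptLogin(ip, false, false));
        }
        // A genuine user who solves the CAPTCHA and knows the password gets through.
        System.out.println("with captcha, right password: " + limiter.attemptLogin(ip, true, true));
        // A different address is unaffected.
        System.out.println("other ip: " + limiter.attemptLogin("203.0.113.8", false, true));
        // Once the window has passed the old counter is discarded.
        now[0] += WINDOW_MILLIS + 1;
        System.out.println("after window: " + limiter.attemptLogin(ip, false, false));
    }
}
```

Two practical caveats on keying by IP: behind a reverse proxy the servlet must read the client address from a header it trusts (otherwise every attempt appears to come from the proxy), and many users can share one address through NAT, so a per-account counter alongside the per-IP one keeps one noisy neighbour from locking out a whole office. The map above also lives in a single JVM; a clustered Tomcat deployment would need the counters in a shared store.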
What I Learned
These early experiments taught me several important lessons:
- Security is not just about writing correct code. It is about thinking about how someone might misuse the system.
- Small security features like CAPTCHA and rate limiting can make a huge difference.
- Observing and learning from real issues around you can be just as valuable as following structured tutorials.
Most importantly, these experiences sparked my long-term interest in application security. They taught me how to think like both a developer and an attacker.
Final Thoughts
Building my first web application felt like a major accomplishment. But finding and fixing security flaws in real-world scenarios made the learning experience even deeper. Sometimes, we learn the most not by building perfect systems, but by understanding the flaws in imperfect ones.
In software development and security, being curious, observant, and proactive can set you apart. My journey into web security started with simple observations, a few shell scripts, and a desire to build better and safer systems. That journey is still ongoing, and every new challenge continues to teach me more.