WHAT problem hum solve kar rahe hain? Ek program ek aisi machine hai jo input ko action mein badalta hai. Agar attacker input control kare, toh woh action ko apni marzi se steer kar sakta hai. Application security ka poora field usi boundary par ek war hai: woh jagah jahan untrusted data, trusted code se milta hai.
WHY yeh matter karta hai: Ek akela unvalidated field tumhara poora database leak kar sakta hai (SQL injection), victim ke browser mein code run kar sakta hai (XSS), ya kisi logged-out user ko admin ka data delete karne de sakta hai (broken access control). OWASP Top 10 bas us boundary ko cross karne ke tarike ki frequency-ranked list hai.
HOW sahi tarike se karo (teen layers, strength ke order mein):
Allowlist validation (best): sirf wahi accept karo jo known-good pattern se match kare.
WHY strongest? Tum good ke chhote set ko enumerate karte ho, na ki bad ke infinite set ko.
Contextual output encoding / escaping: jab data kisi interpreter tak pahunchna hi ho, toh use usi specific context ke liye encode karo (HTML body ≠ HTML attribute ≠ SQL ≠ shell).
Parameterized queries / prepared statements: code aur data ko structurally alag rakho taaki data kabhi code nahi ban sake.
WHY order matter karta hai: Authorize karne se pehle authenticate karna zaroori hai — tum yeh decide nahi kar sakte ki kisi ko kya karne di permission hai jab tak tum jaano nahi ki woh kaun hai. (Anonymous/public access bas woh AuthZ hai jahan subject = "anonymous" hai.)
Recall Feynman: 12-saal ke bachche ko explain karo
Socho tumhara app ek clubhouse hai. Authentication darwaze par woh secret handshake hai jo prove karta hai ki tum sach mein tum hi ho. Authorization woh rule hai ki tumhari wristband ka colour tumhe kaun se rooms mein jaane deta hai. Input validation woh bouncer hai jo check karta hai ki log jo kuch use de rahe hain woh ek ticket hai, na ki koi chalaak chit jo kehti hai "sabko free mein andar aane do." Zyada tar break-ins isliye hote hain kyunki kisine chalaak chit ko real instruction ki tarah act karne diya, ya green wristband wale ko gold room mein jaane diya. Toh: handshake check karo, har room ke liye wristband check karo, aur chit par kabhi trust mat karo.
Ek community-maintained, frequency/evidence-ranked list hai jo sabse critical web application security risks ki hai (awareness guidance, checklist nahi).
Authentication vs Authorization ek-ek line mein?
AuthN = prove karna ki tum kaun ho (identity); AuthZ = decide karna ki tumhe kya karne ki permission hai (permissions).
AuthN aur AuthZ mein se pehle kaun hona chahiye, aur kyun?
AuthN pehle — tum yeh decide nahi kar sakte ki subject kya kar sakta hai jab tak tum jaano nahi ki subject kaun hai.
Allowlisting ke comparison mein blocklisting input kyun weak hai?
Blocklist ko bad inputs ka infinite set enumerate karna padta hai (encodings, alternates use karke bypass ho jaata hai); allowlist known-good ka chhota set enumerate karta hai aur baaki sab reject karta hai.
Parameterized queries SQL injection ko structurally kyun rokti hain?
Query template akele parse hoti hai, parse tree fix ho jaata hai; user input sirf ek leaf value se bind hoti hai aur kabhi koi syntax node add nahi kar sakti.
IDOR kya hai aur kaun si OWASP category hai?
Insecure Direct Object Reference — ID change karke doosre user ke object tak access karna; yeh Broken Access Control (A01) hai.
Password mein salt + slow-hash kyun?
Salt identical passwords ko uniquely hash karta hai (rainbow tables defeat hoti hain); tunable slow hash (bcrypt/argon2) brute force ko economically infeasible bana deta hai.
Woh ek principle kaun sa hai jo zyatar injection AUR XSS ko rokta hai?
Kabhi untrusted data ko code ki tarah interpret mat hone do — input validate karo aur output ko uske exact destination context ke liye encode karo.