How Websites Work

How websites work

When you visit a website, your browser (like Safari or Google Chrome) makes a request to a web server asking for information about the page you're visiting. It will respond with data that your browser uses to show you the page; a web server is just a dedicated computer somewhere else in the world that handles your requests.

There are two major components that make up a website:

  • Front End (Client-Side): The way your browser renders a website

  • Back End (Server-Side): A server that processes your request and returns a response

HTML

Websites are primarily created using:

  • HTML: To build websites and define their structure.

  • CSS: To make websites look pretty adding styling options

  • JavaScript: Implement complex features on pages using interactivity

HyperText Markup Language (HTML) is the language websites are written in. Elements (also known as tags) are the building blocks of HTML pages and tells browser how to display content.

JavaScript

JavaScript (JS) is one of the most popular coding languages in the world and allows pages to become interactive. JavaScript is used to control the functionality of web pages - without JavaScript, a page would not have interactive elements and would always be static.

Sensitive Data Exposure

Sensitive Data Exposure occurs when a website doesn't properly protect (or remove) sensitive clear-text information to the end-user; usually found in a site's frontend source code.

We now know that websites are built using many HTML elements (tags), all of which we can see simply by "viewing the page source". A website developer may have forgotten to remove login credentials, hidden links to private parts of the website or other sensitive data shown in HTML or JavaScript.

HTML Injection

HTML Injection is a vulnerability that occurs when unfiltered user input is displayed on the page. If a website fails to sanitize user input (filter any "malicious" text that a user inputs into a website), and that input is used on the page, an attacker can inject HTML code into a vulnerable website.

Database injection is where you can manipulate a database lookup query to log in as another user by controlling the input that's directly used in the query.

Last updated