I still remember the first time I was exposed to the topic of web application security, although I did not realize the impact at that time. Back around 1997, I was creating web applications (or, rather, websites, back then), but hosting services were really expensive. For one of my projects, the only option I could afford was one where I was allowed to create just one page (!), and I had to use the hosting provider’s tooling for that—no custom HTML or CSS was possible. I had plenty of free space available on a free hosting service but could not use my own domain there; rather, I used something like http://home.someprovider.com/mysite.
One of the very few features available to me was to set the keywords of the page (back in the day, search engines actually parsed that information). If I was using “web application security, hacking,” for instance, this would be turned into the following HTML markup:
<meta name="keywords" content="web application security, hacking">
"><meta http-equiv="refresh" content="0; url=http://home.someprovider.com/mysite"><"
It turned out that the provider was putting this data verbatim into the <meta> tag, leading to this result (formatted for legibility, with my input in bold):
<meta name="keywords" content=""> <meta http-equiv="refresh" content="0; url=http://home.someprovider.com/mysite"> <"">