Study Guide: Principles of Information Security: Web Application Attacks (OWASP Top 10 – SQL Injection, XSS, CSRF)
Source: https://www.fatskills.com/first-aid/chapter/information-security-web-application-attacks-owasp-top-10-sql-injection-xss-csrf

Principles of Information Security: Web Application Attacks (OWASP Top 10 – SQL Injection, XSS, CSRF)

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.




What This Is

Web application attacks exploit vulnerabilities in web-based software (e.g., e-commerce sites, banking portals, SaaS platforms) to steal data, hijack sessions, or execute malicious code. These attacks are among the most common and damaging in cybersecurity, often leading to data breaches, financial fraud, or full system compromise. For example:

  • SQL Injection (SQLi): In 2017, Equifax suffered a breach exposing 147 million records due to an unpatched Apache Struts vulnerability, which allowed SQLi attacks to extract sensitive data (SSNs, credit card numbers).
  • Cross-Site Scripting (XSS): In 2018, British Airways was hacked via an XSS attack, leading to the theft of 500,000 customers’ payment details and a £20M GDPR fine.
  • Cross-Site Request Forgery (CSRF): In 2016, uTorrent had a CSRF flaw that allowed attackers to execute arbitrary code on users’ machines by tricking them into clicking a malicious link.

Mastering these attacks is critical for certifications (CISSP, Security+, CEH) and real-world roles (penetration testing, secure coding, incident response).


Key Terms & Concepts

  • OWASP (Open Web Application Security Project): A nonprofit foundation that publishes the OWASP Top 10, a ranked list of the most critical web application security risks. Used as a baseline for secure coding (NIST SP 800-53, ISO 27001).

  • SQL Injection (SQLi): An attack where malicious SQL queries are injected into input fields (e.g., login forms, search boxes) to bypass authentication, dump databases, or execute OS commands. Example: ' OR '1'='1 in a login form.
    • Tools: sqlmap, Burp Suite, OWASP ZAP.
    • Standards: OWASP A1 (2021), MITRE ATT&CK T1190.

  • Cross-Site Scripting (XSS): A client-side attack where malicious JavaScript is injected into a web app and executed in a victim’s browser. Types:
    • Stored (Persistent) XSS: Malicious script is permanently stored on the server (e.g., in a database) and served to users (e.g., a malicious forum post).
    • Reflected XSS: Malicious script is embedded in a URL and executed when the victim clicks it (e.g., via a phishing email).
    • DOM-based XSS: The vulnerability exists in the client-side code (e.g., JavaScript manipulating the DOM).
    • Example: <script>alert('Hacked!')</script> in a comment field.
    • Tools: Burp Suite, XSS Hunter, BeEF (Browser Exploitation Framework).
    • Standards: OWASP A3 (2021), MITRE ATT&CK T1189.

  • Cross-Site Request Forgery (CSRF): An attack that tricks a logged-in user into submitting a malicious request (e.g., changing their password, transferring funds) without their knowledge. Relies on session cookies being automatically sent by the browser.
    • Example: A victim clicks a link like https://bank.com/transfer?to=attacker&amount=1000 while logged into their bank.
    • Defense: CSRF tokens (unique, unpredictable tokens per session).
    • Standards: OWASP A8 (2021), MITRE ATT&CK T1204.

  • Input Validation: The process of sanitizing and validating user input to prevent injection attacks. Techniques:
    • Whitelisting (allow only known-good input).
    • Blacklisting (block known-bad input; less secure).
    • Parameterized queries (for SQLi).
    • Output encoding (for XSS).

  • Same-Origin Policy (SOP): A browser security mechanism that restricts scripts from one origin (domain, protocol, port) from interacting with resources from another origin. CSRF and XSS bypass SOP.

  • Content Security Policy (CSP): An HTTP header (Content-Security-Policy) that restricts sources of executable scripts, mitigating XSS. Example: Content-Security-Policy: script-src 'self' https://trusted.cdn.com

  • HTTPOnly & Secure Flags:
    • HTTPOnly: Prevents JavaScript from accessing cookies (mitigates XSS cookie theft).
    • Secure: Ensures cookies are only sent over HTTPS (prevents MITM attacks).

  • Session Hijacking: Stealing or predicting a session token (e.g., via XSS or sniffing unencrypted traffic) to impersonate a user. Defenses:
    • Short session timeouts.
    • Regenerating session IDs after login.

  • OWASP Top 10 (2021): The latest ranking of web app risks (A1-A10). SQLi, XSS, and CSRF are historically top 3.
    • A1: Broken Access Control (e.g., IDOR).
    • A3: Injection (SQLi, NoSQLi, OS Command Injection).
    • A7: Identification and Authentication Failures (e.g., weak passwords).

  • MITRE ATT&CK Framework: A knowledge base of adversary tactics and techniques. Web app attacks fall under:
    • Initial Access (T1190 – Exploit Public-Facing Application).
    • Execution (T1203 – Exploitation for Client Execution).

  • Burp Suite / OWASP ZAP: Interception proxies used for manual and automated web app testing (e.g., fuzzing, scanning for SQLi/XSS).
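The CSRF defenses named above (a per-session unpredictable token, plus HttpOnly/Secure/SameSite cookie flags) as a worked server-side handler. This is an added example, not code from the guide; the session store, the SERVER_SECRET and the /transfer handler are hypothetical and constructed for illustration.

```python
import hmac
import hashlib
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side state, constructed for this example.
SERVER_SECRET = secrets.token_bytes(32)          # never leaves the server
SESSIONS = {"s3ss10n-alice": {"user": "alice", "balance": 5000}}

def csrf_token_for(session_id):
    # Synchronizer token bound to the session. A cross-site page can neither
    # read it (Same-Origin Policy) nor compute it (it lacks SERVER_SECRET).
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def session_cookie_header(session_id):
    # Layered cookie flags: HttpOnly (no script access), Secure (HTTPS only),
    # SameSite=Lax (the browser omits the cookie on cross-site POSTs).
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    return c.output(header="Set-Cookie:")

def handle_transfer(cookies, form):
    """Server-side handler for POST /transfer; returns (status, message)."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    # The browser attached the session cookie automatically, so the cookie
    # alone proves nothing about who built the request; the token does.
    expected = csrf_token_for(cookies["session"])
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "csrf token mismatch"    # worth logging (see step 4)
    session["balance"] -= int(form["amount"])
    return 200, f"transferred {form['amount']} to {form['to']}"
```

A forged cross-site form carries the victim's session cookie but cannot include a valid token, so it stops at the 403 branch; the legitimate form rendered by the site embeds the token and succeeds.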


Step-by-Step / Process Flow

1. Identify Vulnerabilities (Reconnaissance)

  • Manual Testing:
    • Use Burp Suite or OWASP ZAP to intercept requests.
    • Test input fields with payloads (e.g., ' OR 1=1 -- for SQLi, <script>alert(1)</script> for XSS).
  • Automated Scanning:
    • Run OWASP ZAP or Nessus to scan for common vulnerabilities.
    • Check for misconfigurations (e.g., missing CSP headers, default credentials).
  • Code Review:
    • Look for unsafe functions (e.g., eval(), innerHTML in JavaScript).
    • Check for lack of parameterized queries in SQL.

2. Exploit the Vulnerability (Proof of Concept)

  • SQL Injection:
    • Use sqlmap to automate exploitation: sqlmap -u "https://example.com/login?user=1&pass=1" --dbs
    • Manually test with: ' UNION SELECT username, password FROM users --
  • XSS:
    • Stored XSS: Inject script into a comment field and wait for victims to load it.
    • Reflected XSS: Craft a malicious URL and send it via phishing.
    • DOM XSS: Manipulate URL fragments (e.g., https://example.com/#<script>alert(1)</script>).
  • CSRF:
    • Create a malicious HTML form that auto-submits to a vulnerable endpoint:

      <form action="https://bank.com/transfer" method="POST">
        <input type="hidden" name="to" value="attacker">
        <input type="hidden" name="amount" value="1000">
      </form>
      <script>document.forms[0].submit();</script>

3. Mitigate the Attack (Defensive Strategies)

  • SQL Injection:
    • Use parameterized queries (prepared statements).
    • Apply least privilege (the DB user should not have DROP TABLE rights).
    • Use ORM (Object-Relational Mapping) frameworks (e.g., Hibernate).
  • XSS:
    • Output encoding (e.g., HTML entity encoding).
    • CSP headers to restrict script sources.
    • HTTPOnly & Secure flags for cookies.
  • CSRF:
    • CSRF tokens (unique per session).
    • SameSite cookie attribute (Strict or Lax).
    • Double-submit cookies (compare the token in the cookie with the token in the request).
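The first two rows of the table, parameterized queries against SQLi and output encoding against XSS, shown side by side with the vulnerable form. This is an added example, not code from the guide; the in-memory SQLite table and its one user are constructed sample data, and passwords are kept in plaintext only to keep the example short.

```python
import sqlite3
import html

# Constructed in-memory user table (sample data, not a real system).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # String concatenation: the input is parsed as part of the SQL statement,
    # so a quote in the input rewrites the WHERE clause's logic.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    # Prepared statement: the driver binds the values separately, so they are
    # compared as data and never interpreted as SQL syntax.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def render_comment(user_input):
    # Output encoding for XSS: entity-encode user text before it lands in an
    # HTML context, so <script> becomes inert &lt;script&gt; in the page.
    return '<p class="comment">' + html.escape(user_input, quote=True) + "</p>"
```

With the guide's payload ' OR '1'='1 as the password, login_vulnerable returns True for a non-existent user because the clause becomes (... AND password = '') OR '1'='1'; login_parameterized compares the same string literally and returns False.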

4. Monitor & Detect (SIEM & Logging)

  • Log suspicious activity:
    • Failed SQL queries (e.g., SELECT * FROM users WHERE username = 'admin' --).
    • Unusual JavaScript execution (e.g., eval() calls).
    • Multiple failed CSRF token validations.
  • SIEM Rules (Splunk/ELK):
    • Alert on unexpected SQL keywords (UNION, DROP, EXEC).
    • Alert on XSS payloads (<script>, onerror=, javascript:).
    • Alert on CSRF token mismatches.
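The three SIEM rules above as runnable detection logic over constructed log lines (an added example, not from the guide or any SIEM product). It goes slightly beyond the bare keywords listed: it URL-decodes the request before matching, which a literal match on <script> or UNION would otherwise miss, tightens UNION to the phrase UNION SELECT to avoid firing on ordinary search terms, and applies a per-session threshold for "multiple" CSRF failures.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample logs (not from a real system): web access-log lines
# "ip method path status", plus application lines for CSRF validation failures.
SAMPLE_LOGS = """\
203.0.113.5 GET /search?q=shoes 200
203.0.113.9 GET /search?q=%27+UNION+SELECT+username%2Cpassword+FROM+users-- 500
203.0.113.9 GET /comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
198.51.100.7 GET /profile?name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E 200
203.0.113.5 GET /page?next=javascript:void(0) 200
app session=s1 csrf_token_mismatch
app session=s1 csrf_token_mismatch
app session=s1 csrf_token_mismatch
app session=s2 csrf_token_mismatch
"""

# Keyword rules from step 4, tightened to phrases (UNION SELECT, DROP TABLE)
# so an ordinary search for "union workers" does not fire.
SQL_RULE = re.compile(r"\b(UNION\s+SELECT|DROP\s+TABLE|EXEC)\b", re.IGNORECASE)
XSS_RULE = re.compile(r"<script|onerror\s*=|javascript:", re.IGNORECASE)
CSRF_THRESHOLD = 3   # "multiple" failed validations per session

def analyze(log_text):
    """Return a list of (rule, subject, evidence) alerts for the given logs."""
    alerts = []
    mismatches = Counter()
    for line in log_text.splitlines():
        if line.startswith("app "):
            if "csrf_token_mismatch" in line:
                sid = line.split("session=", 1)[1].split()[0]
                mismatches[sid] += 1
            continue
        src, _method, path, _status = line.split()
        # Decode before matching: %3Cscript%3E would slip past a literal match.
        decoded = unquote_plus(path)
        if SQL_RULE.search(decoded):
            alerts.append(("SQLi", src, decoded))
        if XSS_RULE.search(decoded):
            alerts.append(("XSS", src, decoded))
    for sid, n in mismatches.items():
        if n >= CSRF_THRESHOLD:
            alerts.append(("CSRF", sid, f"{n} token mismatches"))
    return alerts
```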

5. Respond to an Incident (IR Steps)

  1. Contain: Disable the vulnerable endpoint or take the app offline.
  2. Eradicate: Patch the vulnerability (e.g., update code, add input validation).
  3. Recover: Restore from backups if data was altered/deleted.
  4. Lessons Learned: Update secure coding guidelines and train developers.

Common Mistakes

  • Mistake: Assuming client-side validation is enough. Correction: Client-side validation (e.g., JavaScript) can be bypassed (e.g., with Burp Suite). Always validate server-side.
  • Mistake: Using blacklisting for SQLi/XSS. Correction: Blacklisting is easily bypassed (e.g., ' OR 1=1 vs ' OR '1'='1). Use whitelisting or parameterized queries.
  • Mistake: Confusing XSS and CSRF. Correction: XSS executes malicious script in the victim’s browser; CSRF tricks the victim into submitting a malicious request.
  • Mistake: Ignoring DOM-based XSS. Correction: DOM XSS is client-side only (no server interaction). Test with URL fragments (e.g., #<script>alert(1)</script>).
  • Mistake: Not testing for second-order SQLi. Correction: Some SQLi payloads are stored in the DB and executed later (e.g., in a report query). Always test stored inputs.

Certification Exam Tips

CISSP (Management Perspective)

  • Focus on risk management: Know how to prioritize OWASP Top 10 risks (e.g., SQLi is higher risk than CSRF).
  • Secure SDLC: Understand where input validation, code reviews, and penetration testing fit into the Software Development Lifecycle (SDLC).
  • Compliance: Be familiar with NIST SP 800-53 (SA-11: Developer Security Testing) and ISO 27001 (A.14.2.5: Secure System Engineering Principles).

Security+ (Technical Perspective)

  • Know the OWASP Top 10 order: SQLi, XSS, and CSRF are historically top 3 (2017/2021).
  • Defense-in-depth: Expect questions on layered defenses (e.g., WAF + input validation + CSP).
  • Tool knowledge: Be familiar with Burp Suite, sqlmap, and OWASP ZAP (but don’t need hands-on experience).

CEH (Offensive Perspective)

  • Payloads matter: Memorize basic SQLi/XSS payloads (e.g., ' OR 1=1 --, <script>alert(1)</script>).
  • Bypass techniques: Know how to evade filters (e.g., UNION vs UN//ION, <img src=x onerror=alert(1)>).
  • Chaining attacks: CEH loves combining attacks (e.g., XSS to steal cookies, then CSRF to change passwords).

Tricky Distinctions

  • Stored XSS vs. Reflected XSS:
    • Stored: Malicious script is permanently stored on the server (e.g., in a database).
    • Reflected: Malicious script is embedded in a URL and reflected back to the user.
  • CSRF vs. Session Hijacking:
    • CSRF: Tricks the user into submitting a request (e.g., changing their email).
    • Session Hijacking: Steals the session token (e.g., via XSS or sniffing).

Quick Check Questions

1. A penetration tester finds that entering ' OR '1'='1 into a login form bypasses authentication. Which of the following is the MOST likely vulnerability?

A) Cross-Site Scripting (XSS)
B) Cross-Site Request Forgery (CSRF)
C) SQL Injection (SQLi)
D) Directory Traversal

Correct Answer: C) SQL Injection (SQLi)
Explanation: The payload ' OR '1'='1 is a classic SQLi technique to bypass login forms by making the query’s WHERE condition always true.


2. A web application uses the following code to display user comments:

document.getElementById("comment").innerHTML = userInput;

Which vulnerability is present, and what is the BEST mitigation?

A) SQL Injection – Use parameterized queries
B) XSS – Encode output and implement CSP
C) CSRF – Add CSRF tokens
D) Insecure Direct Object Reference (IDOR) – Implement access controls

Correct Answer: B) XSS – Encode output and implement CSP
Explanation: The code directly inserts user input into the DOM without encoding, making it vulnerable to XSS. Mitigations include output encoding and Content Security Policy (CSP).


3. An attacker sends a victim a link to https://bank.com/transfer?to=attacker&amount=1000. When clicked, the victim’s browser automatically submits the request because they are logged into bank.com. Which attack is this, and what is the BEST defense?

A) XSS – Use HTTPOnly cookies
B) CSRF – Implement CSRF tokens
C) SQL Injection – Use prepared statements
D) Session Hijacking – Regenerate session IDs

Correct Answer: B) CSRF – Implement CSRF tokens
Explanation: The attack tricks the victim into submitting a malicious request while authenticated, which is CSRF. The best defense is CSRF tokens (unique per session).


Last-Minute Cram Sheet

  1. SQL Injection (SQLi): ' OR 1=1 -- → Parameterized queries + least privilege.
  2. XSS Types: Stored (DB), Reflected (URL), DOM (client-side) → Output encoding + CSP.
  3. CSRF: Tricks user into submitting a request → CSRF tokens + SameSite cookies.
  4. OWASP Top 10 (2021): A1=Broken Access Control, A3=Injection, A7=Auth Failures.
  5. Burp Suite / OWASP ZAP: Interception proxies for manual web app testing.
  6. CSP Header: Content-Security-Policy: script-src 'self' → Mitigates XSS.
  7. HTTPOnly + Secure Flags: Prevent cookie theft (XSS) + MITM attacks.
  8. Same-Origin Policy (SOP): Browser security → CSRF/XSS bypass it.
  9. MITRE ATT&CK: T1190 (Exploit Public-Facing App), T1189 (XSS), T1204 (CSRF).
  10. Exam Trap: XSS ≠ CSRF! XSS executes script in the victim’s browser; CSRF tricks the victim into submitting a request.