Common Website Attacks: SQL Injection, XSS, CSRF
🌐 Common Website Attacks (SQL Injection, XSS, CSRF)
⚠️ These attacks are explained for educational and cybersecurity awareness purposes only.
1️⃣ SQL Injection (SQLi)
📘 What is SQL Injection?
SQL Injection is a web attack where an attacker inserts malicious SQL code into input fields to manipulate the database.
It targets websites that do not properly validate user input.
🎯 Target
- Login forms
- Search boxes
- URL parameters
- Contact forms
⚙️ How SQL Injection Works
- User enters input into a form
- Application inserts the input directly into an SQL query (string concatenation instead of parameters)
- Malicious SQL code in the input changes the structure of the query
- Database executes the altered query
If the input is neither validated nor passed as a query parameter, the attacker can read or modify database data.
🔓 What Attackers Can Do
- Bypass login
- Steal user data
- Delete database tables
- Modify records
- Gain admin access
📊 Types of SQL Injection
1️⃣ In-band SQLi
The most common type: the attacker injects the payload and retrieves the data over the same channel (the application's own response).
2️⃣ Blind SQLi
No query output is shown directly; the attacker infers results from how the application responds (for example, a page that differs for true and false conditions).
3️⃣ Out-of-band SQLi
Uses a separate communication channel, rather than the application's response, to retrieve data.
🛡️ Prevention of SQL Injection
- Use prepared statements
- Use parameterized queries
- Input validation
- Stored procedures
- Web Application Firewall (WAF)
- Limit database permissions
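The first two prevention items are the ones that actually remove the root cause, so here is the same login check written both ways. This is an added example, not code from the original post: the in-memory SQLite schema, the user `alice`, her password and the constructed input are all assumptions made for the demonstration.

```python
import sqlite3

# Added example (not from the original post): one login check built by string
# formatting, the same check built with a parameterized query.


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Demo only: a real application stores a password hash, never the plaintext.
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user input is pasted into the SQL text, so it can change the query."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized: the driver sends the input as data; it is never parsed as SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    # Constructed input: closes the string literal and appends an always-true condition.
    tautology = "' OR '1'='1"
    print(login_vulnerable(make_db(), "alice", tautology))  # True: login bypassed
    print(login_safe(make_db(), "alice", tautology))        # False: it is just a wrong password
    print(login_safe(make_db(), "alice", "s3cret"))         # True: the real password still works
```

The formatted version also breaks on perfectly legitimate input: a user name containing an apostrophe (such as `O'Brien`) produces a syntax error in `login_vulnerable`, which is the same defect seen from the other side. With placeholders the driver keeps the query structure fixed, so neither the tautology nor the apostrophe can alter it, and the remaining list items (validation, least-privilege database accounts, a WAF) are defence in depth on top of that.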
2️⃣ Cross-Site Scripting (XSS)
📘 What is XSS?
Cross-Site Scripting (XSS) is an attack where malicious scripts are injected into a trusted website.
The script runs in the victim’s browser.
🎯 Target
- Comment sections
- Search bars
- User profile fields
- Message boards
⚙️ How XSS Works
- Attacker inserts malicious JavaScript
- Website stores or reflects the script
- Victim opens the page
- Script executes in the victim's browser
🔓 What Attackers Can Do
- Steal session cookies
- Hijack user accounts
- Redirect users
- Display fake login forms
- Spread malware
📊 Types of XSS
1️⃣ Stored XSS
The malicious script is stored by the application (for example, in the database) and served to every user who views the affected page.
2️⃣ Reflected XSS
The script is reflected immediately from the request (for example, a URL parameter) into the response.
3️⃣ DOM-Based XSS
The vulnerability is in client-side JavaScript that writes untrusted data into the page; the server response itself may be clean.
🛡️ Prevention of XSS
- Input validation
- Output encoding
- Use Content Security Policy (CSP)
- Escape special characters
- Secure cookies (HttpOnly flag)
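Output encoding, CSP and the HttpOnly flag are each a single line of server code, so here they are side by side. This is an added example, not code from the original post: the comment text, the CSP directives and the cookie value are constructed for the demonstration, and `html.escape` from the Python standard library is used as the encoder.

```python
import html

# Added example (not from the original post). Constructed inputs and header values.


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: raw user text is placed in the page, so tags in it are parsed by the browser."""
    return f"<div class='comment'>{comment}</div>"


def render_comment(comment: str) -> str:
    """Output encoding for an HTML element context: '<', '>' and '&' become entities."""
    return f"<div class='comment'>{html.escape(comment)}</div>"


def render_attribute(value: str) -> str:
    """Encoding for a quoted attribute: quote=True also converts '\"' and \"'\" to entities,
    so the input cannot close the attribute and start a new one (e.g. an event handler)."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def security_headers(session_id: str) -> dict:
    """Response headers that limit what an injected script could do if encoding is ever missed."""
    return {
        # Scripts may load only from this origin; inline <script> blocks are not executed.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        # HttpOnly keeps the cookie out of document.cookie; Secure and SameSite harden it further.
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
    }


if __name__ == "__main__":
    untrusted = "<script>alert(1)</script>"        # constructed comment text
    print(render_comment_unsafe(untrusted))       # tag reaches the browser as markup
    print(render_comment(untrusted))              # &lt;script&gt;...: displayed as text
    print(render_attribute('" onfocus="alert(1)'))  # stays inside the value attribute
    print(security_headers("constructed-session-id"))
```

The encoder must match the context the value lands in: `html.escape` is right for element bodies and quoted attributes, but a value placed inside a JavaScript block or a URL needs that context's encoding instead. CSP and HttpOnly do not fix an XSS bug; they reduce what it is worth (no inline execution, no readable session cookie), which is why the list treats them as separate items.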
3️⃣ Cross-Site Request Forgery (CSRF)
📘 What is CSRF?
CSRF is an attack where a user is tricked into performing unwanted actions on a website where they are already authenticated.
🎯 Target
- Online banking
- Social media
- E-commerce
- Account settings
⚙️ How CSRF Works
- Victim logs into the website
- Session remains active
- Attacker sends a malicious link or email
- Victim clicks the link
- Website performs the action using the active session
🔓 What Attackers Can Do
- Transfer money
- Change email/password
- Delete account
- Post unauthorized content
🛡️ Prevention of CSRF
- Use CSRF tokens
- SameSite cookies
- Re-authentication for sensitive actions
- Check Referer header
- Use CAPTCHA
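The first, second and fourth items in the list combine into one server-side check before any state-changing request. This is an added example, not code from the original post: the in-memory session store, the dict-shaped request objects, the origin `https://bank.example` and the forged request are all constructed for the demonstration, and the token pattern shown is the synchronizer-token pattern (one random token per session, stored server-side and echoed back in the form).

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added example (not from the original post). SESSIONS stands in for a server-side
# session store; requests are plain dicts so the check can run without a framework.
SESSIONS: dict[str, dict] = {}


def new_session() -> str:
    """Create a session and give it its own random CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token to embed as a hidden form field; only a page served by this site can know it."""
    return SESSIONS[sid]["csrf_token"]


def session_cookie(sid: str) -> str:
    """SameSite=Lax: browsers omit the cookie on cross-site POSTs, so a forged form is unauthenticated."""
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def same_origin(url: str, site_origin: str) -> bool:
    """Compare scheme and host exactly; a prefix test would accept bank.example.evil.example."""
    a, b = urlsplit(url), urlsplit(site_origin)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def is_allowed(sid: str, form: dict, headers: dict, site_origin: str) -> bool:
    """Server-side check to run before a state-changing action such as a transfer."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte through timing.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return False
    # Defence in depth: when the browser sends Origin/Referer, it must name our own site.
    source = headers.get("Origin") or headers.get("Referer")
    if source and not same_origin(source, site_origin):
        return False
    return True


if __name__ == "__main__":
    site = "https://bank.example"
    sid = new_session()
    legitimate = {"csrf_token": csrf_token_for(sid), "amount": "100"}
    forged = {"amount": "100"}  # a cross-site page cannot read the token to include it
    print(is_allowed(sid, legitimate, {"Referer": f"{site}/transfer"}, site))  # True
    print(is_allowed(sid, forged, {"Referer": "https://evil.example/"}, site))  # False
```

The token check is the primary control: the forged request fails it regardless of what the Referer says. The origin comparison and the `SameSite` attribute are independent layers, which matters because the Referer header is optional and some older clients do not honour `SameSite`; re-authentication and CAPTCHA from the list add friction for the highest-value actions on top of all three.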
📊 Comparison Table
| Attack | Target | Impact | Prevention |
|---|---|---|---|
| SQL Injection | Database | Data theft | Prepared statements |
| XSS | User browser | Session theft | Output encoding |
| CSRF | Authenticated users | Unauthorized actions | CSRF tokens |
🔐 Real-World Impact
These attacks have caused:
- Data breaches
- Financial losses
- Identity theft
- Website defacement
Major companies have faced such vulnerabilities due to poor security practices.
🎓 Short Exam Definition
SQL Injection, XSS, and CSRF are common web application attacks that exploit input validation weaknesses to manipulate databases, inject scripts, or perform unauthorized actions.