
Web Attacks Overview

🌐 What are Web Attacks?

Web attacks are malicious actions targeting web applications. Attackers exploit vulnerabilities to steal data, bypass security, or control servers. These attacks often abuse user inputs, cookies, or server responses.


πŸ” 1. SQL Injection (SQLi) 1.10.1-Sql-Injection

Definition:
Injecting malicious SQL code into input fields to interact with the database in unintended ways.

Goal:
- Bypass login
- Read, modify, or delete database data

Example:

Input: ' OR '1'='1
Query becomes: SELECT * FROM users WHERE username = '' OR '1'='1';
Effect: The WHERE clause is always true, so the query matches every user and the attacker is logged in without a password.
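The query from the example, built the vulnerable way (string concatenation) beside the fixed way (a bound parameter), so the difference can be run and observed. This is an added example, not code from the original page; the in-memory SQLite table and the two sample accounts are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original page): two accounts.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory users table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(username):
    """String concatenation: the input becomes part of the SQL text itself."""
    return f"SELECT * FROM users WHERE username = '{username}'"


def find_user_vulnerable(conn, username):
    """Run the concatenated query and return the usernames it matched."""
    rows = conn.execute(build_vulnerable_query(username)).fetchall()
    return sorted(row[0] for row in rows)


def find_user_parameterized(conn, username):
    """Bind the input as a parameter: it is treated as data, never as SQL."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username = ?", (username,)
    ).fetchall()
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    conn = make_db()
    injected_input = "' OR '1'='1"  # the input from the page's example
    print(build_vulnerable_query(injected_input))
    # Concatenation matches every account; the bound parameter matches none.
    print("vulnerable:    ", find_user_vulnerable(conn, injected_input))
    print("parameterized: ", find_user_parameterized(conn, injected_input))
```

With the concatenated query the input rewrites the WHERE clause and every row comes back; with the placeholder the same string is compared literally against the username column and nothing matches.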


πŸ›‘οΈ 2. Cross-Site Scripting (XSS) 1.10.2-Cross-Sites-Scripting

Definition:
Injecting malicious JavaScript into a web page so that it runs in another user's browser.

Goal:
- Steal cookies or session data
- Deface websites
- Redirect users to malicious sites

Example:

<script>alert("Hacked!")</script>
If this is stored in a comment and rendered without escaping, every user who views the comment sees the popup.


πŸ” 3. Cross-Site Request Forgery (CSRF) 1.10.3-Cross-Site-Request-Forgery

Definition:
Tricking a user's browser into sending unauthorized requests using their logged-in session.

Goal:
- Perform unwanted actions (e.g., money transfer, password change)

Example:

<img src="http://bank.com/transfer?amount=1000&to=hacker" />
If the user is logged in to bank.com, the browser attaches their session cookie when it loads this image, so the request can trigger a transfer without their knowledge.


🌐 4. Server-Side Request Forgery (SSRF) 1.10.4-Server-Side-Request-Forgery

Definition:
Forcing a server to make requests to internal or restricted systems.

Goal:
- Access internal services (e.g., admin panels, cloud metadata)

Example:
Supplying the URL

http://localhost:8080/admin
to a file-fetching API makes the server request it on the attacker's behalf, exposing internal resources that are not reachable from the public internet.