Posts

Showing posts from April, 2020

SQL Injection

SQL injection, also known as SQLi, is a common attack that uses malicious SQL code for back-end database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details.

Actions a successful attack may take on a compromised target include:

- Bypassing authentication
- Stealing data
- Modifying or corrupting data
- Deleting data
- Running arbitrary code
- Gaining root access to the system itself

Types of SQL Injection

Unsanitized Input - Unsanitized input is a common type of SQLi attack in which the attacker provides user input that isn't properly sanitized for characters that should be escaped, and/or the input isn't validated to be of the correct or expected type. Let's take the example of an authentication screen where we want to log in to an application; we have a username and password as input on the screen, which we ...

What Is Cross-site Scripting?

A cross-site scripting attack is a kind of attack on web applications in which attackers try to inject malicious scripts to perform malicious actions on trusted websites. In cross-site scripting, malicious code executes on the browser side and affects users. Cross-site scripting is also known as an XSS attack.

The first question that comes to mind is why we call it "XSS" instead of "CSS." The answer is simple and known to all who work in web development. In web design, we have cascading style sheets (CSS). So cross-site scripting is called XSS so it does not get confused with CSS.

The consequences of malicious JavaScript

Among many other things, the ability to execute arbitrary JavaScript in another user's browser allows an attacker to perform the following types of attacks:

- Cookie theft - The attacker can access the victim's cookies associated with the website using document.cookie, send them to his own server, and use them to ex...