Common Web Application Vulnerabilities and Their Attack Methods

Web applications, typically built on a B/S architecture and accessed via HTTP/HTTPS, have become integral to daily life, but insecure backend development leads to numerous security issues.

Web application attacks refer to attackers sending specially crafted requests to discover and exploit vulnerabilities, allowing them to control or infiltrate the target site.

SQL Injection is a widespread vulnerability where attackers insert malicious SQL commands into form inputs or query strings, potentially altering or stealing data, compromising the database server, or turning the server into a puppet host. Example payload: password = "1' OR '1'='1" .

XSS (Cross‑Site Scripting) involves injecting malicious scripts into web pages using HTML/JavaScript, enabling attackers to steal cookies, hijack sessions, or send spam. XSS types include stored, reflected, and DOM‑based. A simple example: an input field <input type="text" name="username" value="valueFromUser"> where a user submits <script>alert(document.cookie)</script> , causing the script to execute.

CSRF (Cross‑Site Request Forgery) exploits a logged‑in user's credentials to send unauthorized requests on their behalf, such as triggering a bank transfer via an image tag: <img src="http://www.XXbank.com/Transfer.php?toUserId=250&money=1000"> .

File Upload Attacks allow attackers to upload executable files (e.g., webshells written in PHP, ASP, JSP) to the server and execute them, gaining control over the system.

File Inclusion Vulnerabilities arise when applications include files based on user‑controlled input without proper validation, leading to local (LFI) or remote (RFI) file inclusion and possible code execution.

Clickjacking uses a transparent iframe overlay to trick users into clicking hidden elements, performing actions the attacker desires.

URL Redirect Vulnerabilities occur when applications redirect to URLs supplied by user input without validation, potentially sending users to malicious third‑party sites.