โ† Security Fundamentals

Common Vulnerabilities

~310 words ยท 2 min read

SQL injection

When you glue user input directly into a SQL string, an attacker can break out and run their own queries:

// VULNERABLE โ€” string concatenation
query("SELECT * FROM users WHERE name = '" + input + "'")

// Attacker enters:  alice'--
// Becomes:  SELECT * FROM users WHERE name = 'alice'--'
// (the -- comments out the rest, bypassing the password check)

Fix: use parameterized queries. The database sends the SQL structure and the values separately, so input can never alter the query's logic:

query("SELECT * FROM users WHERE name = ?", [input])

Cross-site scripting (XSS)

XSS is injecting hostile HTML or JavaScript into a page viewed by other users โ€” for example, posting a comment containing <script> that runs in every visitor's browser.

  • Stored XSS โ€” the payload is saved (e.g. in a comment) and served to others.
  • Reflected XSS โ€” the payload comes from a URL parameter echoed back.

Fix: output encoding. Escape user-supplied data before rendering it, so <script> becomes harmless text. Modern frameworks (React, Vue) escape by default.

The rule: never insert raw user input into HTML. Treat all input as hostile until encoded.

Cross-site request forgery (CSRF)

CSRF tricks a logged-in user's browser into making a request to a site where they're authenticated โ€” like a forged form that transfers money. The browser happily attaches the session cookie, so the request looks legit.

Fix: CSRF tokens. The server embeds a secret token in each form and rejects requests that don't include it. An attacker's site can't read the token (same-origin policy), so its forged requests fail.