Web applications are the most common attack surface in modern organisations. This lesson covers the OWASP Top 10 vulnerabilities, practical exploitation techniques, and the tools used by ethical hackers to test web application security.
The Open Web Application Security Project (OWASP) publishes the definitive list of critical web application security risks:
| Rank | Category | Description |
|---|---|---|
| A01 | Broken Access Control | Users acting beyond their permissions |
| A02 | Cryptographic Failures | Weak or missing encryption of sensitive data |
| A03 | Injection | SQL, NoSQL, OS, LDAP injection attacks |
| A04 | Insecure Design | Missing or ineffective security controls by design |
| A05 | Security Misconfiguration | Default configs, open cloud storage, verbose errors |
| A06 | Vulnerable Components | Using libraries with known vulnerabilities |
| A07 | Authentication Failures | Broken authentication and session management |
| A08 | Software and Data Integrity | Insecure CI/CD pipelines, unsigned updates |
| A09 | Security Logging Failures | Insufficient logging and monitoring |
| A10 | Server-Side Request Forgery | Application fetches attacker-controlled URLs |
SQL injection occurs when user input is concatenated directly into a SQL query string instead of being passed as a bound parameter, so characters such as quotes and comment markers in the input change the structure of the query:

Normal login query:

```sql
SELECT * FROM users WHERE username = 'admin' AND password = 'secret123'
```

Injected query (the `--` comment removes the password check entirely):

```text
SELECT * FROM users WHERE username = 'admin' OR 1=1 --' AND password = ''
                                           ^^^^^^^^^^^
                                           Injected payload
```
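The following added example (not part of the original lesson) runs both versions of the login query against a constructed in-memory SQLite database. It shows that the injected username from the lesson bypasses the password check when the query is built by string concatenation, and that the same input is treated as an ordinary (non-matching) username once the values are bound as parameters. The table, user row and function names are assumptions made for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample database: one user with the credentials from the lesson."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret123')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The lesson's login query built by string concatenation.

    Whatever the user types becomes part of the SQL text, so a quote and a
    comment marker in the username rewrite the WHERE clause.
    """
    query = (
        f"SELECT * FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn, username, password):
    """The same query with bound parameters.

    The SQL text is fixed; the driver sends the values separately, so a
    quote or '--' in the input is just data inside a string value and can
    never alter the query structure.
    """
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run the lesson's payload through both versions and report the outcome."""
    payload = "admin' OR 1=1 --"   # the injected username from the lesson
    conn = build_db()
    results = {
        "vulnerable, correct password": login_vulnerable(conn, "admin", "secret123"),
        "vulnerable, injected username": login_vulnerable(conn, payload, ""),
        "parameterised, correct password": login_parameterised(conn, "admin", "secret123"),
        "parameterised, injected username": login_parameterised(conn, payload, ""),
    }
    for label, logged_in in results.items():
        print(f"{label:35s} -> {'LOGGED IN' if logged_in else 'rejected'}")
    return results


if __name__ == "__main__":
    demo()
```

The takeaway for a defender is the shape of the fix: parameterised queries (prepared statements) are the primary control, and input "sanitisation" is at best a secondary layer, because it has to anticipate every encoding and dialect quirk that a bound parameter simply never exposes.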
| Type | Description | Detection |
|---|---|---|
| In-band (Classic) | Results returned directly in the response | Error messages, changed output |
| Error-based | Database errors reveal information | Verbose error messages |
| Union-based | Use UNION to extract data from other tables | Additional data in response |
| Blind (Boolean) | No visible output; infer data from true/false responses | Different page behaviour |
| Blind (Time-based) | No visible output; infer data from response timing | Delayed responses |
| Out-of-band | Data exfiltrated via DNS or HTTP requests | External server interactions |
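Seen from the blue team side, each row in the table above leaves a trace in web server logs: classic and boolean payloads carry quotes and `OR 1=1` style conditions, union-based payloads carry `UNION ... SELECT`, and time-based payloads carry a sleep function and produce the delayed responses the table mentions. The following added example (not from the lesson) scans a few constructed access-log lines for those indicators and flags slow responses; the log format, the pattern list and the 1000 ms threshold are assumptions chosen for the demonstration, not a complete detection rule set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic). Fields:
# client, method, request path, HTTP status, response time in milliseconds.
SAMPLE_LOG = """\
10.0.0.5 GET /page?id=1 200 12
10.0.0.9 GET /page?id=1'+OR+1=1+-- 200 14
10.0.0.9 GET /page?id=1+UNION+SELECT+username,password+FROM+users 200 15
10.0.0.9 GET /page?id=1+AND+SLEEP(5) 200 5012
10.0.0.5 GET /page?id=2 200 11
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Indicators loosely mapped to the injection types in the table above.
# Illustrative only: real detection needs broader patterns and decoding.
INDICATORS = {
    "classic/boolean": re.compile(r"'\s*(?:OR|AND)\s+\d+\s*=\s*\d+|--", re.I),
    "union-based": re.compile(r"\bUNION\b.*\bSELECT\b", re.I),
    "time-based": re.compile(r"\bSLEEP\s*\(|WAITFOR\s+DELAY|pg_sleep", re.I),
}

SLOW_MS = 1000  # assumed threshold for a "delayed response"


def scan_log(text):
    """Return one finding per log line that matches at least one indicator.

    The request path is URL-decoded first so that '+' and %xx escapes do not
    hide the payload from the patterns.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, _method, path, _status, ms = m.groups()
        decoded = unquote_plus(path)
        types = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if types:
            findings.append({
                "client": client,
                "path": decoded,
                "types": types,
                "slow": int(ms) > SLOW_MS,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " (slow response)" if f["slow"] else ""
        print(f"{f['client']} {f['path']} -> {', '.join(f['types'])}{flag}")
```

Note that the benign requests (`id=1`, `id=2`) produce no finding, and that the time-based line is flagged both by its payload and by its response time: correlating the two is what separates a blind attempt from a server that happened to be busy.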
```bash
# Test a URL parameter for SQL injection
sqlmap -u "http://target.com/page?id=1"

# Enumerate databases
sqlmap -u "http://target.com/page?id=1" --dbs

# Dump a specific table
sqlmap -u "http://target.com/page?id=1" -D webapp -T users --dump

# Test a POST parameter
sqlmap -u "http://target.com/login" --data="username=admin&password=test" --dbs
```
Cross-site scripting (XSS) injects attacker-supplied script into web pages that are then viewed by other users, so the script runs in those users' browsers with their session:
| Type | Persistence | Example |
|---|---|---|
| Reflected | Not stored; payload in URL or request | Search results reflecting user input |
| Stored | Stored in database; affects all viewers | Comment field with embedded script |
| DOM-based | Manipulates client-side JavaScript | URL fragment processed by JavaScript |
```html
<!-- Basic alert test -->
<script>alert('XSS')</script>
```
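The following added example (not part of the original lesson) shows why the basic alert test above succeeds against a page that writes user input straight into its HTML, and why the same input is harmless once the page applies HTML output encoding. It covers the reflected case (a search term echoed back) and the stored case (comments read from a database) with the same fix, because both are the same defect at different times. The page templates, function names and sample inputs are constructed for the demonstration.

```python
from html import escape

# Constructed inputs: a benign search term and the lesson's basic alert payload.
SEARCH_TERM = "laptops"
PAYLOAD = "<script>alert('XSS')</script>"


def render_search_vulnerable(term):
    """Reflected XSS: the search term is written into the page unchanged,
    so any markup in it becomes part of the document."""
    return f"<p>Results for: {term}</p>"


def render_search_safe(term):
    """The same page with HTML output encoding.

    escape() turns <, >, &, " and ' into entities, so the browser renders
    the payload as visible text instead of parsing it as a script element.
    """
    return f"<p>Results for: {escape(term, quote=True)}</p>"


def render_comments_safe(comments):
    """Stored XSS has the same fix: encode at output time, whatever was
    stored, rather than trusting that input was cleaned on the way in."""
    return "\n".join(f"<li>{escape(c, quote=True)}</li>" for c in comments)


def contains_script_tag(html):
    """Crude check used here to show whether a live <script> element survived."""
    return "<script" in html.lower()


if __name__ == "__main__":
    for label, page in [
        ("vulnerable, benign", render_search_vulnerable(SEARCH_TERM)),
        ("vulnerable, payload", render_search_vulnerable(PAYLOAD)),
        ("encoded, payload", render_search_safe(PAYLOAD)),
        ("stored comments, encoded", render_comments_safe([PAYLOAD, "nice post"])),
    ]:
        print(f"{label:26s} script element present: {contains_script_tag(page)}")
        print("   " + page.replace("\n", "\n   "))
```

Output encoding must match the context the data lands in: `escape()` is correct for text between tags and for quoted attribute values, but data placed inside a JavaScript block, a URL or a CSS rule needs the encoding rules of that context instead. DOM-based XSS, the third row in the table, is not fixed by server-side encoding at all, because the dangerous write happens in client-side JavaScript.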