Web application attacks
⏱ ~3-min readAceMark GuideWhat this topic is really about
Cross-site scripting injects attacker-controlled script that executes in another user's browser, enabling session theft or defacement. SQL injection targets the database, CSRF abuses an authenticated user's session to make requests, and directory traversal reads files outside the web root.
Concatenating untrusted input into a SQL query without prepared statements is the textbook SQL injection sink. CSRF tricks an authenticated user into making a request, XXE abuses XML parsers, SSRF makes the server fetch attacker-controlled URLs.
See the mechanism
Concatenating untrusted input into a SQL query without prepared statements is the textbook SQL injection sink. A diagram for this topic isn't available yet — the worked example below walks the same reasoning step by step.
An exam-style question, fully explained
A web app concatenates user input directly into a SQL query without parameterization. What attack class does this enable?
- Identify what the question tests: A web app concatenates user input directly into a SQL query without parameterization..
- Concatenating untrusted input into a SQL query without prepared statements is the textbook SQL injection sink.
- CSRF tricks an authenticated user into making a request, XXE abuses XML parsers, SSRF makes the server fetch attacker-controlled URLs.
Traps the examiner sets
- Read each option carefully — distractors on Web application attacks are designed to look plausible.
- Re-check the exact wording of the question stem before committing to an answer.
- Watch the qualifiers ("always", "only", "except") that flip a correct-looking option.
Test your recall
Answer each from memory — you'll see instantly whether you're right and why.
Run a focused 10-question mini-mock on Web application attacks and see it stick.
Practice more of this topic →