Web Application Vulnerabilities
Junior-friendly OWASP-style vulnerabilities and how to explain them.
JPT-21
What is SQL Injection?
Answer: SQL Injection happens when user input is used in database queries without safe handling. Attackers can change query logic to read, modify, or delete data. Parameterized queries (prepared statements) and validation help prevent it.
Tip: Say “prepared statements/parameterized queries.”
JPT-22
What is XSS (Cross-Site Scripting)?
Answer: XSS allows attackers to run JavaScript in a victim’s browser because the app outputs unsafe input. It can steal session data, perform actions as the user, or alter page content. Output encoding and Content Security Policy (CSP) are common protections.
Tip: Know types: stored, reflected, DOM-based.
JPT-23
What is CSRF?
Answer: CSRF tricks a user’s browser into sending a request they didn’t intend while authenticated. It works because browsers automatically include cookies with requests. CSRF tokens and SameSite cookies help prevent it.
Tip: Explain “browser sends cookies automatically.”
JPT-24
What is IDOR?
Answer: IDOR happens when an app exposes object IDs without enforcing authorization checks. Attackers can change identifiers (like userId=123) to access other users’ data. The fix is consistent server-side access control.
Tip: Say: “AuthN is not AuthZ.”
JPT-25
What is command injection?
Answer: Command injection occurs when user input is passed into system commands unsafely. Attackers can run additional commands on the server and potentially gain control. Using safe APIs and strict validation reduces risk.
Tip: Mention “avoid shelling out when possible.”
JPT-26
What is directory traversal?
Answer: Directory traversal uses sequences like ../ to access files outside an allowed folder. It can expose configs, keys, or source code. Proper path normalization and allowlisting prevent this.
Tip: Mention blocking ../ and normalizing paths.
JPT-27
What is broken authentication?
Answer: Broken authentication includes weak login/session handling like no rate limits, weak passwords, or insecure session tokens. It can lead to account takeover and unauthorized access. Strong session management, MFA, and lockout controls help.
Tip: Mention rate limiting + MFA + secure sessions.
JPT-28
What is broken access control?
Answer: Broken access control is when users can access data or actions they should not. It includes IDOR, missing role checks, and privilege misuse. Strong server-side authorization checks are required for every request.
Tip: Mention “deny by default” approach.
JPT-29
What is an insecure file upload?
Answer: If uploads aren’t validated, attackers might upload malicious or executable content. This can lead to remote code execution or defacement. Defenses include allowlisted types, scanning, and storing uploads outside web root.
Tip: Validate MIME + content, not just file extension.
JPT-30
What is the OWASP Top 10?
Answer: The OWASP Top 10 is a widely used list of the most common web application security risks. It helps guide testing and secure development priorities. Junior pentesters should know it as a baseline framework.
Tip: Mention using it to guide testing + reporting.