Understanding Common Web Security Threats: SQL Injection, CSRF, HTTPS, and XSS

Securing web applications requires a solid understanding of the most common attack vectors that target modern software systems. This blog post covers four essential web security topics: SQL Injection, Cross-Site Request Forgery (CSRF), HTTPS, and Cross-Site Scripting (XSS) — what they are, how they work, and how to address them in real-world development.


What is SQL Injection

SQL Injection is a vulnerability where attackers manipulate SQL queries by injecting malicious input into user fields. This can lead to unauthorized access, data leaks, or full control over a database.

Example:

// Vulnerable code: the raw user input is concatenated straight into the SQL text
string query = "SELECT * FROM Users WHERE Username = '" + userInput + "'";

If the input is ' OR '1'='1, the query becomes:

SELECT * FROM Users WHERE Username = '' OR '1'='1'

which returns all users in the table.

How to Prevent It:

  • Use parameterized queries, so the input is sent as a value and never parsed as SQL:

var command = new SqlCommand("SELECT * FROM Users WHERE Username = @username", connection);
command.Parameters.AddWithValue("@username", userInput);

  • Use ORM frameworks like Entity Framework Core or Dapper, which parameterize queries for you
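To see the difference the parameterized form makes, here is an added runnable demonstration (not code from the original post). It uses Python's sqlite3 module and an in-memory Users table with constructed rows in place of SQL Server and SqlCommand, and runs the post's ' OR '1'='1 input through both the concatenated and the parameterized query:

```python
import sqlite3

# Constructed sample rows (not from the original post).
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory Users table seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_input):
    """Mirrors the post's vulnerable code: input becomes part of the SQL text."""
    query = "SELECT * FROM Users WHERE Username = '" + user_input + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_input):
    """Parameterized equivalent of the SqlCommand/@username version.

    The driver sends the value separately from the statement, so quotes
    inside the input can never change the query's structure.
    """
    query = "SELECT * FROM Users WHERE Username = ?"
    return conn.execute(query, (user_input,)).fetchall()


def demo():
    """Return row counts for a normal username and for the post's injection input."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_injected": len(lookup_vulnerable(conn, payload)),  # every row
        "safe_benign": len(lookup_safe(conn, "alice")),
        "safe_injected": len(lookup_safe(conn, payload)),  # no such username
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The concatenated query returns all three rows for the injected input, while the parameterized query treats the whole string as a literal username and matches nothing.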


What is CSRF (Cross-Site Request Forgery)

CSRF is an attack that tricks authenticated users into submitting unwanted actions on a website they’re logged into. It exploits the browser’s ability to send cookies automatically.

Example:
A logged-in user on bank.com visits a malicious website. That website makes a hidden request to bank.com/transfer?amount=10000, and the browser automatically includes the user’s session cookie.

How to Prevent It:

  • Use anti-forgery tokens in forms
  • Validate tokens server-side
  • Set the SameSite attribute on session cookies
  • Require re-authentication for sensitive operations


What is HTTPS

HTTPS (HyperText Transfer Protocol Secure) is the secure version of HTTP. It encrypts the communication between client and server using TLS (Transport Layer Security), protecting data from being intercepted or tampered with during transmission.

Why HTTPS Matters:

  • Encrypts sensitive data like login credentials and tokens
  • Protects against man-in-the-middle attacks
  • Boosts application trust and SEO rankings

How to Implement It:

  • Obtain a TLS certificate (still commonly called an SSL certificate) from a trusted Certificate Authority
  • Redirect HTTP to HTTPS using server configuration or middleware
  • In ASP.NET Core, add the HTTPS redirection middleware:

app.UseHttpsRedirection();


What is XSS (Cross-Site Scripting)

XSS is a vulnerability where attackers inject malicious scripts into web pages. When other users view the page, their browsers execute the script, which can steal data, hijack sessions, or manipulate the page.

Example:
If a comment field allows this input:

<script>alert('Hacked');</script>

and renders it directly in the HTML without sanitization, all visitors will trigger the alert script.

Types of XSS:

  • Stored XSS: Script is saved in the database and rendered for every viewer.
  • Reflected XSS: Script is in the URL or request and reflected back in the response.
  • DOM-based XSS: Script is injected by client-side JavaScript that writes untrusted data into the DOM, without the payload ever passing through the server’s response.

How to Prevent It:

  • Escape and encode all user-generated content
  • Use safe rendering methods (e.g., Angular’s interpolation {{ value }} auto-escapes)
  • Avoid using innerHTML with untrusted data
  • Use security-focused frameworks that handle sanitization by default


Final Thoughts

Understanding and addressing these common issues—SQL Injection, CSRF, missing or misconfigured HTTPS, and XSS—is crucial for building secure applications. Security should be considered from the start of development and embedded in both frontend and backend layers.

Applying secure coding principles proactively leads to safer, more reliable, and trustworthy applications.
