Cross Site Scripting (XSS)
Attack where malicious scripts are injected into otherwise trusted websites and executed by a visitor’s browser. Target is the browser. Types: Stored/Persistent, Reflective, DOM. CH: Browser-targeted; mitigated by server-side input validation + WAF.
Cross Site Request Forgery (CSRF)
Attack that forces an authenticated user to execute unwanted actions on a web app in which they’re logged in. Target is the server. Needs a valid session cookie. Affects one user at a time. Not persistent. CH: Server-side attack exploiting user’s authenticated session.
SQL Injection
Attack where unvalidated user input is passed directly to a database and executed, allowing arbitrary SQL commands. Never pass unvalidated data. CH: Exploits input validation failures; target is database.
Input Validation
Sanitizing and verifying user input to prevent injection or script attacks by removing or encoding malicious code or special characters. CH: Primary defense against web injection attacks.
Stored / Persistent XSS
Malicious script is permanently stored on a server (e.g., database, comment field) and served to multiple users. CH: Stored script executes for all visitors. Persistent; affects many victims. Target is browser.
Reflective XSS
Malicious script embedded in a URL or request is immediately reflected back by the web server and executed in the victim’s browser. CH: One-time reflected script attack. Not persistent; affects one victim. Target is browser.
DOM-based XSS
Attack where malicious code modifies the Document Object Model in the browser (client-side) rather than being processed by the server. CH: Client-side XSS exploiting DOM. Not persistent. Target is browser.
Preventing XSS
Use server-side input validation, encode output, apply Content Security Policy (CSP), and deploy a Web Application Firewall (WAF). CH: Server-side validation + WAF.
Preventing CSRF
Use anti-CSRF tokens, verify request origins (Referer/Origin), implement same-site cookie attributes, and require re-authentication for sensitive actions. CH: Token validation prevents forged requests.
Preventing SQL Injection
Never pass unvalidated data; use prepared statements/parameterized queries, stored procedures, and least-privilege DB accounts. CH: Parameterized queries stop injection.
Prepared Statement / Parameterized Query
SQL technique that separates SQL code from data using placeholders so inputs are treated strictly as data, not executable code. CH: Prevents SQL injection by disallowing injected SQL.
Document Object Model (DOM)
A structured, hierarchical representation of a web page that browsers create when loading HTML and JavaScript. It defines all elements (like forms, links, and scripts) as objects that can be dynamically read or modified by client-side code. CH: Browser’s live model of a web page—can be manipulated by scripts.
CSRF Token
Random, unique value generated by a web application and embedded in forms or requests to verify that the request came from the legitimate user’s browser session. Prevents Cross-Site Request Forgery attacks by confirming request authenticity. CH: One-time token proves request is from the real user.