Cross-Site Request Forgery (CSRF)
A vulnerability where an attacker forces an authenticated browser to send unauthorized state-changing requests to a web application.
Common Internet Security
A practical series on common web and network attacks, how they work, and how to defend against them.
Each chapter includes a short explanation, an attack-flow diagram, and a checklist of best practices.
Cross-Site Scripting (XSS)
A code injection attack where malicious scripts are executed in a trusted victim's browser context.
SQL Injection (SQLi)
An injection attack that allows an attacker to interfere with the queries an application makes to its database.
NoSQL Injection
An injection vulnerability targeting NoSQL databases by manipulating query structures or logic using malicious objects.
OS Command Injection
A critical vulnerability where an attacker executes arbitrary operating system (OS) commands on the server via vulnerable application code.
Distributed Denial of Service (DDoS)
A malicious attempt to disrupt normal traffic of a targeted server by overwhelming it with a flood of Internet traffic.
Brute Force Attacks
A trial-and-error method used to guess login credentials or encryption keys.
Credential Stuffing
An automated attack where stolen username/password pairs from one breach are tested against other websites.
Session Hijacking
The exploitation of a valid session control mechanism to gain unauthorized access to a user's session.
Insecure Direct Object Reference (IDOR)
A vulnerability where an application exposes a reference to an internal object (like a file or database key) without verifying authorization.
Broken Access Control
Failures in enforcing policy that allow users to act outside of their intended permissions.
File Upload Vulnerabilities
Attacks where malicious files are uploaded to a server to execute code (Web Shell) or bypass security controls.
Directory Traversal
An HTTP attack which allows attackers to access restricted directories and read (or sometimes write) files outside of the web server's root directory.
Server-Side Request Forgery (SSRF)
An attack where an attacker abuses server functionality to make requests to unintended locations, often targeting internal services.
Clickjacking (UI Redress Attack)
A visual deception attack where users are tricked into clicking on hidden elements by overlaying transparent iframes on legitimate-looking content.
Phishing Attacks
Social engineering attacks that use deceptive communications to trick victims into revealing sensitive information or installing malware.
Man-in-the-Middle (MITM) Attack
An attack where the adversary secretly intercepts and potentially alters communications between two parties who believe they are communicating directly.
Open Redirect Vulnerability
A vulnerability where a web application accepts user-controlled input to redirect users to external URLs, enabling phishing and trust abuse.
XML External Entity (XXE) Injection
An attack that exploits XML parsers to process external entity references, leading to file disclosure, SSRF, or denial of service.
Insecure Deserialization
A vulnerability where untrusted data is used to abuse the logic of an application's deserialization process, often leading to remote code execution.
JWT (JSON Web Token) Attacks
Attacks targeting vulnerabilities in JWT implementation, including algorithm confusion, weak secrets, and improper validation.
Subdomain Takeover
An attack where an attacker gains control of a subdomain by claiming abandoned cloud resources that the DNS still points to.