© 2026 CheatGrid™. All rights reserved.

Security in Web Applications Cheat Sheet

Updated 2026-04-27

Security in web applications protects digital assets from threats spanning injection attacks, broken authentication, data exposure, and misconfigurations. Modern web security operates at multiple layers—from transport encryption and input validation to session management and access control. The OWASP Top 10 2025 remains the definitive reference, with Broken Access Control at #1, Security Misconfiguration rising to #2, and new categories covering software supply chain failures and error handling. Effective security requires defense in depth, continuous monitoring, and awareness of emerging threats including API abuse, LLM prompt injection, and prototype pollution.

What This Cheat Sheet Covers

This topic spans 18 focused tables and 165 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: Common Injection Attacks
  • Table 2: Authentication and Authorization
  • Table 3: Input Validation and Sanitization
  • Table 4: Session Management
  • Table 5: Cross-Site Request Forgery (CSRF) Protection
  • Table 6: Transport and Cryptography
  • Table 7: Security Headers
  • Table 8: API Security
  • Table 9: File Upload Security
  • Table 10: Access Control
  • Table 11: Secure Development Practices
  • Table 12: Logging and Monitoring
  • Table 13: Vulnerability Types and Mitigations
  • Table 14: Directory and Path Security
  • Table 15: Cloud and Infrastructure Security
  • Table 16: Advanced Attack Techniques
  • Table 17: Secure Configuration
  • Table 18: Modern Security Challenges

Table 1: Common Injection Attacks

Vulnerability | Example | Description

SQL Injection
  Example: SELECT * FROM users WHERE id = ' + userInput
  • Attacker inserts malicious SQL via user input, potentially reading, modifying, or deleting database data
  • Use parameterized queries

Cross-Site Scripting (XSS) - Stored
  Example: <script>...</script> saved to database
  • Malicious script persists in the database and executes in every viewer's browser
  • Most dangerous XSS variant

Cross-Site Scripting (XSS) - Reflected
  Example: <script>alert(document.cookie)</script> in URL param
  • Malicious script injected via the request is immediately reflected in the response and executes in the victim's browser

Cross-Site Scripting (XSS) - DOM-based
  Example: document.write(location.hash)
  • Client-side JavaScript processes untrusted data unsafely
  • Payload never reaches the server

Command Injection
  Example: system("ping " + userInput)
  • Attacker executes arbitrary OS commands by injecting shell metacharacters into application inputs

Server-Side Request Forgery (SSRF)
  Example: fetch("http://169.254.169.254/metadata")
  • Tricks the server into making requests to internal resources or cloud metadata endpoints, exposing credentials
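The rows above show the vulnerable pattern for each injection class; the block below is an added worked example (not code from the cheat sheet) showing the defensive counterpart for each one in Python: parameter binding for SQL injection, output encoding for stored and reflected XSS, an argument allowlist plus argv-list execution instead of a shell string for command injection, and a destination check for SSRF. The `users` table, sample rows, `ALLOWED_HOSTS` and function names are constructed for illustration.

```python
"""Defensive counterparts to the attack classes in Table 1.
Added worked example (not code from the original cheat sheet); the table,
sample rows, allowlist and function names are constructed for illustration."""
import html
import ipaddress
import re
import sqlite3
import subprocess
from urllib.parse import urlparse


# --- SQL injection: bind parameters instead of concatenating SQL ---------
def setup_db():
    """In-memory SQLite database with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_user(conn, user_input):
    """Safe lookup: the driver binds user_input as a value, never as SQL text.
    Vulnerable form for contrast (do not use):
        "SELECT name FROM users WHERE id = '" + user_input + "'"
    With binding, an input such as "1 OR 1=1" is just a string that matches
    no id, so the query returns an empty list instead of every row."""
    cur = conn.execute("SELECT name FROM users WHERE id = ?", (user_input,))
    return [row[0] for row in cur.fetchall()]


# --- XSS (stored/reflected): encode on output for the HTML context --------
def render_comment(comment):
    """Escape <, >, &, ' and " so the comment is displayed as text, not markup.
    The same rule applies whether the string came from the database (stored
    XSS) or straight from the request (reflected XSS)."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


# --- Command injection: allowlist the argument, never build a shell string --
# RFC 1123-style hostname: alphanumeric labels, hyphens only inside a label.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_argv(host):
    """Return an argv list for ping, or raise ValueError.
    Vulnerable form for contrast: system("ping " + host), where ';' or '|'
    in host starts a second command. Passing a list to subprocess with
    shell=False means metacharacters are never interpreted by a shell."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host):
    """Run the validated command with shell=False; returns the exit code."""
    return subprocess.run(build_ping_argv(host), shell=False, check=False,
                          capture_output=True, timeout=10).returncode


# --- SSRF: validate the destination before the server fetches it ----------
ALLOWED_HOSTS = {"example.com", "api.example.com"}  # constructed allowlist


def is_safe_fetch_target(url):
    """Allow only http(s) URLs. A literal IP must be globally routable, which
    rejects loopback, RFC 1918 space and the 169.254.0.0/16 link-local range
    that cloud metadata services live on; a hostname must be on the allowlist."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        return ipaddress.ip_address(parsed.hostname).is_global
    except ValueError:
        pass  # not an IP literal; fall through to the hostname allowlist
    return parsed.hostname.lower() in ALLOWED_HOSTS


if __name__ == "__main__":
    db = setup_db()
    print(lookup_user(db, "1 OR 1=1"))          # [] rather than every row
    print(render_comment("<script>alert(document.cookie)</script>"))
    print(build_ping_argv("example.com"))
    print(is_safe_fetch_target("http://169.254.169.254/metadata"))  # False
```

Two caveats a practitioner would add: `is_safe_fetch_target` checks the URL as written, so a hostname that passes the allowlist must still be resolved and the resolved address re-checked at connection time (and again after any redirect), otherwise DNS rebinding or a redirect can point the server at an internal address; and `render_comment` is correct only for HTML body context, since attribute, JavaScript and URL contexts each need their own encoder.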