Web security encompasses the practices and controls that protect web applications from attacks that threaten confidentiality, integrity, and availability. In the modern threat landscape, where applications process sensitive data, connect across untrusted networks, and depend on vast third-party supply chains, defending against injection attacks, authentication bypasses, misconfigurations, and supply chain compromises is no longer optional—it's a fundamental engineering requirement. Understanding how attackers exploit common vulnerabilities like XSS, CSRF, SQL injection, and prototype pollution, and knowing the concrete patterns and headers that prevent them, equips developers to build systems that resist both automated scanning and targeted exploitation. The OWASP Top 10 2025 remains the authoritative reference for the most critical risks, with Broken Access Control, Security Misconfiguration, and Software Supply Chain Failures leading the updated list.
What This Cheat Sheet Covers
This topic spans 21 focused tables and 177 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Injection Attack Types
Injection vulnerabilities occur when untrusted data is sent to an interpreter as part of a command or query, causing unintended execution. SQL injection and XSS dominate real-world exploitation, but server-side template injection and command injection can achieve full remote code execution — making injection flaws consistently the most damaging class of web vulnerabilities.
| Attack | Example | Description |
|---|---|---|
| SQL Injection | `SELECT * FROM users WHERE id = '$input'` | Malicious SQL inserted through user input manipulates database queries; prevented by parameterized queries and prepared statements. |
| Cross-Site Scripting (XSS) | `<script>alert(document.cookie)</script>` | Injection of malicious JavaScript into web pages viewed by other users, executing in the victim's browser context and enabling session theft and account takeover. |
| Command Injection | `file.txt; rm -rf /` | Executes arbitrary OS commands through vulnerable system calls; prevented by avoiding shell execution and validating all input that reaches OS APIs. |
| Server-Side Request Forgery (SSRF) | `http://app.com/fetch?url=http://169.254.169.254/` | Tricks the server into making requests to internal resources or cloud metadata endpoints; rolled into A01:2025 Broken Access Control by OWASP, and requires URL allowlisting and internal IP blocking. |
| Server-Side Template Injection (SSTI) | `{{7*7}}` → 49 (Jinja2) | User input rendered inside a server-side template engine executes arbitrary expressions, often achieving remote code execution; never pass raw user input to template renderers. |
| XML External Entity (XXE) | `<!DOCTYPE foo >` | Exploits XML parsers to access local files or trigger server-side requests; prevented by disabling external entity processing in XML parsers. |
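The following Python block is an added example, not code from the cheat sheet itself. It puts three of the table's rows side by side with their fixes: the `SELECT * FROM users WHERE id = '$input'` pattern next to a parameterized query, an unencoded HTML reflection next to contextual output encoding, and a shell-built command next to an argv list gated by an allowlist. The users table, the tautology input, the allowlist regex and all function names are constructed for this example and are assumptions, not the page's.

```python
import html
import re
import sqlite3

# Constructed sample rows so the example runs offline (not real data).
SAMPLE_USERS = [("1", "alice"), ("2", "bob"), ("3", "carol")]


def make_db():
    """Build a small in-memory SQLite database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, user_id):
    """String-built query, the shape of SELECT * FROM users WHERE id = '$input'.
    The input becomes part of the SQL grammar, so a quote in it rewrites the query."""
    query = f"SELECT id, name FROM users WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, user_id):
    """Parameterized query: the driver sends the value separately from the
    statement text, so the input is always compared as a literal string."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """Reflects user input into HTML unencoded: a <script> in the name ships as markup."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Contextual output encoding for an HTML text node: html.escape turns
    < > & " ' into entities, so the browser displays the text instead of running it."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Allowlist for file names handed to an OS-level tool: letters, digits, dot,
# underscore and dash only, no leading dot (an assumption chosen for this example).
_SAFE_FILENAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,254}")


def is_safe_filename(filename):
    """True only if the name matches the allowlist (rejects ';', '/', spaces, ...)."""
    return _SAFE_FILENAME.fullmatch(filename) is not None


def wc_argv_safe(filename):
    """Build an argv list for 'wc -l <file>' to run without a shell.

    Two layers of defence: the allowlist rejects shell metacharacters, and the
    result is an argv list for subprocess.run(..., shell=False), where no
    character is interpreted by a shell even if one slipped past validation.
    """
    if not is_safe_filename(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    return ["wc", "-l", filename]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, tautology))  # every row
    print("safe:      ", lookup_user_safe(db, tautology))        # []
    print(render_greeting_safe("<script>alert(document.cookie)</script>"))
    print(wc_argv_safe("file.txt"))
    print("blocked:", not is_safe_filename("file.txt; rm -rf /"))
```

The point to take from running it is that the same input behaves completely differently depending on whether it reaches the interpreter as grammar or as data: the string-built query returns every row, the parameterized one returns nothing, and the command-injection payload never reaches a shell at all because the argv list is built without one.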