> For the complete documentation index, see [llms.txt](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/google-cybersecurity-professional-cert/5.-assets-threats-and-vulnerabilities/module-4/web-based-exploits.md).

# Web-based exploits

Imagine you’re working as a Security Analyst at a company that develops and maintains its own web applications for customers. Part of your job involves working closely with software developers, reviewing new features before they go live, monitoring for suspicious behavior in production systems, and regularly scanning the company’s web applications for vulnerabilities.

**On-the-Job Application of Cross-Site Scripting (XSS):**

1. **Detecting Suspicious Inputs During Code Reviews**:\
   Before a new web form or comment section goes live, you review the application’s code and notice that user inputs—like comments posted by users—are displayed back on the webpage without proper validation or sanitization. From your training on XSS, you know that this is a red flag. Attackers could insert malicious JavaScript into these fields, and when other users view the page, their browsers would run the attacker’s code.\
   On the job, you would:
   * Advise developers to implement proper input sanitization and use secure frameworks or libraries to automatically escape user-provided data.
   * Test these fields by attempting to inject harmless test scripts, confirming that the new input validation rules prevent any code from running.
2. **Monitoring Security Alerts and Logs**:\
   Suppose you have a web application firewall (WAF) or Intrusion Detection System (IDS) configured to monitor traffic. It starts flagging suspicious queries hitting a particular page. You see encoded script tags in URLs or query parameters—like `"><script>alert('xss')</script>`—that look like attempts to exploit reflected or DOM-based XSS.\
   On the job, you would:
   * Investigate those requests in detail, possibly identifying malicious IP addresses or user accounts repeatedly testing for vulnerabilities.
   * Work with developers to ensure that the vulnerable endpoint escapes dynamic content before returning it to the user’s browser.
   * Update WAF rules to block these suspicious requests pre-emptively.
3. **Responding to a Reported XSS Incident**:\
   Say a customer reports strange pop-ups when visiting their user profile page. You confirm it’s an XSS attack introduced through their public bio field. Attackers injected code that steals session cookies and sends them to a remote server.\
   On the job, you would:
   * Immediately remove the malicious payload from the database.
   * Invalidate existing user sessions so stolen cookies are no longer valuable to the attacker.
   * Implement or reinforce input sanitization for user bios.
   * Educate the development team about secure coding practices, such as using frameworks that handle output encoding by default.

**On-the-Job Application of SQL Injection Attacks:**

1. **Secure Coding Practices in the Development Cycle**:\
   Your company’s new e-commerce site lets users search for products by keyword. Before launch, you review the code and notice the backend query directly concatenates user input into an SQL statement, such as:

   ```sql
   sqlCopy codeSELECT * FROM products WHERE name LIKE '%" + userInput + "%';
   ```

   You know this is a prime opportunity for SQL injection. Attackers could enter a search term like `%' OR '1'='1` to extract sensitive data.\
   On the job, you would:

   * Recommend using parameterized queries or prepared statements, which safely separate code from data.
   * Ask the development team to implement input validation, ensuring only expected characters (letters, numbers, spaces) are allowed in search fields.
   * Review and test these changes using a vulnerability scanner or a tool like SQLMap to confirm the issue is resolved.
2. **Vulnerability Scanning and Penetration Testing**:\
   Regularly, you run automated scanning tools against your web applications. One scanner flags a potential SQL injection in a login form. The form accepts an email and password, and the scanner reports that entering certain special characters (`' OR 'a'='a`) bypasses authentication.\
   On the job, you would:
   * Attempt a controlled test to confirm the vulnerability (in a safe, non-production environment).
   * Once confirmed, collaborate with the development team to sanitize inputs and use prepared statements for the login query.
   * Update your vulnerability management process to ensure new code undergoes similar tests before deployment.
3. **Incident Response for Active SQL Injection Attack**:\
   Suppose alerts from your SIEM (Security Information and Event Management) system indicate unusual database queries running outside normal parameters. You find that an attacker is exploiting a product review form to run UNION queries and extract sensitive customer data.\
   On the job, you would:
   * Immediately block suspicious IP addresses and isolate the affected application to prevent further data leakage.
   * Instruct the database team to rotate credentials and review database logs for unauthorized queries.
   * Work closely with the development team to implement parameterized queries, escape user input, and enable strict input validation.
   * Document the incident, then add new automated tests to prevent similar issues in future code.

**Key Takeaways:**

* **Preventive Measures**: As a security professional, you inform developers about best practices for input validation, output encoding, and parameterized queries.
* **Detection and Monitoring**: You use tools like IDS/IPS, WAF, and vulnerability scanners to spot malicious attempts at XSS or SQL injection.
* **Incident Response**: If an attack succeeds, you rapidly respond by isolating the threat, removing malicious code, and updating security controls.
* **Continuous Improvement**: Every discovered vulnerability or successful attack leads to stronger security guidelines, improved code review processes, and better training for the development team.

In essence, understanding XSS and SQL injection is not just academic knowledge for you as a security analyst. It’s practical, everyday work that involves detecting and preventing these attacks in real-time, collaborating with developers to close security gaps, and ensuring that your company’s data—and your customers’ data—remains safe.
