ScholarGate

Web Application Security

Web application security addresses the vulnerabilities specific to web software — injection, cross-site scripting, broken authentication, and access-control flaws — which are among the most common and impactful in modern systems.


Definition

Web application security is the practice of protecting web-based software and its users from attacks that exploit the application's handling of input, sessions, authentication, and access control, as well as weaknesses in the browser security model.

Scope

This topic covers the threat model of web applications (untrusted client, hostile network, multi-tenant servers) and its characteristic vulnerability classes: injection (SQL and command), cross-site scripting, cross-site request forgery, broken access control and authentication, and insecure deserialization. It covers the browser security model (same-origin policy, content security policy) and standard defenses. It excludes low-level memory exploitation and general secure-development process, treated in sibling topics.

Core questions

  • Why does mixing untrusted input with code or queries create injection vulnerabilities?
  • How do cross-site scripting and cross-site request forgery attack a site's users?
  • How does the browser's same-origin policy constrain what web code can do?
  • How are authentication, sessions, and access control commonly broken in web apps?
  • What standard defenses prevent the most prevalent web vulnerabilities?

Key concepts

  • SQL and command injection
  • cross-site scripting (XSS)
  • cross-site request forgery (CSRF)
  • broken access control
  • broken authentication and session management
  • same-origin policy
  • content security policy
  • parameterized queries
  • OWASP Top Ten

Key theories

Injection and the code/data confusion
Injection flaws (SQL injection, command injection) arise when untrusted input is interpreted as query structure or program code rather than as a value. The defense is to keep data and code separate: parameterized queries for SQL, passing program arguments as an argument vector rather than building a shell command string, and, as a second layer, validating input against what the application actually expects.
Browser security model and client-side attacks
The same-origin policy isolates content from different origins, but cross-site scripting injects attacker script into a trusted page so that it runs with that page's origin, and cross-site request forgery abuses the browser's habit of attaching the user's cookies to cross-site requests. Defenses are context-aware output encoding and Content Security Policy against XSS, and anti-CSRF tokens plus SameSite cookies against CSRF.
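The two client-side defenses named above, as an added example (not code from the page or from any project it cites): an output encoder per insertion context, a "before" template that interpolates raw input, a hardened template, and a signed CSRF token bound to the session. The function names, the `session_id`/`server_key` parameters and the transfer endpoint are hypothetical, and `render_profile_vulnerable` keeps the bug on purpose.

```python
import hashlib
import hmac
import html
import json
import secrets
from urllib.parse import quote, urlsplit


# --- Cross-site scripting: encode for the context the value lands in ----------

def encode_for_html(value: str) -> str:
    """Body text and quoted attribute values: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Inside a <script> block: JSON-encode, then also escape < > & as \\uXXXX so the
    HTML parser can never see '</script>' or '<!--' inside the data."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def encode_for_url_param(value: str) -> str:
    """A value inside a query string: percent-encode everything but unreserved characters."""
    return quote(value, safe="")


def safe_href(url: str) -> str:
    """A user-supplied URL used as a whole href: encoding alone is not enough, because
    'javascript:alert(1)' contains nothing that HTML escaping touches. Allowlist the scheme."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_profile_vulnerable(display_name: str, homepage: str) -> str:
    """Constructed 'before' snippet: raw interpolation in every context (deliberately unsafe)."""
    return (f"<h1>{display_name}</h1>\n"
            f'<a href="{homepage}">site</a>\n'
            f"<script>var user = \"{display_name}\";</script>")


def render_profile(display_name: str, homepage: str) -> str:
    """Hardened version: each insertion point uses the encoder for its own context."""
    return (f"<h1>{encode_for_html(display_name)}</h1>\n"
            f'<a href="{safe_href(homepage)}">site</a>\n'
            f'<a href="/go?u={encode_for_url_param(homepage)}">redirect</a>\n'
            f"<script>var user = {encode_for_js_string(display_name)};</script>")


# --- Cross-site request forgery: a token the attacker's page cannot obtain ---

def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    """Signed double-submit token: a fresh nonce bound to the session id with an HMAC, so a
    token minted by the attacker or captured from another session does not verify here.
    Assumes session_id is unguessable and server_key is a long random secret (hypothetical)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(server_key, session_id.encode() + b"\x00" + nonce.encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, server_key: bytes) -> bool:
    """Recompute the MAC for this session and compare in constant time. A cross-site form
    post carries the victim's session cookie but not this token, so it fails here."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(server_key, session_id.encode() + b"\x00" + nonce.encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_transfer(form: dict, cookies: dict, server_key: bytes) -> str:
    """Constructed state-changing endpoint: the session cookie alone is not enough."""
    session_id = cookies.get("session")
    if not session_id:
        return "401 not logged in"
    if not verify_csrf_token(form.get("csrf", ""), session_id, server_key):
        return "403 csrf check failed"
    return f"200 transferred {form.get('amount')}"
```

The token is tied to the session rather than stored server-side, so verification needs no database lookup; SameSite cookies are a complementary browser-side control, not a replacement for the check in `handle_transfer`.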

Mechanisms

SQL injection occurs when user input is concatenated into a query string, letting an attacker change the query's logic (for example, appending a clause that is always true to bypass a login); parameterized queries fix this by sending the query structure first and binding input purely as data. Cross-site scripting injects script into a page that other users' browsers then execute with the site's origin; it is mitigated by output encoding chosen for the context where the value lands (HTML body, attribute, script, URL) and by Content Security Policy. Cross-site request forgery tricks an authenticated browser into making unwanted state-changing requests, defended with anti-CSRF tokens and SameSite cookies. Access-control flaws arise when the server fails to check authorization on each request, typically by accepting a user-supplied object identifier without verifying that the caller owns that object (an insecure direct object reference).
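The SQL injection and access-control mechanisms above, as an added example (not the page's own code): a login query that concatenates input beside its parameterized form, an object lookup that forgets ownership beside one scoped to the caller, and the one case a placeholder cannot cover. The schema, users and invoices are constructed for the demonstration, and `login_vulnerable` and `get_invoice_idor` keep their bugs on purpose.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory data set: two users, each owning one invoice."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    con.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    con.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                    [(10, 1, 250), (11, 2, 999)])
    return con


def login_vulnerable(con, name: str, password: str):
    """Deliberately unsafe: input becomes part of the SQL text, so a password of
    ' OR '1'='1 turns the WHERE clause into (name AND password='') OR true."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, name: str, password: str):
    """Parameterized: the query structure is fixed before the values arrive, so the same
    payload is compared as a literal password string and matches nothing."""
    row = con.execute("SELECT id FROM users WHERE name = ? AND password = ?",
                      (name, password)).fetchone()
    return row[0] if row else None


def get_invoice_idor(con, user_id: int, invoice_id: int):
    """Deliberately unsafe: parameterized (no injection) yet still broken access control,
    because nothing ties the invoice to the authenticated user."""
    return con.execute("SELECT id, owner_id, amount FROM invoices WHERE id = ?",
                       (invoice_id,)).fetchone()


def get_invoice(con, user_id: int, invoice_id: int):
    """Object-level authorization enforced inside the query: the row must belong to the caller."""
    return con.execute("SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
                       (invoice_id, user_id)).fetchone()


ALLOWED_SORT = {"id", "amount"}


def list_invoices(con, user_id: int, sort_by: str = "id"):
    """Placeholders bind values, not identifiers: a user-chosen ORDER BY column cannot be
    a parameter, so it is checked against an allowlist before being interpolated."""
    if sort_by not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    return con.execute(
        f"SELECT id, amount FROM invoices WHERE owner_id = ? ORDER BY {sort_by}",
        (user_id,)).fetchall()
```

The sqlite3 module is used only because it ships with Python; the same `?` placeholder discipline applies to every driver, with the placeholder syntax (`%s`, `:name`, `$1`) varying by library.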

Practical relevance

Web application vulnerabilities are behind many of the largest data breaches on record: SQL injection and broken access control have repeatedly exposed entire user databases, and cross-site scripting is a routine route to account takeover. Because nearly every service has a web interface, web security directly affects e-commerce, banking, healthcare portals, and government systems, and it anchors penetration testing, bug-bounty programs, and compliance regimes such as PCI DSS.

Evidence & guidelines

The OWASP Top Ten is the de facto reference for prevalent web risks, complemented by the OWASP Application Security Verification Standard (ASVS) and the OWASP cheat sheets. Browser-enforced defenses are specified by the web standards bodies: Content Security Policy and Subresource Integrity by the W3C, the HTML and fetch behaviour they build on by the WHATWG, and cookie attributes such as SameSite by the IETF in the HTTP cookie specification. Compliance frameworks such as PCI DSS mandate web-security controls for systems handling payment data.
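The three browser-enforced defenses named above, as an added example (not the page's own code): a Subresource Integrity value computed for a script, a nonce-based Content Security Policy beside the weak variant that stops nothing, and a session cookie carrying the attributes the browser enforces beside one without them. The function names and the extra headers in `response_headers` are this example's choices, not a standard.

```python
import base64
import hashlib
import secrets


def sri_integrity(resource: bytes) -> str:
    """Subresource Integrity value for a script or stylesheet fetched from a third-party host:
    the browser refuses to load the file if its SHA-384 no longer matches."""
    return "sha384-" + base64.b64encode(hashlib.sha384(resource).digest()).decode()


def sri_matches(resource: bytes, integrity: str) -> bool:
    """What the browser does on load (single-hash case): recompute and compare."""
    return sri_integrity(resource) == integrity


def new_csp_nonce() -> str:
    """Fresh per response; an attacker who can inject HTML still cannot guess it."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def csp_header(nonce: str) -> str:
    """Nonce-based policy: only scripts carrying this response's nonce run, so an injected
    <script> from stored or reflected XSS is blocked even where output encoding was missed.
    'strict-dynamic' lets nonced scripts load their own dependencies without host allowlists."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; "
            "base-uri 'none'; frame-ancestors 'none'")


def weak_csp_header() -> str:
    """Looks like a policy but 'unsafe-inline' re-enables exactly the injected inline
    scripts CSP exists to block."""
    return "script-src 'self' 'unsafe-inline' https:"


def session_cookie(value: str) -> str:
    """Secure (HTTPS only), HttpOnly (script cannot read it, so XSS cannot steal it),
    SameSite=Lax (not attached to cross-site POSTs, blunting CSRF) and the __Host- prefix
    (browser requires Secure, Path=/ and no Domain, so a subdomain cannot overwrite it)."""
    return f"__Host-session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def weak_session_cookie(value: str) -> str:
    """The default many frameworks still emit: readable by script, sent over plain HTTP."""
    return f"session={value}; Path=/"


def script_tag(src: str, resource: bytes, nonce: str) -> str:
    """External script pinned with SRI and permitted by the CSP through the nonce."""
    return (f'<script src="{src}" integrity="{sri_integrity(resource)}" '
            f'crossorigin="anonymous" nonce="{nonce}"></script>')


def response_headers(nonce: str, session_value: str) -> dict:
    """Header set for one HTML response; the nonce must match the one in the page."""
    return {
        "Content-Security-Policy": csp_header(nonce),
        "Set-Cookie": session_cookie(session_value),
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
```

A useful check before shipping a CSP is to grep the policy for `'unsafe-inline'` and wildcard hosts under `script-src`; either one reduces the policy to a formality.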

History

Web application security grew with the dynamic web of the late 1990s and 2000s, as databases and user input created injection and scripting flaws. The OWASP Top Ten (first released 2003) standardized awareness of the most critical risks. Browser-side defenses evolved through the same-origin policy and, later, Content Security Policy, while landmark breaches repeatedly demonstrated the real-world cost of SQL injection and broken access control.

Key figures

  • Dafydd Stuttard
  • Ross Anderson
  • Jeremiah Grossman
  • Michal Zalewski

Seminal works

  • stuttard2011: D. Stuttard and M. Pinto, The Web Application Hacker's Handbook, 2nd ed., Wiley, 2011.
  • owasp2021: OWASP Foundation, OWASP Top 10:2021.
  • anderson2020: R. Anderson, Security Engineering, 3rd ed., Wiley, 2020.

Frequently asked questions

What is the single most effective defense against SQL injection?
Using parameterized queries (prepared statements), which send the SQL structure and the user-supplied values separately so input can never be interpreted as part of the query. This keeps code and data distinct and neutralizes the attack class for values. Placeholders cannot bind identifiers or keywords (table names, column names, ORDER BY direction), so those parts must be checked against an allowlist; stored procedures and ORMs only help when they themselves avoid string concatenation.
How is cross-site scripting different from SQL injection?
Both stem from untrusted input crossing into a different interpreter, but SQL injection targets the server's database, while cross-site scripting injects script that runs in other users' browsers with the trusted site's origin. SQLi reads or alters server data; XSS hijacks user sessions and performs actions as the victim. The defenses differ accordingly: parameterized queries for SQLi, context-aware output encoding and Content Security Policy for XSS.
