SQL Injection, Cross-Site Scripting (XSS), and Application Vulnerabilities

Application vulnerabilities are among the most critical risks in modern cybersecurity. SQL injection and cross-site scripting (XSS) are consistently at the top of the OWASP Top 10 and are heavily tested on the Security+ exam.

SQL Injection (SQLi)

SQL injection is a code injection technique where an attacker inserts malicious SQL statements into an application's input field. If the application doesn't properly validate input and constructs SQL queries by concatenating user input, the attacker can manipulate the query to read, modify, or delete database data.

Example: A login form constructs a query: SELECT * FROM users WHERE username = 'user' AND password = 'pass'. The attacker enters: ' OR '1'='1. The query becomes: SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'. This bypasses authentication entirely because '1'='1' is always true.

SQL injection can extract entire databases, bypass authentication, execute administrative commands, and in some cases gain shell access to the database server.

  • Injects malicious SQL through unsanitized user input
  • Can read, modify, or delete database contents
  • Can bypass authentication entirely
  • Parameterized queries (prepared statements) are the primary defense
  • Input validation and least privilege database accounts reduce impact

Cross-Site Scripting (XSS)

XSS allows attackers to inject malicious scripts (usually JavaScript) into web pages viewed by other users. The injected script executes in the victim's browser with the same privileges as the legitimate site, allowing attackers to steal cookies, session tokens, or redirect users to malicious sites.

Reflected XSS — the malicious script is part of the request (e.g., in a URL parameter). The victim clicks a crafted link, the server reflects the script in the response, and the browser executes it. Most common in search boxes and error messages.

Stored (Persistent) XSS — the malicious script is stored on the server (e.g., in a comment, forum post, or profile field). Every user who views the page executes the script. More dangerous than reflected XSS because it affects multiple users without requiring them to click a malicious link.

DOM-based XSS — the vulnerability exists in client-side JavaScript that processes user input unsafely, without the server reflecting the payload.

  • Reflected XSS: script in URL parameter, server reflects it in response
  • Stored XSS: script saved on server, affects all visitors (more dangerous)
  • DOM-based XSS: client-side JS processes input unsafely
  • Defense: output encoding, Content Security Policy (CSP), input validation
  • XSS can steal cookies, redirect users, or deface websites

Other Application Vulnerabilities

Buffer Overflow — occurs when a program writes more data to a buffer than it can hold. The excess data overwrites adjacent memory, potentially corrupting data or allowing code execution. Common in C/C++ programs. Mitigation: modern OS protections (ASLR, DEP), safe coding practices, and bounds checking.

Race Condition — occurs when multiple processes access shared resources simultaneously and the outcome depends on the timing of execution. Time-of-check to time-of-use (TOCTOU) is a common race condition where a resource is checked and then used, but the state changes between check and use.

Directory Traversal — attacker accesses files outside the web root by using ../ sequences in file paths. Example: ../../etc/passwd. Mitigation: validate and sanitize file paths, use whitelists, run application with least privilege.

Zero-Day — a vulnerability that is unknown to the vendor and has no available patch. Zero-days are extremely valuable to attackers and are often used in targeted attacks.

  • Buffer overflow: writing beyond buffer bounds — leads to code execution
  • Race condition: timing-dependent, multiple processes accessing shared resources
  • TOCTOU: check state, then use — but state changes in between
  • Directory traversal: reading files outside web root
  • Zero-day: unknown vulnerability, no patch available — most dangerous

Preventing Application Attacks

Input validation — validate all user input on both client and server sides. Use allowlists (permit only known good input) rather than blocklists (block known bad input).

Parameterized queries — use prepared statements with parameter placeholders instead of string concatenation for SQL queries. This is the definitive defense against SQL injection.

Output encoding — encode data before rendering it in a browser to prevent XSS. Context matters: encode differently for HTML, JavaScript, CSS, and URLs.

Content Security Policy (CSP) — a browser security mechanism that restricts which scripts can execute on a page. Even if XSS is injected, CSP can prevent script execution.

OWASP Top 10 — the standard awareness document for application security risks. Security+ covers the critical risks: SQL injection, XSS, broken authentication, and security misconfiguration.

  • Input validation: use allowlists (whitelist) over blocklists (blacklist)
  • Parameterized queries: definitive SQL injection defense
  • Output encoding: context-specific encoding prevents XSS
  • CSP: browser-level defense that blocks unauthorized scripts
  • OWASP Top 10: the standard reference for web application risks

Exam Tip

SQL injection and XSS are the most tested application vulnerabilities. Know: SQLi targets databases (use parameterized queries), XSS targets browsers (use output encoding + CSP). Reflected vs Stored XSS: reflected is in the URL, stored is on the server. OWASP Top 10 is the standard reference.