📘Cisco DevNet Associate (200-901 DEVASC)
Understanding OWASP and Its Threats
OWASP stands for Open Web Application Security Project. It’s an organization that identifies the most common and critical security risks for web applications. Knowing OWASP threats is important for developers and DevOps professionals because it helps secure applications against attacks.
Here, we will focus on three major threats: XSS, SQL Injection, and CSRF.
1. Cross-Site Scripting (XSS)
What is XSS?
XSS (Cross-Site Scripting) happens when a web application allows attackers to inject malicious scripts (usually JavaScript) into web pages that other users view. These scripts can steal user data, like session tokens, or perform actions on behalf of the user.
How It Works in IT
- Suppose a web application lets users post comments.
- If the app doesn’t validate or escape user input, an attacker can insert a script into the comment.
- When other users view that comment, the script runs in their browser.
Types of XSS
- Stored XSS: Malicious script is saved in the server (e.g., database) and served to users every time the page loads.
- Reflected XSS: Malicious script is part of a URL or request and only runs when a user clicks that link.
- DOM-based XSS: The browser executes scripts based on changes to the HTML DOM, without server interaction.
Prevention
- Validate and sanitize all user inputs.
- Escape HTML characters like
<,>,&when displaying user data. - Use security libraries or frameworks that automatically handle escaping.
2. SQL Injection (SQLi)
What is SQL Injection?
SQL Injection occurs when a web application allows an attacker to execute malicious SQL statements in the database. This can give attackers access to sensitive data, like usernames, passwords, or confidential records.
How It Works in IT
- Example: A login form asks for username and password.
- If the app directly inserts user input into an SQL query without checks: SELECT * FROM users WHERE username = ‘user_input’ AND password = ‘user_input’;
- An attacker can enter something like
' OR '1'='1to bypass authentication or access all data.
Impact
- Unauthorized access to data.
- Deletion or modification of records.
- Full compromise of the database in severe cases.
Prevention
- Use parameterized queries or prepared statements instead of concatenating user input.
- Limit database permissions for application accounts.
- Regularly validate input and use ORM frameworks that handle SQL safely.
3. Cross-Site Request Forgery (CSRF)
What is CSRF?
CSRF (Cross-Site Request Forgery) tricks a user into performing actions on a web application where they are already authenticated, without their knowledge.
How It Works in IT
- A user is logged into their banking app in one browser tab.
- An attacker sends the user a specially crafted link via email or website.
- If the user clicks it, the browser executes an action (like transferring money) using the user’s session.
Prevention
- Use CSRF tokens in forms. Each request from a user should include a unique, secret token.
- Require re-authentication for sensitive actions.
- Verify the Origin or Referer header of requests to ensure they come from your app.
Summary Table of Threats
| Threat | What it does | How attackers exploit | Prevention |
|---|---|---|---|
| XSS | Injects malicious scripts into web pages | Malicious script runs in other users’ browsers | Sanitize/escape input, use security libraries |
| SQL Injection | Executes malicious SQL in database | Attacker inputs SQL code in forms or URLs | Use prepared statements, parameterized queries, input validation |
| CSRF | Tricks authenticated users to perform unwanted actions | Attacker sends crafted requests while user is logged in | Use CSRF tokens, re-authenticate sensitive actions |
Key Exam Tips
- Focus on understanding the attack mechanism, not just the name.
- Always remember prevention strategies — Cisco exams often ask about securing applications.
- Recognize real IT examples:
- XSS → stealing session cookies on web apps like dashboards.
- SQLi → accessing a customer database via vulnerable search forms.
- CSRF → performing bank transfers or changing user profiles without permission.
This explanation covers everything you need for the exam section on OWASP top threats. Students who understand how the attacks work and how to prevent them are well-prepared to answer any related questions.
