Code of the Day

Common vulnerabilities

The recurring flaws — injection, XSS, and friends — and the habits that prevent them.

By the end of this lesson you will be able to:
  • Recognise injection and cross-site scripting
  • Explain why they share one root cause — mixing data with code
  • Apply the standard defenses

A handful of vulnerability classes account for an enormous share of real breaches. You don't need to memorise an encyclopedia — but you must recognise these, because they are easy to introduce and the ways to prevent them are well understood. Strikingly, the two biggest share a single root cause: untrusted data being treated as code.

Injection (e.g. SQL injection)

Injection happens when user input is concatenated into a command — a SQL query, a shell command — and the input is crafted to change the command's meaning:

# DANGEROUS — the input becomes part of the query
db.execute("SELECT * FROM users WHERE name = '" + name + "'")
# name = "'; DROP TABLE users; --"  → catastrophe

The fix is to never build commands by string concatenation. Use parameterised queries, which send the data separately from the command so it can never be interpreted as code:

db.execute("SELECT * FROM users WHERE name = ?", [name])   # safe

Cross-site scripting (XSS)

XSS is the same bug in the browser: untrusted input rendered into a page as HTML/JavaScript runs in your users' browsers. An attacker's <script> in a comment field can steal sessions or act as the victim.

The fix is the same shape: treat data as data. Escape user content on output so it renders as text, not markup. Modern frameworks (React and friends) escape by default — the danger is the "insert raw HTML" escape hatches, which you should avoid for untrusted content.

The unifying lesson

Injection and XSS are one idea: keep data and code separate. Parameterised queries and output escaping are both ways of saying "this is data, never execute it." Hold that principle and you've understood the most important vulnerability class there is.
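To make the two halves of that principle concrete, here is an added example (not code from the lesson) that runs the vulnerable and the parameterised query against a constructed in-memory SQLite table, then escapes a comment for output. Python's sqlite3 executes only one statement per call, so the DROP TABLE input shown above is rejected there; a constructed input that rewrites the WHERE clause shows the same flaw.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db


def find_user_unsafe(db, name):
    # DANGEROUS: the input is spliced into the SQL text, so a quote in
    # the value changes the structure of the query itself.
    return db.execute(
        "SELECT name FROM users WHERE name = '" + name + "'"
    ).fetchall()


def find_user_safe(db, name):
    # Parameterised: the driver sends the value separately from the SQL,
    # so the input can only ever be compared as data.
    return db.execute(
        "SELECT name FROM users WHERE name = ?", [name]
    ).fetchall()


def render_comment(comment):
    # Output escaping: < > & and quotes become entities, so the browser
    # shows the comment as text instead of running it as markup.
    return "<p>" + html.escape(comment) + "</p>"


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input that alters the WHERE clause
    print(find_user_unsafe(db, crafted))  # every row, although no user has that name
    print(find_user_safe(db, crafted))    # [] the value is matched literally
    print(render_comment("<script>alert(1)</script>"))
```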

A few more to know by name: CSRF (forged requests from a logged-in user's browser — use anti-CSRF tokens), and insecure direct object references (accessing /orders/123 that isn't yours — the bug from the auth lesson).

The OWASP Top 10 is the industry's regularly-updated list of the most critical web vulnerabilities. Skimming it is one of the highest-value hours a developer can spend — and a perfect "read the docs" exercise.

Where to go next

That completes Security Fundamentals. Next module: Distributed Systems — the new failure modes that appear once a system spans more than one machine.
