📗 PHASE 2: Web Security Core (Month 3–4)

---

🔥 OWASP Top 10 (Very Important)

1️⃣ SQL Injection

Vulnerable code:

SELECT * FROM users WHERE username = '$user';

Attack:

' OR '1'='1

Fix:

• Prepared statements

• Parameterized queries

---

2️⃣ XSS (Cross-Site Scripting)

Stored XSS:

• Malicious script saved in DB

Reflected XSS:

• Injected via URL

Fix:

• Escape output

• Use Content Security Policy

---

3️⃣ CSRF

User logged in → attacker forces request.

Fix:

• CSRF tokens

---

4️⃣ Broken Authentication

Fix:

• Strong hashing (bcrypt)

• Secure session handling