LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

The threats facing a web application can be grouped by where along the path they strike — the user, the connection, or the server. What lands in each group, and why is that a useful map?

Three zones: the user is tricked or infected, the connection between user and server is intercepted or ridden, and the server is flooded or fed malicious input.

Sorting a scary list of threats by location turns it into a map — and the location tells you who has to defend it, because each zone fails for a different reason.

Zone Threats What they exploit
The user Social engineering, spear phishing, malware Human trust and the endpoint — no protocol flaw needed
The connection (user ↔ server) Man-in-the-middle, session hijacking, session fixation, CSRF Unauthenticated traffic and the browser auto-attaching cookies
The server SYN flood, IP spoofing, SQL injection, XSS The server accepting any connection and trusting its input

Quick gloss on the application-layer ones that target the server (covered in depth elsewhere):

  • SQL injection — unsanitised input changes the meaning of a database query (' OR 1=1 --).
  • Cross-site scripting (XSS) — attacker-supplied script runs in another user's browser under your site's origin.
  • CSRF (Cross-Site Request Forgery) — a third-party page makes the victim's browser fire an already-authenticated request to your site, abusing the cookies the browser sends automatically.

Tip: The zone names the fixer. User zone → awareness + endpoint security; connection zone → TLS everywhere + sane session/cookie handling; server zone → input validation, rate-limiting, and never trusting the network.

From Quiz: ISF / Web Application Security Basics | Updated: Jul 14, 2026