The threats facing a web application can be grouped by where along the path they strike — the user, the connection, or the server. What lands in each group, and why is that a useful map?
Three zones: the user is tricked or infected, the connection between user and server is intercepted or ridden, and the server is flooded or fed malicious input.
Sorting a scary list of threats by location turns it into a map — and the location tells you who has to defend it, because each zone fails for a different reason.
| Zone | Threats | What they exploit |
|---|---|---|
| The user | Social engineering, spear phishing, malware | Human trust and the endpoint — no protocol flaw needed |
| The connection (user ↔ server) | Man-in-the-middle, session hijacking, session fixation, CSRF | Unauthenticated traffic and the browser auto-attaching cookies |
| The server | SYN flood, IP spoofing, SQL injection, XSS | The server accepting any connection and trusting its input |
Quick gloss on the application-layer ones that target the server (covered in depth elsewhere):
- SQL injection — unsanitised input changes the meaning of a database query (
' OR 1=1 --). - Cross-site scripting (XSS) — attacker-supplied script runs in another user's browser under your site's origin.
- CSRF (Cross-Site Request Forgery) — a third-party page makes the victim's browser fire an already-authenticated request to your site, abusing the cookies the browser sends automatically.
Tip: The zone names the fixer. User zone → awareness + endpoint security; connection zone → TLS everywhere + sane session/cookie handling; server zone → input validation, rate-limiting, and never trusting the network.