How web attacks work: the attacker's perspective
threat modeling, attack surface, trust boundaries, recon phase, exploit chain, defense in depth
The Attacker's Perspective
Every vulnerability follows the same pattern: an attacker finds a trust boundary your code crosses without verification. Understanding this pattern is more valuable than memorizing a list of CVEs.
The Exploit Chain
Attackers follow a predictable sequence. First, recon: they map your endpoints, frameworks, and error messages. Then they identify a weak trust boundary—a place where your code accepts input from an untrusted source (user, URL, database, third-party API) and acts on it without validation. Finally, they craft a payload that exploits that gap.
A SQL injection happens because code trusts user-supplied strings as SQL. An XSS happens because code trusts user input as safe HTML. An SSRF happens because code trusts a user-supplied URL without checking if it points internally.
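The three trust boundaries named above, each with its check placed at the boundary, as an added Python example that is not part of the original page. The `users` table, the `.test` hostnames, the `fake_dns` resolver and all function names are constructed for illustration.

```python
import html
import ipaddress
import socket
import sqlite3
from urllib.parse import urlsplit

def find_user_unsafe(db, name):
    # 'Before': the string crosses into SQL unchecked and is parsed as SQL.
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()

def find_user(db, name):
    # 'After': a bound parameter is always data, whatever characters it holds.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def render_comment(text):
    # HTML boundary: encode at output so markup characters display as text.
    return f"<p>{html.escape(text, quote=True)}</p>"

def resolve_host(host):
    # Default resolver; callers may substitute their own (the demo does).
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def url_is_external(url, resolve=resolve_host):
    # URL boundary: accept only http(s) URLs whose host resolves solely to
    # globally routable addresses (rejects loopback, private, link-local).
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except (OSError, ValueError):
        return False
    return bool(addrs) and all(a.is_global for a in addrs)

def demo():
    # All data below is constructed sample input.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    hostile = "x' OR '1'='1"
    fake_dns = {"example.test": ["93.184.216.34"], "intranet.test": ["10.0.0.5"]}
    resolve = lambda host: fake_dns.get(host, [])
    return {
        "unsafe_rows": len(find_user_unsafe(db, hostile)),  # every row matches
        "safe_rows": len(find_user(db, hostile)),           # no user has that name
        "html": render_comment("<script>alert(1)</script>"),
        "external": url_is_external("https://example.test/a", resolve),
        "internal": url_is_external("http://intranet.test/admin", resolve),
    }
```

The URL check only holds if the fetch then connects to the address that was checked, and if every redirect target is checked the same way; a second DNS lookup at request time can return a different answer.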
Threat Modeling in 3 Steps
Before writing any feature, ask three questions. Who are the users of this data flow? What can go wrong at each step? How would I detect or prevent it?
STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is a checklist of threat categories for answering the what-can-go-wrong question. You don't need to memorize the acronym—you need the habit of asking what-can-go-wrong at every input boundary.
Defense in Depth
No single control stops all attacks. Layer your defenses: validate input, encode output, enforce least privilege, log anomalies, and set security headers. If one layer fails, the next catches it.
