ning for the Cybersecurity Practitioner Support Associate (CPSA). From here on, it’s down to self-study, hands-on practice, and personal discipline — and I’m ready for it.
We wrapped up the last part of the Web Applications and Sites module with a deep dive into key web-based attack techniques that every cybersecurity professional must understand.
Cross-Site Scripting (XSS) Attacks
We explored the three main types of XSS attacks:
- Reflected XSS – Payloads are reflected immediately off the web server and back to the user.
- Stored XSS – Malicious scripts are stored on the server (e.g., in a comment or message) and executed when someone else loads the page.
- DOM-based XSS – The attack is triggered entirely on the client side by manipulating the DOM through JavaScript.
Each method was broken down, showing how it is exploited and, more importantly, how it can be prevented.
Injection Attacks
We moved into various injection techniques, including:
- SQL Injection
- LDAP Injection
- Code Injection
- XML Injection
- Command Injection
All of these rely on improper input sanitisation and user data being trusted without validation. Real-world examples showed just how quickly an application can be compromised when these vulnerabilities exist.
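As an added illustration of the XSS and injection sections above (this is not code from the training session), here is a constructed Python login query and comment renderer, each shown in its vulnerable form next to its fixed form; the table, credentials and payload are made up:

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory users table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, pw):
    # User data is concatenated straight into the SQL text, so the database
    # cannot tell attacker-supplied syntax apart from the intended query.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, pw):
    # Parameterised query: values are bound separately, so quotes and
    # operators inside them are plain data and never become SQL.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def render_comment_vulnerable(comment):
    # Stored/reflected XSS sink: untrusted text dropped into HTML as-is.
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    # Output encoding turns markup characters into harmless entities,
    # so the browser shows the text instead of executing it.
    return f"<p>{html.escape(comment)}</p>"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "' OR '1'='1"))  # every user returned
    print(login_safe(db, "alice", "' OR '1'='1"))        # [] (no match)
    print(render_comment_safe("<script>alert(1)</script>"))
```

Running it shows the concatenated query returning every account for the classic quote-and-OR input, while the parameterised version returns nothing for the same input and the escaped comment arrives in the page as inert text.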
Session Handling & Database Security
Next up was session handling — learning how session IDs can be stolen or manipulated, leading to unauthorised access or session fixation attacks.
We also explored different database systems, how they operate, and their potential attack surfaces:
- Microsoft SQL Server (MSSQL)
- Default Port: 1433 / 1434
- Hidden Mode: 2433
- MySQL
- Default Port: 3306
- Oracle DB
- Default Port: 1521
Understanding these ports is essential during reconnaissance and scanning phases.
Getting Hands-On: Metasploitable 2 & FTP Attacks
With an hour or two left, we fired up a VM running Metasploitable 2, a vulnerable-by-design OS used for practicing attacks.
We targeted the FTP service, experimenting with:
- Username/password brute-force attacks
- Privilege escalation attempts to gain root access
This part was a real eye-opener: seeing how quickly an attacker can go from login to full system control really reinforces the importance of good configurations and security hygiene.
VMs are a must-have for any serious learner, and Metasploitable 2 is an absolute classic. It’s basically a playground for offensive security skills.
So What Now?
Now it’s time to level up.
- Book my Security+ exam – I think I’m ready.
- Actually start learning the CPSA content – Up to now, I’ve mostly listened to the online sessions. Now comes the real study.
- Join the weekly Study Buddy group run by Optima – time to engage and stay accountable.
- Register with Hack The Box — it’s hands-on, practical, and perfect for learning real-world skills.
- Explore PortSwigger.net — home of the Web Security Academy, which offers brilliant labs and walkthroughs for understanding web app attacks.
This CPSA journey is just beginning.