0 / 10 flipped
SQL Injection β Bypass Mechanism
Tap to reveal
An attacker enters
admin' -- as a username. The single quote closes the string literal in the SQL query; the double-dash begins a SQL comment, discarding everything that follows β including the password check. The query becomes: SELECT * FROM users WHERE username='admin' --' AND password='anything'. The password clause is gone. The database returns the admin record; authentication succeeds with no password. Root cause: user input concatenated directly into the SQL string. Primary defense: parameterized queries β user input is always treated as a data value, never as SQL syntax.Parameterized Query β Why It Prevents SQLi
Tap to reveal
A parameterized query sends the query structure and user-supplied values as separate elements to the database engine. The
? placeholder is always interpreted as a data slot β never as SQL syntax. If an attacker supplies admin' --, the database searches for a user whose username is literally the string admin' --. No SQL command injection is possible. This is architectural prevention, not a filter that might be bypassed. Input validation and WAFs are secondary layers β only parameterized queries eliminate the injection vector completely. Also called prepared statements.Buffer Overflow β How Code Execution Happens
Tap to reveal
A function allocates a fixed-size buffer for input. If the program writes more bytes than the buffer holds β and performs no bounds checking β excess bytes overwrite adjacent memory, including the return address the CPU will jump to when the function ends. A random overflow overwrites the return address with garbage and the application crashes. An exploitable overflow requires the attacker to: (1) know the exact offset from buffer start to return address; (2) place shellcode at a known address; (3) overwrite the return address with precisely that address. When the function returns, the CPU jumps to the shellcode. Arbitrary code execution is achieved with the application's privileges.
DEP β Data Execution Prevention
Tap to reveal
An OS and CPU-level feature that marks memory regions as either executable (code) or non-executable (data). Code in a non-executable region is rejected by the CPU. DEP directly addresses shellcode-in-buffer exploitation: even if an attacker overflows a buffer and redirects execution into the buffer, the CPU refuses to run code there because that memory is flagged as data. Hardware implementation: NX (AMD) / XD (Intel) bit on modern CPUs. Bypass technique: Return-Oriented Programming (ROP) β attacker chains small snippets of existing executable code (gadgets) rather than injecting new shellcode. DEP is a critical mitigation but not an absolute barrier against sophisticated attackers.
ASLR β Address Space Layout Randomization
Tap to reveal
An OS security feature that randomizes the base addresses of the stack, heap, and loaded libraries each time a program runs. Without ASLR, memory layout is predictable β an attacker can hardcode the target address for a buffer overflow exploit. With ASLR, the address that worked in the attacker's test environment is invalid during the next execution. Effect: forces attackers to leak addresses dynamically rather than hardcoding them. Bypass techniques: information disclosure vulnerabilities that leak memory addresses at runtime; brute force (practical only on 32-bit systems where the address space is small). Most effective when combined with DEP β DEP prevents code injection, ASLR prevents code reuse at known addresses.
Privilege Escalation β Vertical vs. Horizontal
Tap to reveal
Vertical escalation: gains a higher privilege level than legitimately assigned β a standard user exploits a vulnerability to obtain administrator or SYSTEM rights. CVE-2023-29336 is a vertical escalation: user account β SYSTEM. Detection clue: process spawning with higher privileges than its parent. Horizontal escalation: stays at the same privilege level but accesses a different account's resources β User A reads User B's files or account data by exploiting broken access controls. Also called IDOR (Insecure Direct Object Reference) when a URL parameter like
?id=1042 exposes another user's records. Detection clue: access logs showing Account A reading resources owned by Account B.CVE-2023-29336 β Key Facts
Tap to reveal
Win32k Elevation of Privilege Vulnerability β disclosed May 2023 (Patch Tuesday). Targeted the Win32k kernel driver (Windows graphics subsystem). Affected: Windows Server 2008/2008 R2/2012/2012 R2/2016 and Windows 10. A locally authenticated attacker with any user account could exploit the flaw to gain SYSTEM-level privileges β Windows' highest privilege. Was being actively exploited in the wild at disclosure. Classic attack chain: phishing β RAT (low-privilege shell) β CVE-2023-29336 exploit β SYSTEM β Mimikatz credential dump β lateral movement. The privilege escalation step is what converts a limited foothold into full system compromise. Defense: patch promptly; least privilege limits blast radius pre-escalation.
CSRF β Cross-Site Request Forgery
Tap to reveal
Also called XSRF, session riding, one-click attack, or "sea surf." Exploits the fact that browsers automatically include session cookies with every request to a domain, regardless of which page triggered the request. Attack flow: (1) victim logs into a trusted site; (2) attacker crafts a link or hidden form that causes the victim's browser to submit a request to the trusted site; (3) victim clicks the link or visits the attacker's page; (4) browser sends the request with the valid session cookie; (5) server sees a valid authenticated request and processes it β fund transfer, email change, password reset β without the victim's knowledge. The application trusted the browser's cookie; it had no way to tell whether the user intended the action.
Anti-CSRF Token β Why It Works
Tap to reveal
When the server delivers a form to the user, it embeds a unique, unpredictable cryptographic token as a hidden field. On submission, the server validates that the token matches the expected value for that session. A forged cross-site request cannot include a valid token because the browser's same-origin policy prevents an attacker's page from reading another origin's page content β the attacker cannot see the token the server embedded for the victim's session. Requests without a valid token are rejected. Why session cookies alone are insufficient: a cookie proves identity but not intent. The token proves the specific request originated from the page the server delivered β not from a forged cross-site link. Also called a synchronizer token.
Directory Traversal β Mechanism and Indicators
Tap to reveal
Also called path traversal or dot-dot-slash attack. Web applications that construct file paths from user-supplied parameters without validation allow attackers to insert
../ sequences that navigate upward in the directory tree, escaping the web root. Each ../ moves one level up. Example: GET /show.asp?file=../../windows/system.ini navigates two levels above the web root and serves a Windows system file. Evasion variant: URL-encoded form %2e%2e%2f bypasses simple string filters that block literal ../. Log indicators: ../ or %2e%2e%2f in parameter values; sequential requests with incrementing traversal depth; requests for etc/passwd, win.ini, system.ini, SAM via URL parameter. Defense: canonical path validation that verifies the resolved path begins with the expected web root before serving the file.