Injection Attack
A class of application attacks where an attacker inserts malicious data into an application's input stream that is then passed unsanitized to a backend interpreter (database engine, HTML renderer, LDAP directory, XML parser). The interpreter executes the injected commands as legitimate instructions. The root cause is always inadequate input validation. Injection types include SQL injection (most common), HTML injection, XML injection, and LDAP injection. Defense: input validation, parameterized queries, output encoding.
SQL Injection (SQLi)
The most common injection attack variant. An attacker inserts malicious SQL commands into application input fields β login forms, search boxes, URL parameters β that are incorporated into database queries without sanitization. The injected commands are executed by the database, allowing the attacker to bypass authentication, read unauthorized data, modify records, delete tables, or in some configurations execute OS commands. Completely prevented by parameterized queries (prepared statements) which treat user input as data, never as executable SQL.
Buffer Overflow
A memory safety vulnerability where a program writes more data to a fixed-size memory buffer than it can hold. Excess data overwrites adjacent memory regions β potentially including return addresses, function pointers, or other variables. An attacker who crafts a buffer overflow precisely enough can overwrite a return address with a pointer to attacker-controlled shellcode, achieving arbitrary code execution. Difficult to exploit reliably (many attempts simply crash the application) but extremely powerful when a stable, repeatable exploit is found. Defense: bounds checking in code; DEP and ASLR at the OS level.
Bounds Checking
The programming practice of verifying that any write to a memory buffer does not exceed the buffer's allocated size before performing the write. The developer-level defense against buffer overflows. Languages with automatic memory management (Java, Python, Go, Rust) perform bounds checking automatically. C and C++ do not β developers must explicitly validate input sizes before writing to buffers. Functions like
strcpy() and gets() in C are notorious for lacking bounds checking and are replaced by safer alternatives in modern code.Data Execution Prevention (DEP)
An OS and CPU-level security feature that marks memory regions as either executable (allowed to contain code the CPU runs) or non-executable (data only). Code in non-executable memory is rejected by the CPU. DEP directly addresses the shellcode-in-buffer phase of buffer overflow exploitation: even if an attacker overwrites a return address to point at injected shellcode in a data buffer, the CPU refuses to execute it because that memory is marked non-executable. Available as a hardware feature (NX/XD bit) on modern processors and implemented in Windows, Linux, and macOS.
Address Space Layout Randomization (ASLR)
An OS security feature that randomizes the memory addresses where the stack, heap, and loaded libraries are placed each time a program runs. Without ASLR, an attacker can hardcode the target address for a buffer overflow exploit because memory layout is predictable. With ASLR, the layout changes every execution β an address that worked in the attacker's test environment will not be valid on the next execution. Forces attackers to leak addresses dynamically or rely on brute force. Effective when combined with DEP; less effective alone because some exploitation techniques can bypass address randomization.
Privilege Escalation
An attack where an authenticated user (or process) obtains access permissions beyond what they were legitimately granted by exploiting a vulnerability, bug, or design flaw. Vertical escalation: moves up privilege levels β user to administrator, or user to SYSTEM (highest Windows privilege). Horizontal escalation: moves laterally at the same privilege level β User A accesses User B's data without elevated permissions. A critical phase in multi-stage attacks: initial access rarely provides the access level needed for the attacker's objectives; escalation bridges that gap.
CVE-2023-29336
Win32k Elevation of Privilege Vulnerability, disclosed May 2023. Affected the Win32k kernel driver in Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and Windows 10. A locally authenticated attacker exploiting this vulnerability gained SYSTEM-level privileges β the highest privilege level in Windows. Was being actively exploited in the wild at the time of disclosure. Patched in Microsoft's May 2023 Patch Tuesday. Representative of the privilege escalation vulnerability class: locally exploitable, requires an existing low-privilege foothold, elevates to full system control.
Cross-Site Request Forgery (CSRF)
A web application attack also called XSRF, session riding, or one-click attack. Exploits the trust a web application has in an authenticated user's browser: if a user is logged in, the application accepts requests arriving with their session cookie as legitimate, regardless of which page triggered the request. An attacker constructs a link or page that causes the victim's browser to send a request to the trusted application (fund transfer, password change, post) without the victim's awareness. The victim's browser automatically includes the session cookie; the server processes the request as authentic. Prevented by anti-CSRF tokens and the SameSite cookie attribute.
Anti-CSRF Token
A unique, unpredictable cryptographic value generated by the server for each user session (or each form submission) and embedded in every HTML form as a hidden field. When a form is submitted, the server validates that the correct token is present. An attacker constructing a forged cross-site request cannot include a valid token because they cannot read the victim's session page (same-origin policy). Requests without a valid token are rejected. The primary and most effective defense against CSRF attacks. Also called a synchronizer token.
Directory Traversal
Also called path traversal or dot-dot-slash attack. A web vulnerability allowing an attacker to access files outside the web server's intended root directory by including
../ sequences in file path parameters. Each ../ moves one directory level up in the filesystem. Attackers use repeated traversal sequences to navigate from the web root to sensitive system files (configuration files, password files, application source code). Caused by web server misconfiguration, web server software vulnerabilities, or application code that constructs paths from unsanitized user input. Indicator: ../ sequences in web server access logs.Parameterized Query
A database query technique where the query structure is defined with placeholder parameters, and user-supplied values are bound to those parameters separately by the database driver. The database engine always treats bound parameter values as literal data β never as SQL syntax. Even if an attacker supplies SQL commands as input, the database interprets them as a string value to search for, not as commands to execute. The complete prevention for SQL injection at the application code level. Also called a prepared statement. Should be used for every database interaction involving user-supplied data.