Chapter 80 · Tricks

Application Security — Exam Tricks

High-yield distinctions, common traps, and pattern recognition for application security questions on the Security+ exam.

Trick 1 Normalize First, Then Validate. Validating Before Decoding Lets Encoded Attacks Through.

The exam tests the relationship between input validation and normalization, and which comes first. The answer is normalization before validation. Attackers can encode malicious input in alternate formats to bypass a validator: the string <script> might be submitted as %3Cscript%3E (URL encoding). If the validator checks for literal characters before decoding, it sees percent-encoded characters and passes the input. After the validator, the application decodes and processes the string — and now has script tags in it.

Normalization (decode, standardize, canonicalize) must happen first so the validator sees the actual content in its canonical form. Only then can validation reliably identify whether the content is acceptable. Fuzzers specifically probe for encoding bypass gaps that manual review misses.

Pattern Recognition
"What is the purpose of normalization in input handling?"
→ Standardize/decode input to canonical form before validation — prevents encoded bypass attacks
"Attacker bypasses input validation by encoding malicious characters" — what was missing?
→ Normalization step before validation — the validator saw encoded form, not decoded content
"What does a fuzzer do that manual testing does not?"
→ Exhaustively tests unexpected/malformed inputs including encoding variations, boundary values, null bytes — finds edge cases human testers miss
"Input validation prevents which attacks?"
→ SQL injection, XSS, buffer overflow, command injection — all rely on malicious input treated as trusted data
Memory anchor: Normalize → Validate → Process. Validate before normalizing and encoded attacks sneak through. Normalize first and the validator sees the real content.
Trick 2 SAST Finds What Is IN the Code. It Cannot Find What Is WRONG With the Logic.

The most common SAST exam trap is overstating its capabilities. SAST matches code patterns against known-vulnerable patterns. It does not understand what the code is supposed to do or evaluate whether the logic is correct. This creates two important gaps.

First, cryptographic implementation errors are invisible to SAST. SAST can see that AES is called — it cannot evaluate whether the key size is appropriate, whether the IV is being reused across sessions, or whether the padding mode is secure. The code looks like valid AES usage; SAST has no way to know it is wrong. Second, false positives require human review. SAST flags code that resembles a vulnerable pattern. Some of those flags are correct; many are safe code that looks like a problem. SAST output is a starting point for human review, not a finished vulnerability report.

Pattern Recognition
"SAST scans code — which vulnerability would it MISS?"
→ Cryptographic implementation errors, authentication design flaws, business logic vulnerabilities — anything requiring logic/intent evaluation rather than code pattern matching
"SAST produces output — what must the developer do with it?"
→ Manually review each finding for false positives — SAST output requires human verification before acting on it
"Which vulnerabilities does SAST find WELL?"
→ Buffer overflows (unsafe functions like gets), SQL injection (string concatenation in queries), hardcoded credentials, deprecated crypto algorithm calls
"SAST vs. fuzzing — key difference?"
→ SAST = static analysis of source code (no execution). Fuzzing = dynamic testing with malformed runtime input (app runs). Both find vulnerabilities; different mechanisms and different blind spots.
Memory anchor: SAST sees code patterns. It cannot evaluate correctness, intent, or logic. Buffer overflows: visible. Crypto implementation errors: invisible. False positives: inevitable.
Trick 3 Code Signing Key Trap: CA Signs Developer's PUBLIC Key. Developer Signs Code With PRIVATE Key.

Code signing questions frequently test which key is used at which step. The trap is reversing the CA and developer actions, or confusing public and private key roles.

Memory device: the CA vouches for the developer's identity — it signs the developer's public key to create the certificate. The developer signs the code to prove it came from them — they use their private key (only they have it). The OS verifies by decrypting the signature with the developer's public key and comparing to a fresh hash of the file. CA signs public. Developer signs with private. OS verifies with public.

Pattern Recognition
"What does the CA sign in code signing?"
→ The developer's PUBLIC key — creating the code-signing certificate that vouches for developer identity
"What key does the developer use to sign the code?"
→ Their PRIVATE key — only the developer has it; anyone can verify with the developer's public key
"How does the OS verify a code signature?"
→ Uses developer's PUBLIC key to decrypt signature; independently hashes the file; compares — match means untampered code from the certified developer
"Internal enterprise apps without a public CA — code signing still possible?"
→ Yes — internal CA signs the developer's cert; internal CA root cert distributed to all org devices so they trust internal developer signatures
Memory anchor: CA signs developer's PUBLIC key. Developer signs code with PRIVATE key. OS verifies with developer's PUBLIC key. CA → public. Developer → private. OS → public.
Trick 4 Sandboxing Limits Scope After Compromise. It Does Not Prevent the Compromise.

The exam may present a scenario where an application is exploited and ask which control limited the damage. The answer is sandboxing if the attacker achieved code execution but could not reach outside the application's permitted scope. The key distinction: sandboxing is not a preventive control for the initial compromise — it is a containment control for what happens after.

Input validation prevents the initial exploit. Code signing prevents installing tampered software. SAST finds vulnerabilities during development. But if all those controls fail and an attacker achieves code execution, sandboxing is what limits the blast radius: the attacker can only do what the compromised application was allowed to do.

Pattern Recognition
"App was exploited but attacker could not access other apps' data or system files" — which control?
→ Sandboxing — the OS sandbox limited the attacker to the compromised app's permission boundary
"Which sandboxing environment is built into Windows for privilege control?"
→ User Account Control (UAC) — apps run at standard user privilege; admin actions require explicit elevation
"Dev team tests code without affecting production" — which sandboxing context?
→ Development sandbox — isolated development/testing environment separated from production systems
"Browser tab compromised; attacker cannot read other tabs' data" — which control?
→ Browser sandboxing — each tab/iframe runs in a restricted context; cross-origin data access blocked by same-origin policy and browser sandbox
Memory anchor: Sandboxing = blast radius control, not prevention. Input validation prevents the attack. Sandboxing contains the damage if prevention fails. "Attacker got in but could not reach X" = sandboxing at work.
Practice Scenarios — Apply the Tricks
Scenario A: A developer reviews SAST output for a financial application. Finding #4 flags a custom date-parsing function as potentially allowing buffer overflow. The developer reviews the code and confirms the function correctly bounds-checks all input — it handles the flagged case safely. Finding #19 flags a call to MD5. The developer notes this MD5 call computes a checksum for a configuration file integrity check, not for password storage. Finding #28 flags that user passwords are hashed with MD5 and no salt before storage in the database. How should the developer handle each finding, and what does this illustrate about SAST?
Scenario B: An organization distributes an internal HR application to all employees. They want to ensure that only the IT-approved version of the application runs and that employees can verify the software has not been tampered with. They do not want to pay for a public CA certificate. How can they implement code signing for this internal application?
Scenario C: A security team is evaluating the risk from a newly discovered zero-day exploit in a widely used PDF rendering library embedded in several enterprise applications. The exploit allows code execution within the PDF renderer process. Before patching is available, what existing application security control most limits the damage from this exploit, and what residual risk remains?