3.3.1. Application and Web Vulnerabilities
💡 First Principle: Most application vulnerabilities stem from one root cause: the application trusts user input that it shouldn't. When an application fails to validate, sanitize, or properly handle external input, attackers can inject malicious data that changes the application's behavior.
SQL injection (SQLi) – inserting SQL commands into input fields to manipulate the database. A login form vulnerable to SQLi might accept ' OR 1=1 -- as a username, bypassing authentication entirely because the injected SQL always evaluates as true.
Cross-site scripting (XSS) – injecting malicious scripts into web pages viewed by other users. Stored XSS persists in the database; reflected XSS arrives via crafted URLs. Both execute in the victim's browser, potentially stealing session cookies or credentials.
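Both XSS variants in the paragraph above, as an added Python example that is not from the original guide: a constructed comment store models stored XSS (content saved once, rendered to every later visitor) and a search page that echoes a URL parameter models reflected XSS. The unsafe renderers interpolate raw text into HTML; the safe ones escape on output with the standard library's html.escape, so the browser displays the text instead of running it. The store, the benign <script>alert(1)</script> test comment and the function names are assumptions made for this example.

```python
from html import escape

# Constructed comment store standing in for the application's database.
_comments = []


def post_comment(text):
    # Store as-is. Escaping belongs at output time, because the same text may be
    # rendered into HTML, JSON or a log, each with its own encoding rules.
    _comments.append(text)


def render_comments_unsafe():
    # Stored XSS: database content is interpolated straight into markup.
    return "<ul>" + "".join(f"<li>{c}</li>" for c in _comments) + "</ul>"


def render_comments_safe():
    # Escape <, >, &, " and ' so stored content can never become markup.
    return "<ul>" + "".join(
        f"<li>{escape(c, quote=True)}</li>" for c in _comments
    ) + "</ul>"


def render_search_unsafe(query):
    # Reflected XSS: a parameter from the request URL is echoed back verbatim.
    return f"<p>Results for {query}</p>"


def render_search_safe(query):
    return f"<p>Results for {escape(query, quote=True)}</p>"


def contains_script_tag(html):
    # Simple output check used by the demo: did a live <script> tag survive?
    return "<script" in html.lower()


if __name__ == "__main__":
    post_comment("<script>alert(1)</script>")   # constructed, benign test payload
    print(render_comments_unsafe())   # live tag reaches every visitor's browser
    print(render_comments_safe())     # &lt;script&gt;... shown as text
    print(render_search_safe("<img src=x onerror=alert(1)>"))
```

Output encoding is context-specific: html.escape is right for HTML element and attribute bodies, but a value placed inside a URL, a JavaScript string or a CSS rule needs the encoder for that context, which is why template engines that auto-escape per context are preferred over hand-rolled escaping.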
Buffer overflow – writing more data to a memory buffer than it can hold, overwriting adjacent memory. This can crash applications or allow arbitrary code execution. Buffer overflows are among the oldest and most dangerous vulnerability classes.
Race conditions – occur when a system's behavior depends on the timing of events. An attacker might exploit the gap between a security check and the action it authorizes (time-of-check/time-of-use, or TOCTOU). Example: checking if a user has sufficient funds, then deducting the funds – if the user can trigger two transactions simultaneously, they might overdraw.
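The funds example above, as an added Python example that is not from the original guide. Two threads each withdraw the full balance: the racy version checks the balance and deducts it as two separate steps, and a barrier (a constructed hook, assumed for this demo) forces both threads past the check before either deducts, which makes the overdraw deterministic instead of timing-dependent. The safe version performs check and deduct under one lock, so the second withdrawal sees the updated balance and is refused. The Account class and its method names are assumptions made for this example.

```python
import threading


class Account:
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, after_check=None):
        # Time of check: read the balance.
        if self.balance >= amount:
            if after_check is not None:
                after_check()          # the TOCTOU window; another thread may act here
            # Time of use: each step is atomic on its own, but the gap between the
            # check and the deduction is not, so the check may already be stale.
            with self._lock:
                self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount):
        # Check and deduct are one critical section: no window between them.
        with self._lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def run_concurrent(fn, n):
    # Run fn in n threads and collect each thread's return value.
    results = [None] * n

    def worker(i):
        results[i] = fn()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_racy():
    acct = Account(100)
    # Barrier(2): neither thread deducts until both have passed the check.
    barrier = threading.Barrier(2)
    results = run_concurrent(
        lambda: acct.withdraw_racy(100, after_check=barrier.wait), 2)
    return results, acct.balance        # both succeed; balance goes to -100


def demo_safe():
    acct = Account(100)
    results = run_concurrent(lambda: acct.withdraw_safe(100), 2)
    return sorted(results), acct.balance  # exactly one succeeds; balance 0


if __name__ == "__main__":
    print("racy:", demo_racy())
    print("safe:", demo_safe())
```

In a database-backed application the equivalent fix is a single conditional statement such as UPDATE ... SET balance = balance - ? WHERE id = ? AND balance >= ?, checking the affected-row count, or a SELECT ... FOR UPDATE inside the same transaction, rather than a read followed by a separate write.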
Improper error handling – error messages that reveal internal details (database structure, file paths, stack traces) give attackers reconnaissance information. A detailed error message is a roadmap for exploitation.
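An added Python example, not from the original guide, of the two ways a web handler can turn an exception into a response. The verbose handler puts the exception type and message (which for a database error typically names the table and the failing SQL) into the body sent to the client; the safe handler logs the full detail server-side under a random reference id and returns only a generic message plus that id, so support staff can find the real error without the client learning anything about the internals. The handler functions, the response dictionary shape and the constructed database error are assumptions made for this example.

```python
import logging
import uuid

log = logging.getLogger("app")


def handle_error_verbose(exc):
    # Leaks reconnaissance data: exception class, raw message and whatever the
    # underlying driver put in it (table names, SQL fragments, file paths).
    return {"status": 500, "error": f"{type(exc).__name__}: {exc}"}


def handle_error_safe(exc):
    # Correlation id ties the client-visible response to the server-side log entry.
    ref = uuid.uuid4().hex[:12]
    # Full detail, including the traceback, stays in the server log.
    log.error("request failed ref=%s", ref, exc_info=exc)
    return {"status": 500, "error": "An internal error occurred.", "ref": ref}


def leaks_internal_detail(response, secret_fragments):
    # Check used by the demo: does any internal string appear in the client body?
    body = response["error"]
    return any(fragment in body for fragment in secret_fragments)


class FakeDatabaseError(Exception):
    """Constructed stand-in for a driver error carrying internal detail."""


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    err = FakeDatabaseError(
        "no such column: users.password_hash in /srv/app/db/schema.sql")
    print(handle_error_verbose(err))   # exposes column, table and file path
    print(handle_error_safe(err))      # generic message plus reference id
```

The same split applies to HTTP frameworks' debug modes: a stack-trace page is useful on a developer's machine and a reconnaissance gift in production, so debug output should be tied to an explicit non-production setting rather than left on by default.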
⚠️ Exam Trap: SQL injection and XSS are the most frequently tested web vulnerabilities. SQLi targets the database (server-side). XSS targets other users' browsers (client-side). This distinction determines the correct answer when both are offered as choices.
