SQL Injection (SQLi)
An attack where malicious code is inserted into input fields (like a login box) to manipulate the backend database. It tricks the database into revealing hidden data or logging the attacker in without a password.
Cross-Site Scripting (XSS)
A vulnerability that allows an attacker to inject malicious client-side scripts (usually JavaScript) into web pages viewed by other users. When the victim loads the page, the script runs in their browser, often stealing their session cookies.
Cross-Site Request Forgery (CSRF / XSRF)
An attack that forces an end user to execute unwanted actions on a web application where they are currently authenticated. It tricks the browser into sending a request the user didn't intend to make.
Buffer Overflow
An anomaly where a program, while writing data to a specific block of memory, overruns the buffer's boundary and overwrites adjacent memory locations. This can crash the system or allow the execution of arbitrary code.
Directory Traversal
An exploit that allows an attacker to access files and directories that are stored outside the web root folder by manipulating variables that reference files with "dot-dot-slash" sequences.
On-Path Attack (formerly Man-in-the-Middle)
An attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
ARP Poisoning
A technique where an attacker sends falsified Address Resolution Protocol messages over a local area network. This links the attacker's MAC address with the IP address of a legitimate computer (like the gateway), causing traffic to be redirected to the attacker.
Replay Attack
A form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. The attacker captures a valid session token or authentication handshake and resends it later to fool the server.
Evil Twin
A fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. It uses the same SSID (network name) as a trusted network.
Bluejacking
A wireless attack involving the transmission of unwanted messages, business cards, or images to a nearby device via short-range radio waves. It is generally considered a nuisance or a prank rather than a serious security threat because no data is taken from the victim.
Bluesnarfing
A wireless attack that involves the unauthorized theft of information from a device via short-range radio waves. Unlike its counterpart, this allows the attacker to access and copy internal data such as contact lists, emails, text messages, and photos without the user's knowledge.
Password Spraying
A variation of a brute force attack where an attacker tries a few common passwords (like "Password123" or "Summer2025") against many different user accounts, rather than trying many passwords against one account. This avoids account lockouts.
Zero-Day
A software security flaw that is known to the vendor but doesn't have a patch in place to fix it. Attackers exploit it before the developers have a chance to release a fix.
Dictionary Attack
An attempted illegal entry that uses a text file containing thousands of common words, phrases, and likely combinations to guess the authentication string. It relies on the fact that humans tend to choose words found in language rather than random characters.
Brute Force Attack
A comprehensive trial-and-error method that attempts to decode encrypted data or guess a password by systematically trying every possible combination of characters (e.g., aaaaa, aaaab, aaaac) until the correct one is found.
Rainbow Table Attack
A cryptographic attack that uses a massive, pre-computed database of hash chains. Instead of guessing a password and hashing it to see if it matches, the attacker simply takes the stolen hash and looks it up in this table to instantly find the corresponding plaintext password. (Attacker has already stolen a database of hashed passwords.)
Credential Stuffing
An automated injection of breached username/password pairs into the login pages of multiple other unrelated websites. This attack relies entirely on the bad habit of users reusing the same password across different services.
Hybrid Attack
A password cracking method that combines the speed of a dictionary list with the thoroughness of brute force. It takes words from a list and applies common variations (like adding numbers or symbols to the end) to guess the password.
Pass the Hash
A hacking technique where the attacker captures the hashed user credential and uses it directly to authenticate to a remote server or service, bypassing the need to ever crack or know the actual plaintext password.
Supply-Chain Attack
A cyberattack that seeks to damage an organization by targeting less secure elements in its procurement network. Instead of hacking the company directly (which might be hard), the attacker compromises a trusted third-party vendor, software provider, or hardware manufacturer to infiltrate the primary target.