2.3 Vulnerability Types

Application Vulnerability

A flaw or weakness in an application's code or logic that an attacker can exploit.

Memory Injection

An attack that injects and executes malicious code in a running application's memory. (e.g., DLL injection).

Buffer Overflow

🌊 Sending too much data to an application's memory buffer, causing it to "spill over" and overwrite adjacent memory. (Can lead to system crash or arbitrary code execution).

Race Conditions

⏱ An attack that exploits the tiny gap in time between when a system checks a resource (like a file) and when it uses it.

TOC/TOU

The specific name for a race condition: Time-of-Check (TOC) to Time-of-Use (TOU). The attacker alters the resource between the check and the use.

Malicious Update

An attack that pushes a harmful payload disguised as a legitimate software update. (Often part of a Supply Chain attack).

SQL Injection

💉 A web attack that injects malicious SQL commands into an input field (like a search bar) to manipulate a backend database. (e.g., OR '1'='1').

Cross Site Scripting (XSS)

💻 A web attack that injects malicious client-side scripts (like JavaScript) into a trusted website, which then runs in the victim's browser. (Keywords: Steals cookies, session hijacking).

Operating System Vulnerability

A vulnerability in the core kernel or components of an OS. (e.g., Unpatched services, kernel flaws, improper permissions).

Hardware Vulnerability

A flaw in a physical component like a CPU, chipset, or device. (e.g., Spectre, Meltdown).

Firmware Vulnerability

A flaw in the permanent software (like BIOS/UEFI) that runs on a hardware device. (Difficult to patch, provides high-level access).

End of Life (EOL)

⏳ A vulnerability where the vendor no longer supports or patches the product. (A massive, unfixable risk).

Legacy Vulnerability

A system so old it's difficult to secure, even if technically still supported. (Often can't run modern security tools).

VM Escape

🏃 An attack that breaks out of a guest VM and gains access to the host hypervisor or other VMs. (A critical virtualization flaw).

Resource Reuse

A flaw where a VM's memory/disk space is not properly zeroed out before being reassigned to a new VM. (Leads to data leakage between tenants).

Cloud Vulnerabilities

Flaws unique to cloud environments. (Keywords: Misconfigured storage buckets (e.g., S3), insecure APIs, weak identity management).

Supply Chain Vulnerability

🤝 A vulnerability in a trusted third-party (vendor, software supplier, MSP) that is exploited to attack the end customer.

Cryptographic Vulnerability

A weakness in an encryption algorithm, key, or implementation. (e.g., Using a deprecated algorithm like SHA-1, or a weak key).

Misconfiguration

🔑 The most common vulnerability. A system is not set up securely. (Keywords: Default credentials, open ports, wrong permissions).

Mobile Device Vulnerability

Flaws specific to mobile devices. (e.g., SMS phishing, malicious apps, unpatched OS, unsecured public Wi-Fi).

Sideloading

📲 Installing an app from an unofficial source (not the Apple App Store or Google Play Store). (High risk of malware).

Jailbreaking

🔓 Bypassing all built-in security controls on a mobile device to gain root (administrator) access. (Makes the device highly vulnerable).

Zero Day

💥 A vulnerability that is unknown to the vendor and has no patch available. (The attack is happening "on day zero" of its discovery).