Domain 2 · 2.4 Indicators of Malicious Activity

2.4.4 Application Attacks

Injection, overflow, replay, privilege escalation.

10 min

Application attacks exploit flaws in software code, logic, or session handling to bypass controls or reach data without authorization.

Injection Attacks Injection sends untrusted input to an interpreter as part of a command or query, tricking the app into running unintended instructions. - SQL injection (SQLi): malicious SQL in entry fields can bypass authentication, read private data, or drop tables. Triggers: "' OR 1=1 --", "UNION SELECT". - Command injection: running OS commands through an app that passes unsanitized input to a system shell. - Cross-site scripting (XSS): injecting scripts that run in another user's browser, often to steal session cookies.

Memory and Overflow Attacks These abuse how an application manages memory to crash it or run code. - Buffer overflow: writing more data than a buffer can hold overwrites adjacent memory, causing crashes or letting attacker code run with the program's privileges. - Integer overflow: an arithmetic result too large for its type wraps to a tiny or negative value, producing logic errors.

Replay and Session Attacks These target the client-server exchange to impersonate legitimate users. - Replay attack: capturing a valid transmission (such as an authentication token) and resending it later. Defeated by timestamps, sequence numbers, and nonces. - Session hijacking: stealing a valid session ID or cookie to take over an active session without a password.

Privilege Escalation After gaining a foothold, attackers try to increase their access. - Vertical escalation: a standard user gains administrator or root permissions. - Horizontal escalation: a user reaches another user's resources at the same privilege level (User A reads User B's files).

Quick recall - Input validation → primary defense against injection and overflow attacks. - Reflected vs stored XSS → reflected arrives via a link; stored is saved on the server. - Replay defense → timestamps, sequence numbers, and nonces. - Least privilege → limits the damage of privilege escalation. - Buffer overflow → writing past a buffer to run code in a privileged context.