WOLF//SEC
← Domain 2
OBJECTIVE 2.3 Explain

Explain various types of vulnerabilities

A vulnerability is a weakness that can be exploited by a threat actor. This objective covers the categories of vulnerabilities you’ll encounter across applications, systems, hardware, and humans.

Application Vulnerabilities

Memory Injection

Injecting malicious code into a running process’s memory space.

  • DLL injection: Forcing a process to load an attacker-controlled library
  • Process hollowing: Starting a legitimate process, replacing its code in memory with malware
  • Used for privilege escalation and defense evasion

Buffer Overflow

Writing data beyond the boundaries of allocated memory, corrupting adjacent data.

  • Stack overflow: Overwriting the return address on the stack to redirect execution
  • Heap overflow: Corrupting dynamically allocated memory structures
  • Integer overflow: Arithmetic that wraps around, producing an unexpectedly small buffer
  • Prevention: Input validation, bounds checking, ASLR, DEP/NX, stack canaries

Race Conditions

When the outcome depends on the timing of events, and an attacker can manipulate that timing.

  • TOCTOU (Time of Check, Time of Use): Exploit the gap between a security check and the action it authorizes
  • Example: File permission check passes, attacker swaps the file before it’s read
  • Prevention: Atomic operations, proper locking mechanisms

Injection Attacks

Untrusted input interpreted as code or commands.

  • SQL injection: Manipulating database queries through user input
  • Command injection: Executing OS commands through application inputs
  • LDAP injection: Manipulating directory service queries
  • XML injection / XXE: Exploiting XML parsers to read files, perform SSRF
  • Prevention: Parameterized queries, input validation, output encoding. Never trust user input.

XSS (Cross-Site Scripting)

Injecting client-side scripts into web pages viewed by other users.

  • Reflected: Malicious script in URL parameter, reflected back in the response
  • Stored: Script saved to the server (database, comment field), executed for all visitors
  • DOM-based: Script manipulates the page’s DOM without server involvement
  • Prevention: Output encoding, Content Security Policy (CSP), input sanitization

Privilege Escalation

Gaining higher permissions than authorized.

  • Vertical: Normal user → admin
  • Horizontal: User A accesses User B’s resources
  • Exploited through misconfigurations, vulnerable services, kernel exploits

Operating System Vulnerabilities

Unpatched Systems

Known vulnerabilities with available fixes that haven’t been applied.

  • Most breaches exploit known CVEs, not zero-days
  • Patch management process failures = vulnerability accumulation

Misconfigurations

  • Default settings left unchanged (default passwords, unnecessary services enabled)
  • Overly permissive file/directory permissions
  • Debug mode or verbose error messages exposed in production
  • Open network shares with sensitive data

End-of-Life (EOL) Software

Operating systems and applications no longer receiving security updates.

  • Windows Server 2012, Windows 7, older Linux kernels
  • Any vulnerability discovered after EOL will never be patched
  • Compensating controls required: Network isolation, enhanced monitoring, application whitelisting

Hardware Vulnerabilities

Firmware

Software embedded in hardware that operates below the OS layer.

  • Firmware vulnerabilities persist across OS reinstalls
  • BIOS/UEFI attacks can survive disk wipes
  • Supply chain firmware implants are difficult to detect

Side-Channel Attacks

Extracting information from the physical implementation of a system.

  • Timing attacks: Measuring operation timing to infer secret values
  • Power analysis: Monitoring power consumption patterns during cryptographic operations
  • Spectre/Meltdown: CPU speculative execution leaking data across security boundaries
  • Electromagnetic emanations: Capturing signals from hardware components

Hardware Root of Trust

  • TPM (Trusted Platform Module) provides a hardware-based security anchor
  • Secure boot chain: each component verifies the next before loading
  • If hardware root of trust is compromised, nothing above it can be trusted

Virtualization Vulnerabilities

VM Escape

Breaking out of a virtual machine to access the hypervisor or other VMs on the same host.

  • Critical because it breaks the isolation that virtualization promises
  • Rare but devastating — access to the hypervisor means access to everything

Resource Reuse

  • Memory not properly cleared between VM allocations
  • Potential for data leakage between tenants in cloud environments

VM Sprawl

  • Unmanaged proliferation of virtual machines
  • Forgotten VMs running outdated, unpatched software = shadow attack surface

Cloud-Specific Vulnerabilities

Misconfigured Cloud Storage

  • S3 buckets, Azure Blobs, GCS buckets exposed to public access
  • One of the most common sources of data breaches in cloud environments
  • Exam tip: Cloud misconfiguration questions are almost guaranteed

Insecure APIs

  • Cloud services managed via API — misconfigurations in API permissions have outsized impact
  • Overly permissive IAM roles, exposed API keys, lack of rate limiting

Shared Responsibility Model

  • Cloud provider secures the infrastructure; customer secures their configuration, data, and access
  • Misunderstanding this boundary is itself a vulnerability

Cryptographic Vulnerabilities

Weak/Deprecated Algorithms

  • MD5, SHA-1, DES, RC4 — known broken, should not be used
  • Exam focus: Know which algorithms are deprecated and why

Improper Implementation

  • Using ECB mode (patterns preserved in ciphertext)
  • Hardcoded encryption keys in source code
  • Insufficient key length (RSA < 2048, AES < 128)

Certificate Issues

  • Expired certificates breaking trust chain
  • Self-signed certificates in production
  • Wildcard certificate compromise = all subdomains compromised

Zero-Day Vulnerabilities

  • Vulnerability unknown to the vendor with no available patch
  • Highest value to attackers (nation-states stockpile zero-days)
  • Defense: assume-breach posture, behavior-based detection, network segmentation
  • Once disclosed and patched, it becomes a known vulnerability (but many orgs still don’t patch promptly)

Human Vulnerabilities

Social Engineering Susceptibility

  • Lack of security awareness training
  • Authority bias (blindly following requests from “executives”)
  • Urgency manipulation (“your account will be locked in 30 minutes”)

Misconfiguration by Operators

  • Human error in system configuration
  • Copy/paste mistakes in firewall rules, IAM policies
  • “Temporary” exceptions that become permanent

Offensive Context

Vulnerability assessment from the offensive side is about prioritization, not just enumeration. An attacker doesn’t care about your CVSS 10.0 vulnerability on an air-gapped system — they care about the CVSS 7.0 vulnerability on your internet-facing VPN concentrator. Thinking about vulnerability exploitation chains (combine a medium-severity SQLi with a medium-severity privilege escalation for a critical-impact breach) is what separates checkbox scanning from real security assessment.