SkarpSkarp

Chapter 8 of 27

Vulnerability Types, Discovery Methods, and Exploitation Basics

Dig into how weaknesses arise in software, systems, and processes, and see how attackers chain them together while defenders work to find and fix them first.

27 min readen

Big Picture: From Weakness to Exploit

From Weakness to Attack

This module links what you learned about threat actors and attack surfaces to how real attacks happen through weaknesses in software, systems, and processes.

Key Terms to Separate

Vulnerability: a weakness. Threat: something that can cause harm. Exploit: technique or code using a weakness. Risk: potential impact if a threat exploits a vulnerability.

Scenario Snapshot

Unpatched OpenSSL is a vulnerability, a criminal group scanning is a threat, Heartbleed code is an exploit, and possible data theft is the resulting risk.

What You Will Be Able to Do

You will classify vulnerabilities, understand common software flaws, spot misconfigurations, compare scanners vs pen tests, and practice remediation prioritization.

Security+ Context

CompTIA Security+ validates baseline security skills. SY0-701 is its current exam code, and this module aligns with its vulnerability and assessment topics.

Types of Vulnerabilities: Software, Configuration, and Process

What Is a Vulnerability?

A vulnerability is any weakness that can be exploited to violate confidentiality, integrity, or availability. Classify it by what is weak and why it is weak.

Software Vulnerabilities

Software vulnerabilities are flaws in code or logic, such as buffer overflows, SQL injection, XSS, race conditions, and insecure use of third-party libraries.

Software Root Causes

They often come from unsafe functions, missing input validation, poor error handling, unsafe concurrency, and insecure libraries or dependencies.

Configuration Vulnerabilities

Configuration vulnerabilities arise when systems are set up unsafely: default passwords, open storage buckets, weak firewall rules, or exposed management ports.

Process Vulnerabilities

Process vulnerabilities live in people and procedures: no patch management, missing code review, poor backups, or no incident response plan.

Exam Tip: Spot the Type

If the issue is in code, think software; if it is how something is set up, think configuration; if it is how people work, think process.

Common Software Flaws: Buffer Overflows, Injection, Race Conditions

Three Classic Software Flaws

We will examine buffer overflows, injection attacks, and race conditions, all of which are core software vulnerabilities for Security+.

Buffer Overflow Basics

A buffer overflow occurs when a program writes more data into memory than allocated, potentially overwriting control data like return addresses.

Buffer Overflow Example

A C program with a 16-byte array for a username uses strcpy on 100 bytes of input. Extra bytes overflow into adjacent memory, enabling code execution.

Injection Attacks

Injection happens when untrusted data is interpreted as code or commands, like SQL injection, command injection, and LDAP injection.

SQL Injection Example

A query like SELECT * FROM users WHERE name = '" + userInput + "'; lets input such as ' OR '1'='1 change the query logic if not parameterized.

Race Conditions

Race conditions occur when the system’s behavior depends on timing of concurrent operations, like two withdrawals racing past a balance check.

Fixing These Flaws

Defenses include bounds checking, safe functions, parameterized queries, input validation, locking, atomic operations, and secure design.

Misconfigurations and Weak Defaults in Real Systems

Why Misconfigurations Matter

Misconfigurations are some of the most common vulnerabilities, especially in cloud and hybrid environments with many moving parts.

Identity and Access Misconfigurations

Examples include default passwords, overly broad permissions like Everyone full control, and missing MFA on privileged accounts.

Network and Service Misconfigurations

These include open RDP to the internet, unsecured databases on 0.0.0.0, and firewalls with overly permissive allow any any rules.

Data and Encryption Misconfigurations

Public storage buckets, unencrypted databases or backups, and TLS with weak ciphers or self-signed certs in production are all risky.

Logging and Monitoring Gaps

Logging turned off, logs stored only locally, or no alerts on failed logins and privilege changes create blind spots.

Exam Tip: Configuration vs Code

When you see default credentials or exposed management ports, classify it as a configuration vulnerability, fixed by hardening and least privilege.

Exposure vs Vulnerability vs Threat vs Risk

Untangling Core Terms

Security+ questions often mix exposure, vulnerability, threat, exploit, and risk. Each has a precise meaning you must keep separate.

Vulnerability and Threat

A vulnerability is a weakness like an unpatched server. A threat is something that can cause harm, such as a ransomware group or natural disaster.

Exploit and Risk

An exploit is a tool or technique that uses a vulnerability. Risk combines the likelihood of exploitation with the impact if it succeeds.

What Is Exposure?

Exposure is how reachable or visible vulnerable assets are to attackers, such as an internet-facing admin portal with weak controls.

House Analogy

Broken latch: vulnerability. Burglar: threat. Crowbar: exploit. Chance of break-in plus loss: risk. Valuables visible through windows: exposure.

Exam Clues

Words like unpatched suggest vulnerability; likelihood and impact suggest risk; internet-facing suggests exposure; exploit kit suggests exploit.

How Vulnerabilities Are Found: Scanning vs Penetration Testing

Two Main Discovery Methods

Defenders mainly use vulnerability scanning and penetration testing to find weaknesses before attackers can exploit them.

Vulnerability Scanning Basics

Scanning uses automated tools to compare systems against known vulnerabilities, missing patches, and misconfigurations.

Scanner Outputs and Use

Scanners produce lists of findings with severity and remediation advice, ideal for regular, large-scale, low-risk assessments.

Penetration Testing Basics

Pen tests are human-led and simulate real attackers, focusing on what can actually be compromised, not just listing issues.

Pen Test Types

Black-box has no internal info, gray-box has partial info, and white-box involves full information, possibly including source code.

Breadth vs Depth

Scanners provide breadth across many systems. Pen tests provide depth, exploring exploit chains and real business impact.

Safety and Authorization

Scanning is usually non-intrusive. Pen tests can be disruptive and always require clear scope, written authorization, and timing.

Thought Exercise: Choose Scanning or Pen Test

Apply what you learned by deciding whether vulnerability scanning or penetration testing is more appropriate. Think about goal, scope, frequency, and risk.

Scenario 1:

Your company just migrated a critical web app to a new cloud platform. Management wants to know if attackers can steal customer data through the new setup.

  • Which is better: vulnerability scan or penetration test?
  • Why?

Scenario 2:

You manage 800 workstations and 50 servers. Compliance requires you to identify missing patches and high-severity vulnerabilities every month.

  • Which approach fits best?
  • Why?

Scenario 3:

A partner asks for assurance that your external perimeter (firewalls, VPN gateways, public web apps) is reasonably secure. They are less interested in a long list of minor issues and more in whether an attacker can get in.

  • What would you recommend?

Pause and think through your answers before revealing the suggested reasoning below.

Suggested reasoning (compare with your thoughts):

  • Scenario 1: Penetration test. Goal is to see if data can be stolen, not just list vulnerabilities. New environment, high impact.
  • Scenario 2: Vulnerability scanning. Large environment, recurring requirement, focus on patching and known issues.
  • Scenario 3: External penetration test (possibly preceded by a scan). Partner cares about actual compromise of perimeter systems.

Interpreting Vulnerability Scan Results and Prioritizing Fixes

Why Scan Interpretation Matters

Security+ expects you to read vulnerability scan results and decide what to fix first based on severity and business impact.

Sample Findings

Critical RCE on an internet-facing VPN, high-severity internal file server patches, medium XSS in an internal app, and low SNMP defaults on printers.

Step 1: Check Exposure

Start by asking which systems are internet-facing or widely accessible. External VPN gateways usually carry higher urgency.

Step 2: Assess Impact and Likelihood

RCE on a VPN gateway could give full network access and often has public exploits, making it a top priority.

Step 3: Consider Compensating Controls

Segmentation, strict ACLs, or other controls can slightly lower urgency but do not remove the need to patch.

Resulting Remediation Order

Fix the VPN first, then internal privilege escalation, then internal XSS, and finally isolated printer SNMP misconfigs.

Exam Strategy

On questions, favor fixing external critical issues with high impact before internal low-impact ones, unless data sensitivity overrides.

Exploitation Basics: How Attackers Chain Vulnerabilities

Why Attack Chains Matter

Attackers usually chain multiple weaknesses to reach valuable assets. Understanding chains helps you defend at multiple points.

Step 1: Initial Access

A misconfigured web server exposes an admin interface with default credentials, a configuration vulnerability giving initial access.

Step 2: Privilege Escalation

The attacker uploads a malicious file exploiting a file upload validation bug, a software vulnerability enabling command execution.

Step 3: Lateral Movement

Shared SSH keys stored in a weakly protected folder reflect a process vulnerability, enabling movement to other servers.

Step 4: Data Exfiltration

With stolen keys, the attacker connects to a database and exports customer data, completing the attack chain.

Breaking the Chain

Strong passwords, patching, good key management, and segmentation can each break a link and stop the overall attack.

Zero Trust Connection

Zero trust is a security model that assumes no implicit trust and requires continuous verification, limiting access to only what is needed.

Disclosure, Patch Management, and Governance, Risk, and Compliance

Beyond Finding Vulnerabilities

Organizations must manage vulnerabilities over time through disclosure processes, patch management, and strong governance, risk, and compliance.

Disclosure Models

Responsible disclosure coordinates with vendors; full disclosure publishes details openly; zero-day refers to exploitation before a patch exists.

Patch Management Steps

Inventory assets, monitor for new vulnerabilities, evaluate risk, test patches, deploy them, then verify and report completion.

Security+ Exam Angle

If a scenario involves compromise of an unpatched system, answers like improve patch management or formal vulnerability management are often correct.

GRC Definition

Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including these principles in security.

When You Cannot Patch

For legacy or sensitive systems, use compensating controls like segmentation and monitoring, and formally accept or treat the residual risk.

Quiz 1: Core Concepts Check

Test your understanding of key distinctions around vulnerabilities, threats, and discovery methods.

A security team runs an automated tool every week that logs into servers, checks OS versions and configurations, and reports missing patches with CVSS scores. What is this activity BEST described as?

  1. A. Black-box penetration testing
  2. B. Vulnerability scanning
  3. C. Threat hunting
  4. D. Red team engagement
Show Answer

Answer: B) B. Vulnerability scanning

This is vulnerability scanning: an automated, regular process that logs into systems (authenticated scan), checks versions and configurations, and reports known vulnerabilities with severity scores. Pen tests and red team engagements are human-led and less frequent; threat hunting focuses on finding active adversaries, not missing patches.

Quiz 2: Classifying Vulnerabilities and Risks

Apply the terminology to a realistic scenario.

A cloud storage bucket containing customer invoices is accidentally left publicly readable on the internet. No evidence of access is found yet. Which option BEST describes the situation?

  1. A. It is a threat because attackers might find it.
  2. B. It is an exploit because data can be downloaded.
  3. C. It is a configuration vulnerability that increases exposure and risk.
  4. D. It is not a problem until there is proof of data theft.
Show Answer

Answer: C) C. It is a configuration vulnerability that increases exposure and risk.

A publicly readable storage bucket with sensitive data is a configuration vulnerability (misconfiguration). It significantly increases exposure and therefore risk, even if you have not yet seen evidence of exploitation. The threat would be the potential attackers; the exploit would be a method used if they actually accessed it.

Key Term Flashcards: Vulnerabilities and Discovery

Flip through these cards to reinforce core terminology and distinctions important for the Security+ exam.

Vulnerability
A weakness that could be exploited to violate confidentiality, integrity, or availability, such as an unpatched service, insecure code, or misconfiguration.
Threat
A potential cause of an unwanted incident, such as a threat actor, malware campaign, insider, or natural disaster.
Exploit
A specific tool, script, or technique that takes advantage of a particular vulnerability to achieve an effect, like remote code execution.
Risk
The combination of the likelihood that a threat exploits a vulnerability and the impact if it occurs, often used to prioritize remediation.
Exposure
The degree to which vulnerable assets are reachable or visible to potential attackers, such as internet-facing services.
Vulnerability scanning
An automated process that checks systems for known vulnerabilities, misconfigurations, and missing patches, typically producing severity-ranked findings.
Penetration testing
A human-led security assessment that simulates real attacks to determine what an adversary can actually achieve, focusing on exploit chains and business impact.
Buffer overflow
A software vulnerability where a program writes more data to a buffer than it can hold, potentially overwriting adjacent memory and enabling code execution.
Injection attack
A class of attacks where untrusted input is interpreted as code or commands, such as SQL injection or command injection.
Race condition
A flaw where system behavior depends on the timing of concurrent operations, allowing attackers to exploit inconsistent checks and actions.

Key Terms

risk
The combination of the likelihood that a threat exploits a vulnerability and the impact if it occurs, often used to prioritize remediation.
threat
A potential cause of an unwanted incident, such as a threat actor, malware campaign, insider, or natural disaster.
exploit
A specific tool, script, or technique that takes advantage of a particular vulnerability to achieve an effect, like remote code execution.
exposure
The degree to which vulnerable assets are reachable or visible to potential attackers, such as internet-facing services.
zero-day
A vulnerability that is exploited before a patch or fix is available from the vendor.
injection
A class of attacks where untrusted input is interpreted as code or commands, such as SQL injection or command injection.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
vulnerability
A weakness that could be exploited to violate confidentiality, integrity, or availability, such as an unpatched service, insecure code, or misconfiguration.
race condition
A flaw where system behavior depends on the timing of concurrent operations, allowing attackers to exploit inconsistent checks and actions.
buffer overflow
A software vulnerability where a program writes more data to a buffer than it can hold, potentially overwriting adjacent memory and enabling code execution.
misconfiguration
An insecure configuration of systems or services, such as default passwords, open storage buckets, or overly permissive firewall rules.
patch management
The process of identifying, evaluating, testing, deploying, and verifying software updates to remediate vulnerabilities.
hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
penetration testing
A human-led security assessment that simulates real attacks to determine what an adversary can actually achieve, focusing on exploit chains and business impact.
vulnerability scanning
An automated process that checks systems for known vulnerabilities, misconfigurations, and missing patches, typically producing severity-ranked findings.
governance, risk, and compliance
Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.

Finished reading?

Test your understanding with a custom practice exam on this chapter.

Test yourself