MODULE 07 — THREATS & ATTACKS

Threats, Vulnerabilities & Mitigations

Domain 2.0 of Security+ SY0-701 (22% of the exam). Understand how attackers think, what techniques they use, and how to defend against them — from phishing emails to SQL injection.

Why Study Attacks?

You can't defend what you don't understand. Security professionals study attacks not to become criminals but to think like an adversary and build better defenses. Every defense strategy is a response to a known attack technique.

Ethics reminder: Never use attack techniques against systems you don't own or have explicit written permission to test. Knowledge is for defense.

Key Terms

Threat: Any potential danger that could exploit a vulnerability and cause harm to a system or data.
Vulnerability: A weakness in a system that can be exploited by a threat — software bugs, misconfigurations, weak passwords.
Exploit: Code or technique that takes advantage of a specific vulnerability to gain access or cause damage.
Mitigation: Actions taken to reduce the risk or impact of a threat — patching, encryption, access controls.
Attack Vector: The path or method used to deliver an attack — email, USB, web form, network protocol.
Attack Surface: The total number of points where an attacker could try to enter — open ports, APIs, user inputs.

The Cyber Kill Chain

Lockheed Martin's 7-stage model describes how attacks unfold. Breaking any link in the chain stops the attack. The stages:

1. Reconnaissance
Gathering information about the target: OSINT, Google dorking, LinkedIn harvesting, Shodan, DNS enumeration. Defense: minimize the public footprint, monitor for data leaks.

2. Weaponization
Creating the attack package by pairing an exploit with a payload: crafting a malicious PDF, building a phishing page, writing exploit code. Defense: threat intelligence, sandbox analysis.

3. Delivery
Sending the weapon to the target: phishing email, malicious USB, watering-hole website, compromised software update. Defense: email filtering, web proxies, user training.

4. Exploitation
Triggering the vulnerability: the user clicks the link, a macro executes, a buffer overflow fires, a SQL injection executes. Defense: patching, ASLR/DEP, input validation, sandboxing.

5. Installation
Establishing persistence: installing a backdoor or rootkit, creating a new admin account, adding scheduled tasks or registry keys. Defense: EDR, application whitelisting, integrity monitoring.

6. Command & Control (C2)
The malware phones home to the attacker's server for instructions. Channels: HTTPS, DNS tunneling, social-media dead drops. Defense: network monitoring, DNS filtering, egress filtering.

7. Actions on Objectives
The attacker's goal: data exfiltration, ransomware deployment, lateral movement, destruction, espionage. Defense: DLP, network segmentation, encryption at rest, backups.

Attack Taxonomy

Social Engineering
  • Phishing — deceptive emails/messages
  • Spear phishing — targeted at individuals
  • Whaling — targeting executives
  • Vishing — voice phishing calls
  • Pretexting — fabricated scenario
  • Tailgating — physical access bypass
Application Attacks
  • SQL Injection — manipulate database queries
  • XSS — inject malicious JavaScript
  • CSRF — forge authenticated requests
  • Buffer Overflow — overwrite memory
  • Directory Traversal — access files outside root
  • LDAP/XML Injection — inject into parsers
Network Attacks
  • Man-in-the-Middle — intercept traffic
  • ARP Spoofing — fake ARP replies
  • DNS Poisoning — corrupt DNS cache
  • DDoS — flood with traffic
  • SYN Flood — exhaust TCP connections
  • Replay Attack — reuse captured data
Malware
  • Ransomware — encrypt files for payment
  • Trojan — disguised as legitimate software
  • Worm — self-propagating malware
  • Rootkit — hides deep in OS
  • Spyware/Keylogger — steals information
  • RAT — remote access trojan

Security+ Exam Focus (Domain 2.0 — 22%)

Interactive Attack Simulators

See attacks in action in these safe sandboxes. No real systems are harmed.

SQL Injection Sandbox

See how unsanitized input leads to data theft

Type a username into this "login form." Try normal input first, then try: ' OR 1=1 -- or ' UNION SELECT * FROM users --

The vulnerable login form builds this query from the submitted fields:

SELECT * FROM users WHERE username = '___' AND password = '___'

Database table: users

id | username   | role
---+------------+--------------
1  | admin      | administrator
2  | jsmith     | user
3  | dbadmin    | dba
4  | svc_backup | service
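The sandbox's query, rebuilt in Python against an in-memory SQLite copy of the users table, with the string-concatenation version beside a parameterised one. This is an added example, not the sandbox's own code; the rows mirror the table above, and the password column and its values are constructed assumptions so the page's query can run.

```python
import sqlite3

# Constructed sample rows matching the sandbox's users table on this page;
# the password column is an assumption added so the page's query can run.
USERS = [
    (1, "admin", "administrator", "hunter2"),
    (2, "jsmith", "user", "winter2024"),
    (3, "dbadmin", "dba", "s3cret"),
    (4, "svc_backup", "service", "backup!"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn

def login_vulnerable(conn, username, password):
    # Mirrors the sandbox: the submitted fields are spliced into the SQL text,
    # so a quote in the input ends the string literal and the rest is parsed as SQL.
    query = (f"SELECT * FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    # Parameterised query: values travel separately from the statement, so
    # quotes, OR clauses and -- comment markers in the input are only data.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for payload in ["' OR 1=1 --", "' UNION SELECT * FROM users --"]:
        print(payload, "->", len(login_vulnerable(db, payload, "x")), "rows (vulnerable),",
              len(login_safe(db, payload, "x")), "rows (safe)")
```

A login routine that returns more than one row is itself a signal worth alerting on: a correct authentication query can never match more than one account.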

XSS (Cross-Site Scripting) Playground

See how injected scripts execute in the browser

Type a "comment" into this guestbook. Try: <img src=x onerror="alert('XSS')"> or <script>document.cookie</script>

The vulnerable comment form inserts the submitted text directly into the rendered page that the victim sees.
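The guestbook's rendering step, as an added example (not the playground's own code): the verbatim concatenation the page describes next to an output-encoded version, with Python's HTMLParser standing in for the victim's browser to show which elements each version actually creates. The comment entries are constructed; the payload is the one given above.

```python
import html
from html.parser import HTMLParser

# Constructed guestbook entries: one benign, one carrying the page's example payload.
COMMENTS = [
    ("alice", "Great module, thanks!"),
    ("mallory", "<img src=x onerror=\"alert('XSS')\">"),
]

def render_vulnerable(comments):
    # Mirrors the playground: comment text is concatenated into the HTML verbatim,
    # so any tags in it become real elements when the victim's browser parses the page.
    items = "".join(f"<li><b>{user}</b>: {text}</li>" for user, text in comments)
    return f"<ul>{items}</ul>"

def render_safe(comments):
    # Output encoding: html.escape turns < > & " ' into entities, so the payload
    # is displayed as text and never becomes an element or an event handler.
    items = "".join(
        f"<li><b>{html.escape(user)}</b>: {html.escape(text)}</li>"
        for user, text in comments
    )
    return f"<ul>{items}</ul>"

class TagCollector(HTMLParser):
    """Stand-in for the victim's browser: records every element the HTML creates."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def elements_in(rendered_html):
    parser = TagCollector()
    parser.feed(rendered_html)
    return parser.tags

def has_event_handler(rendered_html):
    # Detection view: does any created element carry an on* attribute (e.g. onerror)?
    return any(a.startswith("on") for _, attrs in elements_in(rendered_html) for a in attrs)
```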

Brute Force Visualizer

Watch a password attack in real-time

See how password length and complexity affect cracking time. The simulated password is pass.

Target: SSH login. The visualizer reports the number of attempts, the current status and the guess being tried.
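The defender's side of the SSH scenario above, as an added example that is not part of the page: a small detector run over a constructed sshd auth-log excerpt (TEST-NET addresses) that flags any source with a burst of failed logins inside a sliding window and marks whether a login later succeeded from that source. The log lines, hostname and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth-log excerpt (TEST-NET addresses), in the format a real
# /var/log/auth.log uses; the burst from 203.0.113.5 models the page's visualizer.
SAMPLE_LOG = """\
Jan 12 10:01:02 bastion sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:01:03 bastion sshd[2011]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 12 10:01:04 bastion sshd[2012]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 12 10:01:05 bastion sshd[2013]: Failed password for jsmith from 203.0.113.5 port 51237 ssh2
Jan 12 10:01:06 bastion sshd[2014]: Failed password for jsmith from 203.0.113.5 port 51238 ssh2
Jan 12 10:01:07 bastion sshd[2015]: Accepted password for jsmith from 203.0.113.5 port 51239 ssh2
Jan 12 10:02:30 bastion sshd[2020]: Failed password for jsmith from 198.51.100.7 port 40001 ssh2
Jan 12 10:03:10 bastion sshd[2021]: Accepted publickey for jsmith from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window_s=60, year=2024):
    """Flag sources with >= threshold failed logins inside a sliding window of
    window_s seconds, and note whether a login later succeeded from that source."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}                  # ip -> {"failures": n, "success_after": bool}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not an auth result line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold:
                flagged[ip] = {"failures": len(window), "success_after": False}
        elif ip in flagged:
            # A success after a flagged burst is the highest-priority finding.
            flagged[ip]["success_after"] = True
    return flagged
```

The same burst-then-success pattern is what lockout policies and tools such as fail2ban act on; the threshold and window here are tuning knobs, not fixed values.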

Phishing Email Analyzer

Examine this suspicious email. Click on each element to flag it as suspicious or mark it safe. Can you spot all the red flags?

The sample email contains 8 red flags to find.

Attack ↔ Defense Matcher

Match each attack to its best defense

Knowledge Check

All certification names are referenced for educational purposes only. This project is not affiliated with any certification body.