Guess the Vulnerability
A user enters ' OR '1'='1 into a login field and is successfully logged in as the admin without a password.
SQL Injection
This application layer protocol is used to transmit web pages, but its insecure version sends all data in "plaintext."
HTTP
This "Network Mapper" is the industry standard for port scanning and service discovery.
This security measure prevents automated attacks by requiring a user to complete a simple test that is easy for humans but difficult for computers.
CAPTCHA
In 2017, this credit bureau suffered a massive breach exposing 147 million people’s data because they failed to patch a known vulnerability in Apache Struts.
Equifax
An attacker notices that a website displays their name exactly as typed in a profile field, so they change their name to <script>alert('Hacked')</script>.
Cross-Site Scripting (XSS)
This 48-bit hardware address is unique to every Network Interface Card (NIC) and operates at the Link Layer.
MAC Address
This web-based tool uses "Recipes" to easily decode, hex-dump, or manipulate data formats.
CyberChef
This common attack involves trying every single word in a pre-compiled list to crack a password.
Dictionary Attack
This 2013-2016 breach remains the largest in history, with the company eventually admitting that all 3 billion of its user accounts were compromised.
Yahoo Data Breach
A developer uses the strcpy() function in C to copy user input into a fixed-size 16-byte buffer without checking the length of the input first.
Buffer Overflow
This type of attack involves an adversary spoofing ARP responses to sit between a victim and the gateway.
Man-in-the-Middle (MITM) Attack
This versatile networking tool can be used to open TCP connections, send UDP packets, and listen on arbitrary ports.
Netcat
This is a random string of data added to a password before it is hashed, ensuring that two users with the same password have different hash outputs.
Salt
This computer worm, discovered in 2010, was a joint US-Israeli project designed to physically sabotage centrifuges in an Iranian nuclear facility.
Stuxnet
A user logged into their bank account visits a malicious site in another tab. That site secretly submits a "Transfer Money" form to the bank's website using the user's active session.
Cross-Site Request Forgery (CSRF)
This networking device operates at the internet layer and uses IP addresses to determine the best path for data packets.
Router
Developed by PortSwigger, this web proxy tool is essential for intercepting and modifying HTTP requests.
Burp Suite
This pre-computed table is used to reverse cryptographic hash functions, usually for cracking password hashes in seconds by trading storage space for time.
Rainbow Table
This 1988 event, created by a Cornell graduate student, was the first large-scale automated "worm" to spread across the early internet (ARPANET).
Morris Worm
A web app allows users to view their profile at example.com/user/1234. An attacker changes the URL to example.com/user/1235 and successfully views another user's private data.
Insecure Direct Object Reference (IDOR)
This specific ICMP message type is returned when a packet's "Time to Live" (TTL) reaches zero.
Time Exceeded
This specialized Linux distribution comes pre-installed with hundreds of tools for penetration testing and auditing.
Kali Linux
This attack occurs when an attacker uses a database of leaked usernames and passwords from one service to gain unauthorized access to accounts on other unrelated services.
Credential Stuffing
In 2021, this major US fuel pipeline paid a $4.4 million ransom to the DarkSide group after a ransomware attack caused widespread gas shortages.
Colonial Pipeline