Privilege Escalation: How Attackers Gain Unauthorised System Control

May 14, 2026

Privilege Escalation is the exploitation of a security flaw to access resources normally protected from a user or application. It can allow a low-privileged user to act as a system administrator — opening files, modifying accounts, or destroying Active Directory.

Two Types of Privilege Escalation

TypeDescriptionExample
HorizontalAccess resources belonging to a peer with similar permissionsViewing another user’s banking data
VerticalAccess resources belonging to a higher-privileged accountRegular user gaining root/admin access

Privilege Separation Architecture

A well-designed service splits into a privileged monitor and unprivileged slaves. The slave requests the monitor to perform privileged operations; the monitor validates each request before executing. This minimises the privileged code surface exposed to attack.

  • Pre-Authentication Phase: Unprivileged child has no process privileges or file system access.
  • Post-Authentication Phase: Child gets user-level privileges only; special operations still route through the privileged parent.

Mitigation Guidance

  • Apply the Principle of Least Privilege throughout all service accounts and processes.
  • Remove unused services and applications from network devices.
  • Enforce strict password policies and disable unused accounts.
  • Tighten default access permissions — Windows “Everyone” group should not be the default.
  • Regularly audit log files and baseline system files for anomalies.

Zero-Day Attacks: What They Are and How to Defend Against Them

May 14, 2026

A Zero-Day Attack exploits a security vulnerability for which no patch exists. The term means developers have had zero days to address the flaw — it may even be unknown to them when exploitation begins.

The Window of Exposure — Five Phases

PhaseDescription
Pre-DiscoveryVulnerability exists but no one has identified it
DiscoveryIdentified but not yet announced
AnnouncementPublicly disclosed — attackers become aware
ExploitAutomated exploit code published
PatchVendor releases a fix

Real-World Example: PowerPoint Zero-Day

Malicious .ppt files exploited a memory-access error in Microsoft PowerPoint 2000–2003 and Office 2004 for Mac, allowing remote code execution with the logged-in user’s privileges. Microsoft recommended using the Office Isolated Conversion Environment (MOICE) as an interim workaround.

Zero-Day Protection Architecture

  • Protocol Anomaly Detection — blocks traffic not conforming to protocol standards.
  • Pattern Matching — removes high-risk file types by inspecting full packet payloads.
  • Behaviour Analysis — identifies suspicious behaviours including DoS, DDoS, and port scans.

Defence Recommendations

  • Apply the Principle of Least Privilege for all user access controls.
  • Restrict active code (JavaScript, ActiveX) execution in browsers.
  • Use Group Policy Objects in Active Directory to limit user access.
  • Do not rely solely on antivirus — zero-day exploits evade signature detection until new signatures are released.

Brute Force Attacks: How Attackers Crack Passwords and How to Stop Them

May 14, 2026

Brute Force Attacks use exhaustive trial-and-error to guess authentication credentials — usernames, passwords, credit-card numbers, or cryptographic keys — by systematically testing all possible combinations.

Normal vs Reverse Brute Force

TypeMechanism
NormalSingle username tested against many passwords
ReverseMany usernames tested against one common password (e.g., “123456”)

Session ID and URL Parameter Attacks

Beyond login credentials, brute force tools can target session IDs in URLs, iterating thousands of values to find valid sessions or access unauthorised resources.

http://exampledoc.com/note.jsp?msgID=12345
← attacker iterates msgID values to read other users' messages

Prevention Techniques

  • Use long, truly random passwords not based on dictionary words.
  • Change passwords frequently to limit exposure after a compromise.
  • Block IPs attempting access to more than three accounts simultaneously.
  • Restrict failed login attempts before triggering account lockout or a time delay.
  • Destroy the session after too many consecutive retries.
  • Monitor HTTP POST requests from login forms for anomalous volumes.
  • Review server log files regularly for suspicious login patterns.

Directory Indexing Attacks: When Your Web Server Reveals Too Much

May 14, 2026

Directory Indexing occurs when a web server displays a file listing of a directory instead of the intended web page — typically because no default file (index.html, home.html, etc.) is present. While potentially harmless alone, it creates an information leakage vector that aids further attacks.

What Attackers Can Discover

  • Backup files with extensions .bak, .old, .orig
  • Temporary files not properly purged from the server
  • Hidden files starting with a period (.)
  • Naming conventions that reveal directory and admin path structure
  • Configuration files (.conf, .cfg) containing access control data
  • Script code in /cgi-bin/ if permissions are misconfigured

Controlling Indexing with .htaccess

# Disable all directory listing
Options -Indexes
# Block all files from appearing in listings
IndexIgnore *

The .htaccess file must be uploaded as ASCII (not binary) and set to permissions 644 to prevent browsers from reading it directly.

Prevention Guidance

  • Disable directory indexing in the web server’s Options Directive unless specifically required.
  • Use mod_security to detect directory-listing output in the HTTP response stream.
  • Ensure all directories that should not be browsable have a default index file or explicit deny rule.
  • Audit web server configurations after any structural changes.

Information Leakage Attacks: How Applications Unintentionally Reveal Sensitive Data

May 14, 2026

Information Leakage occurs when a web application unintentionally exposes sensitive data — through developer comments, verbose error messages, or plaintext content — that aids an attacker in planning SQL Injection, XSS, or other targeted attacks.

Three Categories of Information Leakage

CategoryExample
Comments in CodeHTML comment exposing server name: <!--If missing, restart VADER-->
Verbose Error MessagesSQL error revealing query structure and parameter names
Confidential Data in Plain SightCredentials or connection strings in source HTML

SQL Error Message Attack Example

Placing an apostrophe in a login field may trigger a verbose error such as:

System.Data.OleDb.OleDbException: Syntax error (missing operator)
in query expression 'username = ''' and password = 'g''

This reveals the username and password parameter names — exactly what an attacker needs to craft a SQL Injection payload.

Prevention Guidance

  • Filter all outbound data from web applications before sending to the client.
  • Intercept verbose database error messages and substitute a generic HTTP 500 response.
  • Strip all developer comments from HTML before deployment.
  • Redirect errors to a user-facing page that discloses no internal detail.
  • Transmit server-to-client data in encrypted form.
  • Remove or suppress server banners and version information.

SMTP-AUTH: Securing Email Transmission and Preventing Spam Relay

May 14, 2026

SMTP was designed without any security features — messages are transmitted as unencrypted ASCII and can be easily forged. There is no mechanism for verifying sender identity or message integrity. SMTP-AUTH addresses this by requiring clients to authenticate with the mail server before sending.

SMTP Security Risks Without AUTH

  • Email messages can be read by any party along the routing path.
  • Messages can be forged with a fictitious or stolen “From” address.
  • No message integrity or sender verification guarantees exist.
  • SMTP flooding attacks overwhelm servers by opening massive numbers of simultaneous connections.

SMTP-AUTH Benefits

  • Allows legitimate users to send mail from any IP worldwide — essential for mobile workers.
  • Denies relay service to spammers and unauthorised users.
  • Supports alternate SMTP ports, bypassing ISP blocks on the default port 25.
  • Creates an audit trail for tracing the source of spoofed or abusive email.

HTTP Verb Tampering: Bypassing Security Controls with Unexpected HTTP Methods

May 14, 2026

HTTP Verb Tampering exploits Verb-Based Authentication and Access Control (VBAAC) mechanisms. When security rules explicitly list which HTTP methods are allowed, they inadvertently permit all unlisted methods. Attackers use HEAD, TRACE, or arbitrary strings like “JEFF” to bypass security constraints entirely.

The VBAAC Flaw (Java EE Example)

<security-constraint>
  <web-resource-collection>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>

This rule intends to restrict /admin/* to admins. In practice, a HEAD or “JEFF” request bypasses the rule and executes the admin function without authentication.

Avoid Sending Sensitive Data via GET

# NEVER — card number is logged in clear text in server logs:
http://www.example.com/process_card.asp?cardnumber=1234567890123456

Prevention Guidance

  • Enable “deny all” as the default — protect all HTTP methods, not just listed ones.
  • Remove all <http-method> elements from web.xml to protect methods equally.
  • Configure the server to disallow HEAD requests entirely.
  • Ensure all GET-accessible functions are idempotent (read-only, no state changes).

Site Probing: How Attackers Scan and Map Your Web Application

May 14, 2026

Site Probing is the initial reconnaissance phase of any web application attack. The attacker systematically maps the web application’s structure, pages, parameters, OS, database, and infrastructure — building a complete profile before launching targeted exploits.

Probing Methodology

  1. OS Detection: Identify via HTTP response headers, file extensions, or automated tools.
  2. Infrastructure Mapping: Directory traversal, database server identification, content platform discovery.
  3. Application Scanning: Map all pages, dynamic parameters, cookies, and transaction flows.

Attacker Techniques During Probing

TechniqueGoal
Non-Existent URLsGenerate error messages that reveal application structure
Long Parameter ValuesDetect buffer overflow candidates
Unauthorized Path AccessFind unprotected admin paths (/iisadmin/, /iissamples/)
Adding/Removing ParametersIdentify required vs optional parameters per URL

Important: Ports 80 and 443 must remain open for business. Traditional firewalls and IDS/IPS do not protect against application-layer probing — a dedicated Web Application Firewall (WAF) is required.

Prevention Guidance

  • Disable unnecessary protocols and lock down ports with firewall rules.
  • Configure web servers to suppress banner information.
  • Deploy an IDS configured to detect and reject scanning patterns.

E-mail Spoofing: Forged Emails and How to Detect and Prevent Them

May 14, 2026

E-mail Spoofing is the forgery of an email header so that a message appears to originate from someone or somewhere other than the actual source. Since SMTP does not require authentication, a sender can set any “From” address — whether fictitious or stolen.

Why Spoofed Email is Dangerous

  • Tricks users into changing passwords or sending sensitive files (impersonating IT admins).
  • Facilitates social engineering by impersonating people in authority.
  • If your address is used as the return address for spam, your domain may be added to blocklists.

Prevention Guidance

  • Cryptographic Signatures: Use PGP or S/MIME to digitally sign and authenticate email.
  • SMTP Port Lockdown: Prevent direct external SMTP connections to your mail server.
  • SMTP-AUTH: Require authentication for all outbound relay.
  • Centralised Logging: Route all inbound SMTP through a single hub for unified log analysis.
  • User Education: Train users to never disclose passwords via email regardless of sender identity.
  • Domain Name Checks: Verify source domain existence on the recipient server (SPF records).

Scareware: How Fake Security Alerts Trick Users into Installing Malware

May 14, 2026

Scareware is malware that exploits users’ fear of online threats. It presents alarming pop-up messages claiming the device is infected, then pressures the user into purchasing fake “security software” — which is itself malicious or completely useless.

“CRITICAL ERROR MESSAGE! — REGISTRY DAMAGED AND CORRUPTED.” | “WARNING: YOUR COMPUTER IS VULNERABLE! CLICK HERE TO PROTECT YOURSELF!”

How Scareware Works

  1. A user visits a legitimate site but is redirected to a malicious page that runs a fake security scan.
  2. The fake scan reports malware and generates urgent pop-ups urging software purchase.
  3. The purchased “fix” is either useless or actual malware installed on the system.

Scareware infections reached nearly 8 million in the second half of 2008 — a 48% increase from the prior six months (Microsoft Security Intelligence Report, 2009).

Warning Signs

  • Unsolicited ads promising to delete viruses, improve performance, or clean the registry.
  • Pop-ups claiming your antivirus is out-of-date and your machine is in immediate danger.
  • Unfamiliar websites initiating security scans without user action.
  • Pressure to download free “security scanners.”

Prevention Guidance

  • Shut down the browser immediately — do NOT click “No,” “Cancel,” or ✕. Use Task Manager (Ctrl+Alt+Del → End Task).
  • Search the software name in a search engine before downloading anything.
  • Legitimate antivirus vendors never use browser ads to alert users about infections.
  • Always update antivirus through the application’s own control panel, never through pop-up prompts.