Web-Based and Mobile Device Vulnerabilities

Security+ Domain 2 — Threats, Vulnerabilities, and Mitigations B — Vulnerability Categories 12–15 minutes

What the Exam Is Really Testing

What happens when a user's browser becomes the attack surface? Or when the phone in someone's pocket bypasses every security control your organization spent years building?

Web applications and mobile devices share something in common: they operate at the edges of your security perimeter, where user behavior and platform trust intersect.

Identify web application vulnerabilities that target session management and file system access, and recognize mobile device risks that bypass platform security controls.

This module builds on the application vulnerabilities covered in Module 11 by focusing on web-specific session attacks and the mobile-specific risks that come from devices operating outside traditional network perimeters.

Web Application Vulnerabilities

Directory Traversal

Directory traversal (also called path traversal) exploits insufficient input validation on file path parameters. The attacker manipulates file path references to access files and directories outside the intended web root.

A typical attack uses ../ sequences to navigate up the directory tree:

https://example.com/page?file=../../../../etc/passwd

If the application does not validate or sanitize the file path, it returns the contents of the system password file instead of the intended page.

Directory traversal can expose:

Configuration files with credentials and connection strings
Application source code revealing logic and vulnerabilities
System files providing OS and infrastructure details
Log files containing sensitive user activity data

Mitigation: validate and sanitize all file path inputs, use chroot jails to restrict file system access, and implement allow-listing for accessible files rather than relying on blocking malicious patterns.

Cookie Manipulation

Cookies store session identifiers, user preferences, and sometimes authentication tokens in the user's browser. Cookie manipulation occurs when an attacker modifies cookie values to alter application behavior.

Attack scenarios include:

Changing a role=user cookie to role=admin to escalate privileges
Modifying a shopping cart cookie to change prices
Altering user ID values to access another user's account

These attacks succeed when applications store sensitive state information in client-side cookies without server-side validation or integrity protection.

Mitigation: never trust client-side data for authorization decisions, use server-side session management, and implement cookie integrity checking through signing or encryption.

Session Hijacking

Session hijacking steals or forges a user's session identifier to impersonate them. Once an attacker has a valid session ID, the server treats them as the legitimate user.

Common session hijacking methods:

Session sniffing — Intercepting session tokens transmitted over unencrypted connections
XSS-based theft — Using cross-site scripting to steal session cookies via JavaScript
Session fixation — Forcing a user to authenticate with a session ID the attacker already knows
Session prediction — Guessing session IDs when they follow a predictable pattern

Mitigation: use HTTPS for all authenticated sessions, set the HttpOnly and Secure flags on session cookies, regenerate session IDs after authentication, and implement session timeout policies.

Mobile Device Vulnerabilities

Sideloading

Sideloading installs applications from sources outside the official app store, bypassing the security review, code signing verification, and malware scanning that app stores provide.

Sideloaded apps may:

Contain malware disguised as legitimate applications
Request excessive permissions to access contacts, location, camera, or files
Lack security updates since they are not managed through official channels
Include modified versions of legitimate apps with injected malicious code

On Android, sideloading requires enabling "Install from unknown sources." On iOS, sideloading typically requires enterprise certificates or jailbreaking. The exam treats sideloading as a significant risk that bypasses platform security controls.

Jailbreaking and Rooting

Jailbreaking (iOS) and rooting (Android) remove the manufacturer's security restrictions on a mobile device, granting the user — and any installed application — full administrative access.

Security implications:

Removes sandboxing that isolates applications from each other
Disables code signing verification, allowing unsigned apps to run
Bypasses built-in security controls like Secure Boot and integrity checking
Voids manufacturer support and may prevent security updates
Any application can access any data on the device, including corporate data

For the exam, jailbroken and rooted devices are considered compromised. The correct organizational response involves MDM policies that detect and block jailbroken/rooted devices from accessing corporate resources.

Insecure Connections

Mobile devices frequently connect to untrusted networks — public Wi-Fi, hotel networks, airport hotspots. These connections expose data to interception because:

Applications may not enforce TLS for all connections
Certificate validation may be disabled or improperly implemented
Users may dismiss certificate warnings without understanding the risk
Evil twin attacks create convincing fake access points

Mitigation: enforce VPN connections for corporate data access, require TLS for all application communications, implement certificate pinning for critical applications, and train users to avoid connecting to untrusted networks.

MDM Bypass

Mobile Device Management (MDM) enforces security policies on enrolled devices: password requirements, encryption, remote wipe capability, app restrictions, and configuration profiles. MDM bypass circumvents these controls.

Bypass methods include:

Unenrolling the device from MDM management
Jailbreaking or rooting to disable MDM enforcement agents
Using a personal device without MDM enrollment to access corporate data
Exploiting MDM platform vulnerabilities to modify or remove policies

On the exam, MDM bypass is treated as a policy enforcement failure. The correct response involves conditional access policies that verify device compliance before granting access to corporate resources.

Pattern Recognition

When you encounter web or mobile vulnerability questions:

Is the attack targeting the web server, the browser, or the mobile device?
What trust boundary is being crossed?
Is the vulnerability about input validation, session management, or platform security?
Does the mitigation belong at the application, network, or device management layer?

Pattern shortcuts:

../ in a URL parameter = directory traversal
Modified cookie values changing user role = cookie manipulation
Stolen session token used to impersonate a user = session hijacking
App installed from outside the app store = sideloading
Device with removed security restrictions = jailbreaking/rooting
MDM policies not enforced = MDM bypass

Trap Patterns

Common traps:

Confusing directory traversal with SQL injection. Directory traversal accesses files on the file system. SQL injection accesses data in a database. Both exploit input validation failures, but the target is different.
Treating cookie manipulation as always possible. Cookie manipulation only works when the server trusts client-side cookie values for security decisions without verification. Properly implemented applications validate all client-side data server-side.
Assuming VPN solves all mobile risks. VPN protects data in transit but does not address sideloading, jailbreaking, or device-level vulnerabilities. The exam expects layered mobile security.
Thinking jailbreaking only affects the user. In a BYOD or corporate device scenario, jailbreaking affects the entire organization because corporate data on the device is no longer protected by platform security controls.

Scenario Practice

Question 1

A web application vulnerability scan reveals that the URL parameter download?file=report.pdf can be manipulated to access download?file=../../../etc/shadow, returning the system's password hash file.

Which vulnerability is present?

Answer & reasoning

Answer: Directory traversal

The application allows ../ sequences in file path parameters, enabling navigation outside the intended directory. The attacker accessed a system file by traversing up the directory tree from the web application's file directory.

The fix is input validation that strips or rejects path traversal sequences and restricting the application's file system access to specific directories.

Question 2

A company's MDM solution detects that an employee's phone has been jailbroken. The phone has access to corporate email, cloud storage, and internal applications. The employee claims they jailbroke the phone to install a custom keyboard app.

What is the MOST appropriate response?

Answer & reasoning

Answer: Block the device from accessing corporate resources until the jailbreak is removed

Regardless of the employee's intent, a jailbroken device has removed platform security controls that protect corporate data. Application sandboxing, code signing, and integrity checking are disabled. The device should be blocked from corporate access until it is restored to a compliant state.

The employee's reason for jailbreaking is irrelevant to the security risk. Intent does not change the vulnerability.

Question 3

A security analyst discovers that an attacker intercepted a session cookie over an unencrypted Wi-Fi connection and used it to access a user's online banking session from a different device.

Which web vulnerability was exploited, and what is the PRIMARY mitigation?

Answer & reasoning

Answer: Session hijacking, mitigated primarily by enforcing HTTPS with Secure cookie flags

The attacker captured the session cookie over an unencrypted connection (session sniffing) and replayed it. Enforcing HTTPS ensures session cookies are encrypted in transit, and the Secure cookie flag prevents cookies from being sent over unencrypted connections.

Additional mitigations include HttpOnly flags (preventing JavaScript access to cookies) and session binding to client characteristics.

Key Takeaway

Web vulnerabilities exploit trust in user input and session management. Directory traversal gets at the file system through path manipulation. Session hijacking steals authenticated access without ever needing credentials. The fix for both starts with the same principle: never trust client-side data.

Mobile vulnerabilities exploit trust in device integrity. Jailbreaking and rooting strip away the platform controls that keep corporate data isolated. MDM only works when compliance is verified, not just assumed.

Never trust client-side data. Never trust an unmanaged device. Validate everything.