Domain 2: Threats, Vulnerabilities, and Mitigations Review — 19 of 61

Domain 2 – Section B Review: Vulnerability Categories

Security+ Domain 2 — Threats, Vulnerabilities, and Mitigations
Section B — Vulnerability Categories Review (10 Questions)

This section integrates:

  • Application and Software Vulnerabilities
  • Operating System and Hardware Vulnerabilities
  • Cloud and Virtualization Vulnerabilities
  • Web and Mobile Application Vulnerabilities

Security+ expects you to identify vulnerability types across different platforms and understand how they are exploited.


1. Application and Software Vulnerabilities

Software vulnerabilities arise from coding errors, design flaws, and inadequate input validation:

  • Buffer overflow — writing beyond allocated memory, enabling code execution.
  • SQL injection — inserting malicious queries through unvalidated input fields.
  • Cross-site scripting (XSS) — injecting scripts into web pages viewed by other users.
  • Race conditions — exploiting timing dependencies between operations.
  • Memory leaks — failing to release allocated memory, causing degradation.

Most application vulnerabilities exist because input was trusted when it should not have been.

The defense pattern is consistent: validate input, enforce least privilege, and apply patches promptly.


2. OS and Hardware Vulnerabilities

Operating systems and hardware introduce vulnerabilities at the platform level:

  • Unpatched systems — known vulnerabilities left exposed.
  • Default configurations — factory settings with weak or no credentials.
  • End-of-life software — no longer receiving security updates.
  • Firmware vulnerabilities — low-level code that is difficult to update.
  • Hardware root of trust failures — compromised TPM or secure boot.

If the operating system is compromised, every application running on it is compromised.
If the hardware is compromised, the entire trust chain collapses.

3. Cloud and Virtualization Risks

Cloud and virtual environments introduce shared responsibility and multi-tenancy risks:

  • VM escape — breaking out of a virtual machine to access the hypervisor.
  • Misconfigured cloud storage — publicly exposed buckets and blobs.
  • Insecure APIs — cloud service interfaces without proper authentication.
  • Shared responsibility confusion — assuming the provider handles security the customer owns.
  • Resource exhaustion — noisy neighbor effects in shared environments.

Cloud does not eliminate risk — it shifts where the risk lives.


4. Web and Mobile Attack Surfaces

Web and mobile applications expand the attack surface through client-side code and network exposure:

  • CSRF (Cross-Site Request Forgery) — forcing authenticated users to perform unwanted actions.
  • Insecure direct object references — manipulating parameters to access unauthorized data.
  • Jailbreaking/rooting — removing mobile OS security restrictions.
  • Sideloading — installing apps from untrusted sources.

The browser is the new perimeter. The mobile device is the new endpoint.

Section B Decision Pattern

When unsure in Domain 2 Section B:

  1. Classify the vulnerability by platform (application, OS, cloud, mobile).
  2. Identify the root cause — input validation, configuration, or design.
  3. Match the exploit to the specific vulnerability type.
  4. Apply the shared responsibility model for cloud questions.
  5. Remember: patching is always the most direct remediation for known vulnerabilities.

Section B – Practice Questions


Question 1

A web application allows users to search a product catalog. An attacker enters ' OR 1=1 -- into the search field and gains access to all database records. What vulnerability was exploited?

A. SQL injection
B. Cross-site scripting
C. Buffer overflow
D. Cross-site request forgery

Answer & reasoning

Correct: A

The input ' OR 1=1 -- is a classic SQL injection payload. The application passes unvalidated user input directly into a SQL query, allowing the attacker to manipulate the query logic and retrieve all records.
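The following is an added example (not part of the study guide) that reproduces Question 1 against a small in-memory SQLite catalog built inline. `search_vulnerable` splices the search term into the query text, which is the defect the question describes; `search_parameterized` binds it as a value instead. The table, product names and the `public` column are constructed for the example.

```python
import sqlite3

PAYLOAD = "' OR 1=1 --"  # the payload quoted in Question 1


def make_catalog() -> sqlite3.Connection:
    """Constructed product catalog: two public items and one that must stay hidden."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("laptop", 1), ("mouse", 1), ("internal-prototype", 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The term becomes part of the SQL grammar. With the payload the WHERE clause
    # turns into  public = 1 AND name LIKE '%' OR 1=1 --%'  so every row matches.
    sql = f"SELECT name FROM products WHERE public = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    # The driver sends the term as a bound value; quotes and comment markers in it
    # are just characters to match, never query syntax.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = make_catalog()
    print("normal search, vulnerable:     ", search_vulnerable(db, "lap"))
    print("normal search, parameterized:  ", search_parameterized(db, "lap"))
    print("payload, vulnerable:           ", search_vulnerable(db, PAYLOAD))
    print("payload, parameterized:        ", search_parameterized(db, PAYLOAD))
```

Running it shows the vulnerable query returning all three rows, including the non-public one, while the parameterized query returns nothing for the payload and behaves identically for ordinary searches. Validation of the term (length, allowed characters) is still worthwhile, but parameter binding is what removes the injection.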


Question 2

A company migrates to a cloud provider and assumes the provider manages all security. After a data breach caused by a misconfigured storage bucket, who is responsible?

A. The cloud provider exclusively
B. The customer exclusively
C. Both, under the shared responsibility model
D. Neither — it is a regulatory failure

Answer & reasoning

Correct: B

Under the shared responsibility model, the cloud provider secures the infrastructure, but the customer is responsible for configuring their own resources. A misconfigured storage bucket is the customer's responsibility. The provider secures the platform; the customer secures what they put on it.


Question 3

A security scan reveals a server running Windows Server 2012, which reached end of life. What is the PRIMARY risk?

A. Reduced performance
B. Higher licensing costs
C. Incompatible applications
D. No new security patches from the vendor

Answer & reasoning

Correct: D

End-of-life software no longer receives security updates. Any newly discovered vulnerabilities will remain unpatched, creating permanent exposure. This is the primary risk because it directly affects the system's ability to resist attacks.


Question 4

An attacker exploits a vulnerability in a virtual machine to gain access to the hypervisor and other VMs on the same host. What type of attack is this?

A. VM escape
B. Container breakout
C. Resource exhaustion
D. API exploitation

Answer & reasoning

Correct: A

VM escape occurs when an attacker breaks out of a virtual machine's isolation to access the hypervisor or other VMs. This compromises the fundamental security boundary that virtualization provides.


Question 5

A developer stores user session tokens in the URL. An attacker accesses these tokens through browser history and referrer headers. What vulnerability category does this represent?

A. Buffer overflow
B. Insecure direct object reference
C. Improper session management
D. Cross-site scripting

Answer & reasoning

Correct: C

Storing session tokens in URLs is improper session management. Tokens in URLs are logged in browser history, server logs, and referrer headers, making them accessible to attackers. Session tokens should be stored in secure cookies or headers, not in the URL.
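As an added example (not from the study guide), the code below shows both sides of Question 5 from a defender's seat: a check that scans access-log lines for session-like values carried in query strings, and the `Set-Cookie` header that keeps the token out of URLs, logs and Referer headers. The log lines, the parameter-name list and the cookie name `session` are all constructed assumptions.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Query-parameter names that commonly carry session identifiers (assumed list).
TOKEN_PARAMS = {"sessionid", "session_id", "sid", "token", "jsessionid", "phpsessid"}

# Constructed access-log lines in Common Log Format; not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /account?sessionid=abc123 HTTP/1.1" 200 512
10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET /catalog?q=laptop HTTP/1.1" 200 2048
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.8 - - [10/Oct/2023:13:56:02 +0000] "GET /report?format=pdf&token=eyJhbGci HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')


def tokens_in_urls(log_text: str) -> list:
    """Return (path, parameter) pairs where a session-like value travelled in the URL."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        for name in parse_qs(parts.query, keep_blank_values=True):
            if name.lower() in TOKEN_PARAMS:
                findings.append((parts.path, name))
    return findings


def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie value for a session token kept out of the URL."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True     # only sent over TLS
    cookie["session"]["httponly"] = True   # not readable by page scripts
    cookie["session"]["samesite"] = "Lax"  # not attached to most cross-site requests
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    for path, param in tokens_in_urls(SAMPLE_LOG):
        print(f"session value in URL: {path} (parameter {param})")
    print("Set-Cookie:", session_cookie_header("abc123"))
```

The scan is a detection heuristic, not a proof: it flags parameter names, so a token under an unusual name slips through, and a harmless value under `token` is a false positive to triage. The cookie side is the remediation the answer describes: the token moves to a cookie marked `Secure`, `HttpOnly` and `SameSite`, so it never appears in a URL, a proxy log or a Referer header.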


Question 6

An IoT device ships with a default username of "admin" and password of "admin." The manufacturer does not require a password change during setup. What is the PRIMARY vulnerability?

A. Buffer overflow
B. Firmware vulnerability
C. Default credentials
D. Insecure API

Answer & reasoning

Correct: C

Default credentials are a well-known vulnerability. When devices ship with predictable credentials and do not force a change, attackers can easily gain access using publicly documented default passwords.


Question 7

A user jailbreaks their corporate iPhone to install an app not available in the App Store. What security risk does this PRIMARILY introduce?

A. Increased battery consumption
B. Removal of built-in OS security controls
C. Violation of the service contract
D. Network bandwidth overuse

Answer & reasoning

Correct: B

Jailbreaking removes the iOS sandbox and other built-in security controls. This allows unsigned code to run, bypasses app store vetting, and exposes the device to malware and exploits that the OS would normally prevent.


Question 8

A web application displays user-submitted comments without sanitization. An attacker submits a comment containing JavaScript that steals cookies from other visitors. What vulnerability is this?

A. SQL injection
B. Server-side request forgery (SSRF)
C. Cross-site request forgery (CSRF)
D. Cross-site scripting (XSS)

Answer & reasoning

Correct: D

This is stored (persistent) cross-site scripting. The attacker injects malicious JavaScript through the comment field, and the script executes in the browsers of other users who view the comment. The root cause is failure to sanitize user input before rendering it.
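The following added example (not code from the study guide) illustrates the root cause named in the Question 8 answer and its fix: the same stored comment rendered once by raw interpolation and once through output encoding. The comments, the list-item markup and the helper names are constructed for the example.

```python
import html
from typing import List

# Constructed comments; the second is the shape of payload Question 8 describes.
COMMENTS = [
    "Great product, works as described.",
    "<script>alert(document.cookie)</script>",
    'Use <b>bold</b> carefully & "quote" things',
]


def render_unsafe(comment: str) -> str:
    # The defect: the raw comment is interpolated into markup, so any tags the
    # submitter included become part of the page and run in every viewer's browser.
    return f'<li class="comment">{comment}</li>'


def render_escaped(comment: str) -> str:
    # Output encoding: <, >, &, " and ' become entities, so the browser displays
    # the comment as text instead of parsing it as HTML.
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def contains_script_tag(markup: str) -> bool:
    """Cheap check used here to show the difference between the two renderers."""
    return "<script" in markup.lower()


def render_page(comments: List[str]) -> str:
    """Render the whole comment list with escaping applied to every entry."""
    items = "\n".join(render_escaped(c) for c in comments)
    return f"<ul>\n{items}\n</ul>"


if __name__ == "__main__":
    print("unsafe: ", render_unsafe(COMMENTS[1]))
    print("escaped:", render_escaped(COMMENTS[1]))
    print(render_page(COMMENTS))
```

Escaping at render time is the right place for the control because it matches the context the data is written into; stripping tags at submission time is weaker, since the same text may later be emitted into an attribute or a script block where different characters matter. Marking the session cookie `HttpOnly` limits what a script that does slip through can read, but it does not replace encoding.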


Question 9

A cloud API endpoint allows unauthenticated requests to list all storage objects in a tenant's account. What is the MOST appropriate classification?

A. Insecure API
B. VM escape
C. Resource exhaustion
D. Misconfigured firewall

Answer & reasoning

Correct: A

An API that allows unauthenticated access to sensitive operations is an insecure API. Cloud APIs must enforce authentication, authorization, and rate limiting. Allowing unauthenticated listing of storage objects exposes the tenant's data to anyone who discovers the endpoint.


Question 10

A C program copies user input into a fixed-size buffer without checking the length. An attacker sends input that overflows the buffer and overwrites the return address to execute malicious code. What vulnerability is this?

A. SQL injection
B. Race condition
C. Buffer overflow
D. Memory leak

Answer & reasoning

Correct: C

Buffer overflow occurs when a program writes beyond the allocated buffer boundary. By overwriting the return address, the attacker redirects execution to malicious code. The root cause is the failure to validate input length before copying it into a fixed-size buffer.
