Security Glossary
A developer-friendly guide to web application security terms, explained with Laravel examples.
Attack Types
Man-in-the-Middle Attack (MITM)
An attack where an adversary secretly intercepts and potentially modifies communication between two parties who believe they are communicating directly with each other. The attacker can read, inject, or alter data in transit.
Session Hijacking
An attack where an adversary takes over a valid user session by stealing or predicting the session identifier. Once the attacker has the session ID, they can impersonate the user and perform any action the user is authorized to do.
Brute-Force Attack
An attack method that tries every possible combination of credentials until the correct one is found. Brute-force attacks target login forms, API keys, encryption keys, and any authentication mechanism that does not limit the number of attempts.
DDoS (Distributed Denial of Service)
An attack that overwhelms a server or network with traffic from many sources simultaneously, making it unavailable to legitimate users. Unlike a simple DoS attack from one source, DDoS attacks use thousands of compromised devices (a botnet) to generate traffic that is difficult to filter.
Phishing
A social engineering attack where an attacker impersonates a trusted entity to trick victims into revealing sensitive information (credentials, financial data) or performing harmful actions (clicking malicious links, downloading malware). Phishing typically occurs via email but also through SMS, phone calls, and fake websites.
Infrastructure Security
SSL/TLS
Cryptographic protocols that provide encrypted communication between a client (browser) and server. SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security). TLS 1.2 and 1.3 are the current standards. These protocols ensure that data transmitted between users and your application cannot be read or tampered with by a third party on the network path.
Subdomain Takeover
A vulnerability where a DNS record (usually a CNAME) points to an external service that is no longer controlled by the domain owner. An attacker can claim the abandoned service and serve their own content on the subdomain, which appears to be part of the legitimate domain.
DNS Security
The practice of protecting Domain Name System infrastructure from attacks and misconfigurations. DNS security includes preventing cache poisoning, unauthorized zone transfers, and subdomain takeovers, and ensuring proper email authentication (SPF, DKIM, DMARC).
Security Concepts
Attack Surface
The total set of points where an attacker can try to enter or extract data from a system. This includes every API endpoint, open port, login form, file upload, third-party integration, and piece of infrastructure reachable from the outside.
Attack Vector
A specific method or path an attacker uses to exploit a vulnerability and gain unauthorized access to a system. While the attack surface is the total collection of entry points, an attack vector is the specific technique used against one of those entry points.
Vulnerability
A weakness in a system that can be exploited by an attacker to perform unauthorized actions. Vulnerabilities can exist in code, configuration, infrastructure, or processes. They range in severity from informational to critical.
Exploit
A piece of code, technique, or sequence of actions that takes advantage of a vulnerability to produce unintended behavior. Exploits turn theoretical vulnerabilities into actual security breaches.
Zero-Day Vulnerability
A vulnerability that is unknown to the software vendor and has no available patch. The term "zero-day" refers to the fact that developers have had zero days to fix the issue. Zero-day exploits are particularly dangerous because no patch exists until the vendor releases one.
Configuration Drift
The gradual, unintended divergence of a system's configuration from its intended state over time. Configuration drift happens through manual changes, deployment errors, package updates, or infrastructure modifications that are not tracked or reverted.
Security Practices
Penetration Testing
A simulated cyberattack performed by security professionals to evaluate the security of a system. Penetration testers (pentesters) attempt to exploit vulnerabilities using the same techniques real attackers would use, then provide a report of findings with remediation guidance.
Vulnerability Scanning
The automated process of identifying known security weaknesses in systems, networks, and applications. Vulnerability scanners compare your system against databases of known vulnerabilities (CVEs) and misconfigurations to produce a report of findings.
Rate Limiting
A technique that controls the number of requests a client can make to a server within a specified time period. Rate limiting protects against brute-force attacks, denial of service, API abuse, and web scraping by rejecting requests that exceed the defined threshold.
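The threshold-and-window idea described above, as an added illustration that is not code from this glossary or from Laravel: a sliding-window limiter keyed per client, with the current time passed in explicitly so the behaviour is deterministic. The client key, limit and window values are assumed.

```python
"""Sliding-window rate limiter (added example; framework-neutral, not Laravel code)."""
from collections import defaultdict, deque
from typing import Deque, Dict, List


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        """Return True if a request at time `now` is within the limit, else False.

        `key` identifies the client (IP, user id, hashed API token); `now` is
        injected rather than read from the clock so tests are repeatable.
        """
        q = self._hits[key]
        cutoff = now - self.window
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over threshold: reject and do NOT record the hit
        q.append(now)
        return True

    def retry_after(self, key: str, now: float) -> float:
        """Seconds until the oldest in-window hit expires (0.0 if not limited)."""
        q = self._hits[key]
        if len(q) < self.limit:
            return 0.0
        return max(0.0, q[0] + self.window - now)


def simulate_login_attempts(attempt_times: List[float], limit: int = 5,
                            window: float = 60.0) -> List[bool]:
    """Run a constructed burst of login attempts from one client through the limiter."""
    limiter = SlidingWindowLimiter(limit, window)
    return [limiter.allow("203.0.113.7", t) for t in attempt_times]  # constructed client IP
```

Rejected requests are not recorded, so a client that keeps hammering does not push its own window further out; the window slides as old hits expire.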
Security Standards
CVE (Common Vulnerabilities and Exposures)
A standardized identifier for publicly known security vulnerabilities. Each CVE entry includes a unique ID (e.g., CVE-2024-1234), a description, and a severity rating. The CVE system is maintained by MITRE and used globally to track and reference vulnerabilities.
OWASP (Open Worldwide Application Security Project)
A nonprofit foundation that produces freely available tools, documentation, and standards for web application security. OWASP is best known for the OWASP Top 10, a list of the ten most critical web application security risks, updated every few years based on real-world data.
OWASP Top 10
A regularly updated list of the ten most critical security risks to web applications, published by the OWASP Foundation. The current version (2021) includes: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable and Outdated Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, A10 Server-Side Request Forgery.
Security Tools
External Attack Surface Management (EASM)
The continuous process of discovering, monitoring, and managing all internet-facing assets and their security posture from an external perspective. EASM tools scan your applications the way an attacker would, identifying exposed services, misconfigurations, and vulnerabilities visible from the outside.
Web Application Firewall (WAF)
A security tool that monitors and filters HTTP traffic between the internet and a web application. A WAF protects against common attacks like SQL injection, XSS, and request forgery by analyzing request patterns and blocking malicious traffic before it reaches your application.
Vulnerabilities
Cross-Site Scripting (XSS)
A vulnerability where an attacker injects malicious JavaScript into web pages viewed by other users. The injected script runs in the victim's browser with the same privileges as legitimate scripts, allowing the attacker to steal session tokens, redirect users, or modify page content.
Cross-Site Request Forgery (CSRF)
An attack where a malicious website tricks a user's browser into performing an unwanted action on a site where the user is authenticated. The browser automatically sends cookies with the request, so the target site processes it as a legitimate action from the user.
SQL Injection
A vulnerability where an attacker inserts malicious SQL code into a query through user input. If the application passes user input directly into SQL text without using parameterized queries or proper escaping, the attacker can read, modify, or delete data, and in some cases execute commands on the database server.
Security Misconfiguration
A security weakness caused by incorrect or incomplete configuration of applications, servers, databases, or infrastructure. Security misconfiguration is consistently in the OWASP Top 10 (A05) because it is extremely common and often easy to exploit.
Web Security
Security Headers
HTTP response headers that instruct browsers how to handle your website's content securely. They protect against common attacks like cross-site scripting (XSS), clickjacking, and protocol downgrade attacks by telling the browser what actions are allowed.
HTTP Strict Transport Security (HSTS)
A security header that tells browsers to only connect to your website over HTTPS. Once a browser receives the HSTS header, it will automatically convert all future HTTP requests to HTTPS for the specified duration, preventing protocol downgrade attacks and cookie hijacking.
CORS (Cross-Origin Resource Sharing)
A browser security mechanism that controls which origins (domains) may make requests to your web application from a web page and read the responses. By default, the browser's same-origin policy prevents a page on one origin from reading responses from a different origin. CORS headers tell the browser which origins, methods, and headers are allowed.
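A small audit of the HSTS and CORS headers described in the three entries above, as an added example that is not code from this glossary or from Laravel. It assumes a one-year minimum max-age and an allowlist of origins supplied by the caller; the sample responses are constructed, not captured from any real site.

```python
"""Check a response's HSTS and CORS headers (added example; framework-neutral)."""
from typing import Dict, List, Set

HSTS_MIN_AGE = 31536000  # one year; assumed threshold for this example


def parse_hsts(value: str) -> Dict[str, str]:
    """Turn 'max-age=31536000; includeSubDomains; preload' into a directive dict."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()  # flag directives map to ''
    return directives


def audit_headers(headers: Dict[str, str], allowed_origins: Set[str]) -> List[str]:
    """Return findings for weak HSTS or risky CORS settings; empty list means none found."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browser will still follow plain-HTTP links to this host")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age={max_age} is below {HSTS_MIN_AGE} seconds")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains: subdomains stay downgradeable")

    origin = h.get("access-control-allow-origin")
    with_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if origin == "*" and with_creds:
        findings.append("CORS: wildcard origin combined with credentials")
    elif origin not in (None, "*") and origin not in allowed_origins:
        findings.append(f"CORS: unexpected origin allowed: {origin}")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "https://other.example",
    "Access-Control-Allow-Credentials": "true",
}
STRONG = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
}
```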