Domain and vulnerability knowledge base
This knowledge base helps you understand and fix vulnerabilities that could expose your organisation to cyber attacks. It’s designed for public sector teams managing DNS, subdomains, and internet-facing services.
Name server and zone issues
What are name server and zone vulnerabilities?
Domain Name System, known as DNS, plays an important role by translating human-readable domain names such as security.gov.uk into IP addresses.
DNS name server and zone vulnerabilities are weaknesses in the name servers that answer for your domain and in the zone data they serve. Every client trusts whatever those servers return, so a delegation or zone mistake can let an attacker answer on your behalf, or simply make your services unreachable. The checks in this category are:
- Name servers that do not return an A record for the target domain name
- Name servers with invalid domain names
- Glue is required but not provided: no IPv4/IPv6 glue found on some authoritative or parent name servers
- Name servers that do not accept TCP connections (resolvers fall back to TCP for answers that do not fit in a UDP packet, so a server that refuses TCP will fail for those queries)
- Only one name server detected
- Inconsistent name server records (the NS set differs between the parent delegation and the zone itself, or between the zone's own servers)
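The checks above can be expressed as a small delegation audit. The following is an added example written for this page, not a tool from the knowledge base: it takes the NS names the parent hands out, the NS names in the zone's own apex record set, the glue the parent returns and whether each server answered over TCP, and reports the findings listed above. The zone, server names and addresses are constructed for the example; a real check would obtain them by querying the parent and the zone's servers.

```python
import re
from typing import Dict, List, Set

# RFC 1123 host-name label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """NS targets must be host names, so underscores or empty labels are invalid."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(LABEL.match(label) for label in name.split("."))


def in_bailiwick(ns: str, zone: str) -> bool:
    """A name server named inside the zone it serves needs glue at the parent,
    otherwise resolving its name would require the very zone it is supposed to serve."""
    ns, zone = ns.rstrip(".").lower(), zone.rstrip(".").lower()
    return ns == zone or ns.endswith("." + zone)


def check_delegation(zone: str, parent_ns: Set[str], child_ns: Set[str],
                     parent_glue: Dict[str, List[str]], tcp_ok: Dict[str, bool]) -> List[str]:
    """Return findings for one delegation.

    parent_ns    NS names the parent zone hands out for `zone`
    child_ns     NS names in the zone's own apex NS record set
    parent_glue  NS name -> glue addresses returned by the parent
    tcp_ok       NS name -> whether the server answered a query over TCP port 53
    """
    findings: List[str] = []
    for ns in sorted(parent_ns | child_ns):
        if not valid_hostname(ns):
            findings.append(f"name server with invalid domain name: {ns}")
    if len(child_ns) < 2:
        findings.append("only one name server detected")
    if {n.lower() for n in parent_ns} != {n.lower() for n in child_ns}:
        findings.append(f"inconsistent name server records: parent={sorted(parent_ns)} "
                        f"child={sorted(child_ns)}")
    for ns in sorted(parent_ns):
        if in_bailiwick(ns, zone) and not parent_glue.get(ns):
            findings.append(f"glue required but not provided: {ns}")
    for ns in sorted(parent_ns | child_ns):
        if not tcp_ok.get(ns, False):
            findings.append(f"name server not accepting TCP connections: {ns}")
    return findings


# Constructed delegation data standing in for live answers from the parent and the zone.
ZONE = "example.gov.uk"
PARENT_NS = {"ns1.example.gov.uk", "ns2.example.gov.uk"}
CHILD_NS = {"ns1.example.gov.uk", "ns2.example.gov.uk", "ns3.dns-host.example"}
PARENT_GLUE = {"ns1.example.gov.uk": ["203.0.113.10", "2001:db8::10"]}   # ns2 has no glue
TCP_OK = {"ns1.example.gov.uk": True, "ns2.example.gov.uk": True, "ns3.dns-host.example": False}

if __name__ == "__main__":
    for finding in check_delegation(ZONE, PARENT_NS, CHILD_NS, PARENT_GLUE, TCP_OK):
        print(finding)
```

Run against the constructed data it reports three findings: the parent and child NS sets differ (ns3 was added to the zone but never registered with the parent), ns2 is in-bailiwick with no glue, and ns3 refuses TCP. The "only one name server" and "invalid domain name" checks fire on zones with a single NS or names containing characters such as underscores.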
Dangling resources
What are dangling resource vulnerabilities?
Dangling resource vulnerabilities occur when system components, such as DNS records, subdomains or storage buckets, are not properly removed when the thing they referred to is decommissioned. Attackers can claim these leftovers to impersonate your services or reach sensitive data.
The most frequent issue is a DNS record that still points at a service no longer in use. If the target name or address is free for anyone to register, an attacker can claim it and receive your traffic.
Subdomains are another high risk. If they are not properly decommissioned they can be reused to host fake websites that look legitimate, tricking users into sharing credentials or downloading malware.
Storage buckets and databases create the same problem in two ways: a bucket that has been deleted can be re-created under the same name by an attacker if your DNS still references it, and a bucket or database left behind after its application is retired can still expose files, backups or configuration data.
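The two checks that follow from this are "does every DNS target still exist?" and "is anything still pointing at the resource I am about to delete?". The code below is an added example for this page, not part of the knowledge base: it runs both checks over a constructed zone export, using a stand-in resolver (`fake_resolve`) whose answers, the hosting provider suffixes and the address inventory are all hypothetical. A real run would replace `fake_resolve` with live DNS queries and the inventory with the organisation's actual address allocations.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str, str]              # (owner name, record type, target)
Finding = Tuple[str, str, str, str, str]   # (owner, type, target, severity, reason)

# Constructed zone export for a hypothetical zone; not a real DNS zone.
RECORDS: List[Record] = [
    ("www.example.gov.uk", "CNAME", "example-gov-uk.static.hosting.example"),  # tenant deleted at provider
    ("docs.example.gov.uk", "CNAME", "docs-portal.pages.hosting.example"),       # still live
    ("old-app.example.gov.uk", "A", "203.0.113.77"),                              # address released back to the cloud
    ("api.example.gov.uk", "A", "198.51.100.8"),                                  # in current inventory
    ("legacy.example.gov.uk", "NS", "ns1.retired-provider.example"),             # delegation to a vanished server
]

# Constructed resolver answers; None stands for NXDOMAIN. A real check would query DNS.
ANSWERS: Dict[str, Optional[List[str]]] = {
    "example-gov-uk.static.hosting.example": None,
    "docs-portal.pages.hosting.example": ["192.0.2.50"],
    "ns1.retired-provider.example": None,
}


def fake_resolve(name: str) -> Optional[List[str]]:
    return ANSWERS.get(name)


# Address space the organisation currently holds, and (hypothetical) provider suffixes
# where an unused name can be claimed by anyone who signs up for an account.
OWNED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
CLAIMABLE_SUFFIXES = (".static.hosting.example", ".pages.hosting.example")


def find_dangling(records: List[Record], resolve: Callable[[str], Optional[List[str]]],
                  owned_networks=OWNED_NETWORKS, claimable=CLAIMABLE_SUFFIXES) -> List[Finding]:
    findings: List[Finding] = []
    for owner, rtype, target in records:
        if rtype in ("CNAME", "NS"):
            if resolve(target) is None:
                # A dead target on a claimable provider, or a dead delegation, is a takeover waiting to happen.
                severity = "high" if rtype == "NS" or target.endswith(claimable) else "medium"
                findings.append((owner, rtype, target, severity, "target does not resolve (NXDOMAIN)"))
        elif rtype == "A":
            address = ipaddress.ip_address(target)
            if not any(address in net for net in owned_networks):
                findings.append((owner, rtype, target, "medium",
                                 "address not in current inventory; it may have been released and reallocated"))
    return findings


def references_to(target: str, records: List[Record]) -> List[Tuple[str, str]]:
    """Run before deleting a resource: any record still pointing at it must be removed first."""
    return [(owner, rtype) for owner, rtype, tgt in records if tgt == target]


if __name__ == "__main__":
    for finding in find_dangling(RECORDS, fake_resolve):
        print(finding)
    print(references_to("docs-portal.pages.hosting.example", RECORDS))
```

The ordering matters in practice: remove or repoint the DNS record, then delete the bucket, host or delegation, never the other way round. `references_to` is the pre-deletion gate that enforces that order.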
Email configuration and security issues
What are email configuration and security vulnerabilities?
Email services depend on DNS both to work and to stay secure. If an attacker can change your DNS, for example through a compromised registrar or DNS hosting account, they can alter your mail exchanger (MX) records and redirect your email to servers they control.
Email security mechanisms such as SPF, DKIM and DMARC also live in DNS records. If these are set up incorrectly, or not at all, it is easier for attackers to spoof your domain and send fake emails that appear to come from you.
Even MTA-STS, which protects email in transit, depends on DNS: its policy is served over HTTPS, but receiving servers only discover it through a DNS TXT record, so that record must be published and correct. The checks in this category are:
- DMARC: CNAME record present along with DMARC TXT record
- DMARC: Invalid external reporting endpoint
- DMARC: Invalid policy syntax
- DMARC: Multiple policies detected
- DMARC: Policy found with incorrect host name
- SPF: DNS lookups over limit
- SPF: Include policy points to domain that does not exist
- SPF: Include policy points to a record that does not exist
- SPF: Include policy resulting in recursion
- SPF: Invalid policy syntax
- SPF: Legacy record type in use
- SPF: Multiple records detected
- SPF: Invalid included policy syntax
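Most of the SPF and DMARC checks above can be reproduced from the TXT records alone. The following is an added example for this page, not the knowledge base's own checker: `audit_spf` walks a record the way a receiving verifier does, counting the lookups that count toward the RFC 7208 limit of 10 and following `include:` and `redirect=` targets, so it can report missing targets, recursion, multiple records and syntax errors; `audit_dmarc` checks the policy syntax, the `p=` value, multiple records, and whether an external `rua=` reporting address has published the `<your-domain>._report._dmarc.<their-domain>` authorisation record that RFC 7489 requires. The `TXT` dictionary is constructed data for hypothetical domains standing in for live DNS answers.

```python
import re
from typing import Dict, List, Tuple

# Constructed TXT answers for hypothetical domains; a real check would query DNS.
TXT: Dict[str, List[str]] = {
    "example.gov.uk": ["v=spf1 include:_spf.mailprovider.example include:loop.example mx -all"],
    "_spf.mailprovider.example": ["v=spf1 ip4:198.51.100.0/24 a mx include:missing.example ~all"],
    "loop.example": ["v=spf1 include:example.gov.uk -all"],
    "over.example": ["v=spf1 a mx ptr exists:%{i}.chk.example include:_spf.mailprovider.example "
                     "include:_spf.mailprovider.example include:_spf.mailprovider.example -all"],
    "twice.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 -all"],
    "_dmarc.example.gov.uk": ["v=DMARC1; p=reject; rua=mailto:reports@dmarc-vendor.example"],
    "_dmarc.bad.example": ["v=DMARC1; p=block; rua=mailto:dmarc@bad.example", "v=DMARC1; p=none"],
}

MECHANISM = re.compile(
    r"^[+\-~?]?(all|include:[^\s/]+|a(:[^\s/]+)?(/\d{1,3})?|mx(:[^\s/]+)?(/\d{1,3})?"
    r"|ptr(:[^\s/]+)?|ip4:[\d./]+|ip6:[0-9a-fA-F:./]+|exists:\S+)$")
MODIFIER = re.compile(r"^(redirect|exp)=\S+$")
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # RFC 7208 s4.6.4; exp= is exempt
SPF_LOOKUP_LIMIT = 10


def audit_spf(domain: str, txt: Dict[str, List[str]] = TXT,
              path: Tuple[str, ...] = ()) -> Tuple[int, List[str]]:
    """Walk the SPF record at `domain` as a receiving verifier would.
    Returns (DNS lookups consumed, findings); `path` is the include chain so far."""
    if domain in path:
        return 0, [f"SPF: include policy resulting in recursion ({' -> '.join(path + (domain,))})"]
    if domain not in txt:
        return 0, [f"SPF: include policy points to domain that does not exist ({domain})"]
    records = [r for r in txt[domain] if r.lower().startswith("v=spf1")]
    if not records:
        return 0, [f"SPF: include policy points to a record that does not exist ({domain})"]
    findings: List[str] = []
    if len(records) > 1:
        findings.append(f"SPF: multiple records detected ({domain})")
    lookups = 0
    for term in records[0].split()[1:]:
        if MECHANISM.match(term):
            name = term.lstrip("+-~?").split(":")[0].split("/")[0]
            target = term.partition(":")[2].split("/")[0]
        elif MODIFIER.match(term):
            name, _, target = term.partition("=")
        else:
            kind = "invalid included policy syntax" if path else "invalid policy syntax"
            findings.append(f"SPF: {kind} ({domain}: {term!r})")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect"):
            sub_lookups, sub_findings = audit_spf(target, txt, path + (domain,))
            lookups += sub_lookups
            findings.extend(sub_findings)
    if not path and lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF: DNS lookups over limit ({lookups} > {SPF_LOOKUP_LIMIT})")
    return lookups, list(dict.fromkeys(findings))   # de-duplicate, keep order


DMARC_POLICIES = {"none", "quarantine", "reject"}


def audit_dmarc(domain: str, txt: Dict[str, List[str]] = TXT) -> List[str]:
    records = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["DMARC: no policy published"]
    findings: List[str] = []
    if len(records) > 1:
        findings.append("DMARC: multiple policies detected")
    tags: Dict[str, str] = {}
    for part in records[0].split(";"):
        if not part.strip():
            continue
        key, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not re.fullmatch(r"[a-z]+", key):
            findings.append(f"DMARC: invalid policy syntax ({part.strip()!r})")
            continue
        tags[key] = value
    if tags.get("p") not in DMARC_POLICIES:
        findings.append("DMARC: invalid policy syntax (p= missing or not none/quarantine/reject)")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.startswith("mailto:"):
            findings.append(f"DMARC: invalid external reporting endpoint ({uri}: not a mailto URI)")
            continue
        rua_domain = uri.split("@", 1)[-1].split("!")[0].lower()
        # RFC 7489 s7.1: another domain only receives your reports if it publishes
        # <your-domain>._report._dmarc.<its-domain> TXT "v=DMARC1" to say it agrees.
        authorised = any(r.lower().startswith("v=dmarc1")
                         for r in txt.get(f"{domain}._report._dmarc.{rua_domain}", []))
        if rua_domain != domain.lower() and not authorised:
            findings.append(f"DMARC: invalid external reporting endpoint ({uri}: no authorisation record)")
    return findings
```

On the constructed data `example.gov.uk` costs 7 lookups and yields two findings (an include target that does not exist and an include loop), while `over.example` reaches 16 lookups and trips the limit; receivers that hit the limit return permerror, which typically means your mail is treated as if you had published no SPF at all. The "legacy record type" and "CNAME alongside DMARC TXT" checks need the record type, which a TXT-only map cannot show.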
Certificates
What are certificate vulnerabilities?
Certificates, commonly known as SSL/TLS certificates, bind a domain name to a public key. A browser uses the certificate to confirm it is talking to the genuine server before any data is exchanged over the encrypted connection.
Without a valid SSL/TLS certificate a client cannot tell the real server from an impostor: the connection either fails or the user is asked to click through a warning, and an attacker in the network path can then intercept or alter the traffic.
An expired or broken certificate causes browsers to flag the site as ‘untrusted’ or ‘not secure’. That poses a risk to security, trust and business continuity: users are deterred from using the service, are trained to ignore warnings, and the organisation’s credibility is damaged.
Broken access control
What are broken access control vulnerabilities?
A broken access control vulnerability occurs when an application fails to properly enforce restrictions on what users, whether authenticated or not, are allowed to do.
Attackers can exploit these flaws to gain unauthorised access to sensitive data, modify information, or perform actions they should not have the permissions for.
This also includes privilege escalation, where a low-privilege user can access functionality or data reserved for administrators.
The core issue is that the application trusts the user and doesn’t adequately verify if they are authorised to perform a specific action, leading to a breach of the principle of least privilege.
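The three failure modes described above (reading another user's object, calling an administrator-only function, and escalating one's own privileges) each come down to a missing check at the point of use. The block below is an added example written for this page, not code from the knowledge base: each vulnerable handler sits beside its fixed form, using an in-memory set of hypothetical users and documents.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:
    id: int
    role: str            # "user" or "admin"
    email: str = ""


@dataclass
class Document:
    id: int
    owner_id: int
    body: str


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed data: two ordinary users who each own one document, and one administrator.
ALICE, BOB, ROOT = User(10, "user"), User(11, "user"), User(1, "admin")
DOCS = {1: Document(1, ALICE.id, "alice's draft"), 2: Document(2, BOB.id, "bob's payroll export")}


def get_document_vulnerable(user: User, doc_id: int) -> str:
    # The caller is authenticated, but the id taken from the request is trusted as-is, so
    # alice reads bob's document by changing a number (an insecure direct object reference).
    return DOCS[doc_id].body


def get_document(user: User, doc_id: int) -> str:
    doc = DOCS.get(doc_id)
    if doc is None or (doc.owner_id != user.id and user.role != "admin"):
        raise NotFound(doc_id)   # same answer for "missing" and "not yours": no existence oracle
    return doc.body


def requires_role(role: str):
    """Function-level check. Hiding the admin link in the UI is not a control; the endpoint enforces it."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if user.role != role:
                raise Forbidden(fn.__name__)
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("admin")
def delete_document(user: User, doc_id: int) -> bool:
    return DOCS.pop(doc_id, None) is not None


def update_profile_vulnerable(user: User, payload: dict) -> User:
    # Mass assignment: every key the client sends is written, including "role",
    # so a user promotes themselves to admin with one extra JSON field.
    for key, value in payload.items():
        setattr(user, key, value)
    return user


PROFILE_FIELDS = {"email"}   # the only attributes a user may change about themselves


def update_profile(user: User, payload: dict) -> User:
    for key in payload.keys() & PROFILE_FIELDS:
        setattr(user, key, payload[key])
    return user


def outcome(fn, *args) -> str:
    """Collapse a call into what the caller observes."""
    try:
        return f"ok:{fn(*args)}"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not found"


if __name__ == "__main__":
    print(outcome(get_document_vulnerable, ALICE, 2))   # alice reads bob's payroll
    print(outcome(get_document, ALICE, 2))              # not found
    print(outcome(delete_document, ALICE, 2))           # forbidden
```

Two design points are worth copying: the ownership check and the existence check return the same "not found" so an attacker cannot enumerate which ids exist, and writable fields are an allow-list rather than a deny-list, so a new sensitive attribute added later is protected by default.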
Cryptographic failure
What are cryptographic failure vulnerabilities?
Cryptographic failure vulnerabilities happen when encryption is poorly implemented, uses weak keys, or relies on outdated methods. These flaws can give attackers a way to bypass security and access sensitive data.
Older systems often still use weak encryption algorithms that can now be broken with modern computing power. If encryption keys or certificates are mishandled, an attacker who obtains them can decrypt or impersonate supposedly secure communications.
Once a key is compromised, encryption becomes useless. That’s why keys must be stored securely, rotated regularly, and protected with strong access controls like multi-factor authentication.
Keeping certificates and private keys safe is just as important as using strong encryption itself.
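Password storage is the cryptographic failure most organisations actually ship, and it illustrates every point above: a fast, unsalted hash is "weak encryption" that modern hardware breaks in bulk, and hashes stored without their parameters cannot be rotated to a stronger setting. The block below is an added example for this page, not code from the knowledge base. It shows the weak form and the table lookup that defeats it, then a hardened form using PBKDF2-HMAC-SHA256 from the standard library with a per-user salt, constant-time comparison and self-describing parameters so the work factor can be raised at each user's next login. The passwords and wordlist are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor in line with current OWASP guidance


def hash_password_weak(password: str) -> str:
    # Unsalted single pass of a fast hash: equal passwords give equal hashes, and a table
    # computed once over a wordlist recovers every matching user with one lookup each.
    return hashlib.md5(password.encode()).hexdigest()


def crack_with_table(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    table = {hash_password_weak(word): word for word in wordlist}
    return {h: table[h] for h in hashes if h in table}


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)   # per-user random salt: no precomputation can be shared across users
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(key).decode())


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt_b64, key_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)   # constant-time: no timing leak on the first wrong byte


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    # Parameters travel with the hash, so a stronger work factor (or a new algorithm) can be
    # applied at each user's next successful login instead of a big-bang migration.
    algorithm, stored_iterations, *_ = stored.split("$")
    return algorithm != "pbkdf2_sha256" or int(stored_iterations) < iterations


if __name__ == "__main__":
    weak = [hash_password_weak(p) for p in ("Winter2024!", "Winter2024!", "correct horse battery staple")]
    print(crack_with_table(weak, ["password", "Winter2024!", "letmein"]))
    stored = hash_password("Winter2024!")
    print(stored, verify_password("Winter2024!", stored), needs_rehash(stored))
```

The same discipline applies to other secrets the section mentions: a key or private key stored beside the data it protects, or reachable by everyone who can reach the application, is as good as no encryption at all.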
Injection
What are injection vulnerabilities?
Injection is a vulnerability that occurs when an application builds a query or command by concatenating untrusted input and hands the result to an interpreter. The interpreter cannot tell where the developer’s code ends and the user’s data begins, so an attacker can supply input that changes the meaning of the query or command and makes the system execute unintended actions. Sanitising input helps, but the reliable fix is to keep code and data separate, for example with parameterised queries.
This category covers a wide range of attacks, including:
- SQL Injection (SQLi), which manipulates database queries
- Cross-Site Scripting (XSS), which injects malicious scripts into web pages
- OS Command Injection, which can lead to remote code execution on the server
The impact of a successful injection attack can be severe, potentially leading to data breaches, complete system compromise, and denial of service.
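The SQL case shows the mechanism most clearly. The block below is an added example for this page, not code from the knowledge base: a lookup and a login are each written once with string concatenation and once with bound parameters, against a constructed in-memory SQLite table whose "hashes" are placeholder strings. Three classic payloads are run through both forms so the difference is visible in the results rather than described.

```python
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table; the password_hash values are placeholders, not real digests."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
                    [("alice", "h-alice", 0), ("bob", "h-bob", 0), ("root", "h-root", 1)])
    return con


def find_user_vulnerable(con: sqlite3.Connection, username: str) -> List[str]:
    # The user's text is spliced into the statement, so quotes in it become SQL grammar.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in con.execute(sql)]


def find_user(con: sqlite3.Connection, username: str) -> List[str]:
    # Parameterised: the statement is fixed and the value is bound separately,
    # so it is compared as data and can never change the query's structure.
    return [row[0] for row in con.execute("SELECT username FROM users WHERE username = ?", (username,))]


def login_vulnerable(con: sqlite3.Connection, username: str, password_hash: str) -> bool:
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password_hash = '{password_hash}'"
    return con.execute(sql).fetchone() is not None


def login(con: sqlite3.Connection, username: str, password_hash: str) -> bool:
    row = con.execute("SELECT 1 FROM users WHERE username = ? AND password_hash = ?",
                      (username, password_hash)).fetchone()
    return row is not None


# Payloads an attacker would type into the username field.
TAUTOLOGY = "' OR '1'='1"                                   # matches every row
EXFIL = "x' UNION SELECT password_hash FROM users --"       # pulls a different column out
BYPASS = "root' --"                                         # comments the password check away

if __name__ == "__main__":
    con = build_db()
    print(find_user_vulnerable(con, TAUTOLOGY), find_user(con, TAUTOLOGY))
    print(find_user_vulnerable(con, EXFIL), find_user(con, EXFIL))
    print(login_vulnerable(con, BYPASS, "anything"), login(con, BYPASS, "anything"))
```

Against the parameterised versions every payload is simply a username that does not exist. The same separation of code from data is the fix for the other members of the category: templating engines that escape by default for XSS, and passing an argument list rather than a shell string for OS commands.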
Security misconfiguration
What are security misconfiguration vulnerabilities?
Security misconfiguration vulnerabilities happen when systems or applications are set up with weak or incorrect security settings.
This often results from human error, either due to a lack of knowledge or rushing through setup without proper planning.
Common examples include leaving default usernames and passwords unchanged, enabling unnecessary features, or giving excessive access permissions.
These mistakes make it easier for attackers to find and exploit systems.
Other risks include leaving debugging tools active in live environments, which can expose sensitive information, and misconfigured cloud services that allow too much access.
Attackers often use automated tools to scan for these weaknesses and exploit them quickly.
Keeping systems properly configured and regularly reviewed helps reduce these risks and protect against attacks.
Vulnerable and outdated components
What are vulnerable and outdated components?
Vulnerable and outdated components are a security risk because modern applications are assembled from many third-party libraries, frameworks and modules, each of which can carry its own flaws into your system.
The core problem lies in the use of components with known, publicly disclosed vulnerabilities, often identified by a Common Vulnerabilities and Exposures (CVE) number.
A single outdated component containing a vulnerability can expose the entire system to attack, leading to data breaches or complete compromise. Attackers frequently use automated tools to scan for these known flaws, making this an easy and common entry point.
Organisations should actively manage their software supply chain using a Software Composition Analysis (SCA) approach: keep an inventory of every component and its version, match that inventory against published advisories, and act on the results. This proactive management is critical to ensure that all software and operating systems are continuously kept up to date and secure.
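At its core SCA is an inventory matched against advisories with version ranges. The block below is an added example for this page, not a tool from the knowledge base: it parses a pinned requirements file, compares each version against a list of advisories where the introduced version is inclusive and the fixed version exclusive, and flags unpinned lines that cannot be assessed at all. The package names and advisory identifiers are constructed placeholders, not real packages or CVEs; the version comparison handles dotted release numbers only and ignores pre-release tags.

```python
import re
from typing import Dict, List, Optional, Tuple

REQUIREMENT = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([0-9][0-9A-Za-z.]*))?")

# Constructed advisories for hypothetical packages; the identifiers are placeholders, not real CVEs.
ADVISORIES: List[Dict[str, Optional[str]]] = [
    {"id": "ADV-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "ADV-0002", "package": "otherlib", "introduced": "2.0.0", "fixed": None},   # no fixed release yet
]


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only: enough for dotted release numbers, pre-release tags are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def affected(advisory: Dict[str, Optional[str]], version: str) -> bool:
    """Introduced is inclusive, fixed is exclusive; no fixed version means everything from introduced onward."""
    current, low = version_key(version), version_key(advisory["introduced"])
    high = version_key(advisory["fixed"]) if advisory["fixed"] else None
    return low <= current and (high is None or current < high)


def audit_requirements(text: str, advisories=ADVISORIES) -> List[Dict[str, Optional[str]]]:
    findings: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = REQUIREMENT.match(line)
        if not match:
            findings.append({"line": line, "issue": "unparseable requirement"})
            continue
        name, pinned = match.group(1).lower().replace("_", "-"), match.group(3)
        if not pinned:
            # A range such as >=1.0 resolves to whatever is current at install time and cannot be assessed here.
            findings.append({"package": name, "issue": "not pinned; version cannot be assessed"})
            continue
        for advisory in advisories:
            if advisory["package"] == name and affected(advisory, pinned):
                findings.append({"package": name, "version": pinned,
                                 "advisory": advisory["id"], "fix": advisory["fixed"]})
    return findings


if __name__ == "__main__":
    sample = "examplelib==1.3.0\notherlib==2.5.1  # no fix released\nsafe-lib>=1.0\n"
    for finding in audit_requirements(sample):
        print(finding)
```

A finding with `fix` set to None is the case the section's last paragraph is about: there is nothing to upgrade to, so the component has to be isolated, replaced or removed rather than patched.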
Identification and Authentication Failures
What are identification and authentication failure vulnerabilities?
Identification and authentication vulnerabilities are weaknesses or misconfigurations in the mechanisms that verify who a user is and grant them access to resources.
Authentication is the foundation for the principle of least privilege: only once a user’s identity is reliably established can the system limit them to the data and functions relevant to them.
Weaknesses here let attackers assume a legitimate user’s identity, and every control that depends on that identity is then bypassed.
These vulnerabilities often result in users being granted more access than intended, because of underlying weaknesses in how identity and authentication are configured and implemented.
The category also covers design and implementation weaknesses, such as relying on a username and password alone rather than requiring multi-factor authentication.
Server Side Request Forgery (SSRF)
What are SSRF vulnerabilities?
SSRF is a vulnerability in which an attacker manipulates a web application into making requests that the attacker chooses but the server sends.
By tricking the server into fetching a user-specified URL, attackers use the trusted application as a bridge to scan and map an organisation’s internal network, which is normally hidden behind firewalls.
This can allow attackers to reach internal services and cloud metadata endpoints, read sensitive local files such as credentials or configuration data, and bypass network security controls, potentially leading to a complete compromise of the internal network and exposure of critical data.
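The defence is to validate the destination before the server connects, not the URL string the user typed. The block below is an added example for this page, not code from the knowledge base: it restricts scheme and port, rejects credentials in the URL, resolves the host name, checks every resulting address against a deny list of loopback, private, link-local (including the 169.254.169.254 cloud metadata address), CGNAT and reserved ranges, unwraps IPv4-mapped IPv6 literals, and returns a pinned address for the fetcher to connect to. The `FAKE_DNS` answers are constructed for the example; `fake_resolve` stands in for a real resolver.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Address space an outbound fetch must never reach, whatever the user supplied:
# loopback, RFC 1918, link-local (including 169.254.169.254 cloud metadata), CGNAT, multicast, reserved.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

Resolver = Callable[[str], Optional[List[str]]]

# Constructed answers standing in for the resolver; None means the name does not exist.
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.gov.uk": ["203.0.113.20"],
    "localhost": ["127.0.0.1"],
    "metadata.google.internal": ["169.254.169.254"],
    "evil.example": ["203.0.113.9", "10.0.0.5"],   # attacker-controlled name mixing public and internal answers
}


def fake_resolve(host: str) -> Optional[List[str]]:
    return FAKE_DNS.get(host)


def is_public(ip: str) -> bool:
    address = ipaddress.ip_address(ip)
    if isinstance(address, ipaddress.IPv6Address) and address.ipv4_mapped:
        address = address.ipv4_mapped   # ::ffff:127.0.0.1 is still loopback
    return not any(address in network for network in DENIED_NETWORKS)


def safe_target(url: str, resolve: Resolver) -> Tuple[str, str, int]:
    """Validate a user-supplied URL and return (host, pinned_ip, port) the fetcher may connect to.
    Raises ValueError for anything that must be refused."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL")   # the http://trusted.example@evil.example/ trick
    host = parts.hostname
    if not host:
        raise ValueError("no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal address: check it as given
    except ValueError:
        addresses = resolve(host)                          # name: check every address it resolves to
        if not addresses:
            raise ValueError(f"host does not resolve: {host}")
    if not all(is_public(a) for a in addresses):
        raise ValueError(f"{host} resolves to a non-public address")
    return host, addresses[0], port


def is_allowed(url: str, resolve: Resolver = fake_resolve) -> bool:
    try:
        safe_target(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for url in ("https://www.example.gov.uk/report", "http://169.254.169.254/latest/meta-data/",
                "http://localhost/", "http://[::ffff:127.0.0.1]/", "http://evil.example/"):
        print(url, is_allowed(url))
```

Two follow-on rules make the check hold up: connect to the pinned address (sending the original name in the Host header) rather than resolving again, so a DNS answer that changes between check and use cannot redirect the request, and do not follow redirects automatically, since a 302 to an internal address would otherwise sidestep the whole validation.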
Open ports
What are open port vulnerabilities?
Open port vulnerabilities happen when network services are left exposed without proper security controls. These ports act like unlocked doors, giving attackers a way into systems and sensitive data.
Common risks include database ports like MySQL, PostgreSQL, or MongoDB being accessible from the internet, often with weak or default passwords.
Remote access services like SSH, RDP, and Telnet are also targets for brute force attacks when left open to untrusted networks. Devices and systems that still use default settings, including admin usernames and passwords, are especially easy for attackers to exploit.
Attackers scan for open ports to fingerprint systems, gathering information such as software versions and potential weaknesses before choosing an attack.
Every unnecessary open port increases the chance of a successful attack, making it vital to close unused ports, monitor network activity and secure configurations from the start. The ports flagged by this category are:
- Open port 21: File Transfer Protocol (FTP)
- Open port 23: Telnet
- Open port 135: Remote Procedure Call (RPC)
- Open port 389: Lightweight Directory Access Protocol (LDAP)
- Open port 445: Server Message Block (SMB)
- Open port 512: Remote Execution (Rexec)
- Open port 631: Internet Printing Protocol (IPP)
- Open port 1433: Microsoft SQL
- Open port 1521: Oracle Database (DB)
- Open port 1900: Universal Plug and Play (UPnP)
- Open port 2049: Network File System (NFS)
- Open port 5432: PostgreSQL
- Open port 6379: Redis
- Open port 8443: HTTPS
- Open port 11211: Memcached
- Open port 27017: MongoDB
- Open port 50000: IBM Tivoli