| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 21.3 - Application Attacks
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series turns from malicious code to attacks on the applications themselves within Domain 8. It names the patterns that live in the software organizations write and buy, from buffer overflows and timing attacks to backdoors, privilege escalation, and the fresh risks that arrive when applications learn to think.
What this episode covers
- Buffer overflows — oversized input spills into neighboring memory, so validate length, type, and value.
- Timing as a weapon — a time-of-check to time-of-use race lets attackers swap a resource mid-operation.
- Race and state attacks — exploiting changes in system state between two ordered steps.
- Backdoors — undocumented entrances that bypass access checks and sit outside your controls.
- Privilege escalation — rootkits exploit known OS flaws to turn a small foothold into full control.
- Steady patching — consistent, current patching shuts the door on the flaws rootkits rely on.
- AI and machine learning risks — model hijacking, data poisoning, inversion, and supply-chain attacks, defended by validation and monitoring.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is a buffer overflow, and why does it keep happening?
A buffer overflow happens when a program accepts input larger than the space set aside to hold it, so the extra data spills past its reserved memory and corrupts whatever sits next door. In the worst case it overwrites executable instructions, letting an attacker run commands of their choosing. The root cause is missing input validation, so you must check input for length, correct type, and sensible values before it is ever used.
How does timing become a weapon in a race condition?
The classic pattern is a time of check to time of use attack. The program first verifies that a resource is fine to use, the time of check, then a moment later actually uses it, the time of use. If an attacker swaps the resource in that sliver of time between the two, the program acts on something it never approved. Because the attacker races the legitimate process, these are also called race conditions and, more broadly, state attacks.
What makes backdoors so dangerous?
A backdoor is an undocumented way into a system that skips the normal access checks. Developers sometimes add them during building and debugging and forget to remove them, or leave them deliberately, and malicious code plants its own for easy return access. The danger is precisely that nobody documented it, so it sits outside your controls, unseen and unmonitored, letting anyone who knows the secret walk straight in.
How do attackers climb from user to administrator?
Once they gain any foothold, attackers usually want more power, and that leap is called a privilege escalation attack. A common tool is the rootkit, freely available online and built to exploit known operating system flaws. The attacker often starts with an ordinary user account grabbed through a stolen password or social engineering, then runs a rootkit to reach root or administrator level. Keeping current with security patches blocks most of these.
What new risks arrive when applications rely on AI?
As software leans on artificial intelligence, whole new attack classes appear, catalogued in the machine learning security top ten. Attackers can hijack a model, feed it subtly altered adversarial input, poison the training data, invert a model to extract sensitive data, steal it by querying it enough to rebuild a copy, or strike the AI supply chain. Defenses are familiar in spirit: strict input validation, adversarial training, anomaly detection, watching for model drift, and fencing in what the model can learn.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 21.3 - Application Attacks.