5.1 Application and Data Vulnerabilities and Attacks

Unit 5 — Securing Applications and Data | Topic 5.1

Application and Data Vulnerabilities and Attacks

SQL injection, cross-site scripting, buffer overflow, directory traversal, and AP risk assessment framework.

Lesson 1 of 6 ~45 min LO 5.1.A – 5.1.C Skills: Analyze Risk
★ AP Exam Focus — Topic 5.1

• Identify all four application attack types by mechanism: SQL injection (unvalidated input + SQL commands), XSS Type I/II (reflected vs. stored), buffer overflow (input exceeds fixed buffer), directory traversal (../ path manipulation)

• Distinguish Type I (Reflected) XSS from Type II (Stored) XSS by who is affected and how the script is delivered

• Apply the High/Moderate/Low risk framework using data sensitivity (regulated vs. sensitive vs. less sensitive) and exploit likelihood

• Identify which CIA property each attack compromises: SQL injection targets confidentiality and integrity; buffer overflow targets availability; XSS targets confidentiality; directory traversal targets confidentiality

• Spot the flaw in code: unvalidated input concatenated into SQL strings, unsanitized file path parameters, no buffer size enforcement

College Board Essential Knowledge Coverage

Topic 5.1 — What Is Testable

CED Ref Essential Knowledge Covered In
5.1.A.1 An adversary can read any unencrypted file if they have device or drive access Section 1 — File Vulnerabilities
5.1.A.2 If regular users have admin privileges and their account is compromised, the adversary gains elevated system access Section 1 — Privilege Vulnerabilities
5.1.A.3 Weakly configured access controls let adversaries read, modify, or destroy files or disrupt applications Section 1 — Access Control Weaknesses
5.1.B.1 Applications are executable programs; web apps run on servers and are accessed via network Section 2 — Application Fundamentals
5.1.B.2 Data validation verifies user input meets expected criteria; apps failing validation are vulnerable to injection attacks Section 2 — Data Validation
5.1.B.3–4 SQL injection places SQL commands in input fields; can breach confidentiality (extra data returned) or integrity (data modified/deleted) Section 2 — SQL Injection
5.1.B.5–6 XSS injects malicious JavaScript into pages; Type I = reflected (link-delivered, one user); Type II = stored (persists on server, all visitors) Section 2 — XSS
5.1.B.7–8 Buffer overflow feeds more data into a fixed buffer than it can hold; may crash system or execute code outside security policy Section 2 — Buffer Overflow
5.1.B.9–10 Directory traversal modifies URLs with ../ sequences to access server files outside the intended directory Section 2 — Directory Traversal
5.1.C.1 Data security risks involve CIA: confidentiality (unauthorized access), integrity (manipulation), availability (destruction/encryption) Section 3 — Risk Assessment
5.1.C.2 High risk: highly sensitive/regulated data + likely exploit Section 3 — Risk Levels
5.1.C.3 Moderate risk: sensitive data + insufficient encryption or access controls Section 3 — Risk Levels
5.1.C.4 Low risk: less sensitive data + short keys or insufficient access controls Section 3 — Risk Levels
♡ Bellringer — 3 Questions, 5 Minutes

Answer independently. No notes.

  1. A web developer builds a login form where the username is directly inserted into a SQL query string without any validation. A user enters admin' -- as their username. Predict what the SQL query becomes and what security problem this creates.
  2. A school forum lets students post comments. One student posts: . The comment is stored in the database. Who is affected when this page loads?
  3. A web server stores product images in /var/www/images/. The image handler appends the user-supplied filename parameter directly to that path. An adversary requests the file ../../../etc/passwd. What file does the server attempt to open, and what attack type is this?

Q1: The query becomes SELECT * FROM users WHERE user='admin' --AND pass='...'. The double-dash comments out the password check, granting access without a valid password. This is SQL injection via comment-bypass.

Q2: Every student who loads the comment page is affected. This is Stored (Type II) XSS. The script is saved to the database and executes in every visitor's browser, sending their cookies to the attacker's server.

Q3: The server opens /var/www/images/../../../etc/passwd which resolves to /etc/passwd — the system user list. This is a directory traversal attack exploiting unsanitized path concatenation.

1 5.1.1 — Learning Objectives

  • Identify the three core file/system vulnerabilities adversaries exploit before specific application attacks are needed (5.1.A)
  • Explain how SQL injection, XSS (Type I and II), buffer overflow, and directory traversal each exploit application vulnerabilities, including the specific flaw each requires (5.1.B)
  • Assess risks from application and data vulnerabilities using the High/Moderate/Low framework, identifying which CIA property is compromised in each case (5.1.C)
Key Terms
Data validation
Verifying that user input meets expected criteria (type, length, format) before the application processes it.
SQL injection
Attack that inserts SQL commands into an unvalidated input field to alter or expose database contents.
Cross-site scripting (XSS)
Attack injecting malicious JavaScript into a website that victims' browsers execute.
Type I (Reflected) XSS
Script delivered in a malicious link; executes only for the user who clicks it.
Type II (Stored) XSS
Script stored on the server and served to every visitor of the infected page.
Buffer overflow
Attack that supplies more data than a fixed memory buffer can hold, overwriting adjacent memory to crash the system or execute arbitrary code.
Directory traversal
Attack using ../ sequences in URL parameters to navigate outside the intended server directory.
Keyspace
The total set of possible encryption keys for an algorithm; relevant to risk classification when evaluating encryption strength.

2 5.1.2 — File and System Vulnerabilities (5.1.A)

Before a specific attack technique even enters the picture, three foundational weaknesses make systems easy targets. The AP exam tests these under 5.1.A as the preconditions for successful exploitation.

Core File and System Vulnerabilities
  • Unencrypted files (5.1.A.1): Any adversary who gains physical access to the device or drive can read every file immediately — no decryption step needed. Encryption converts data to ciphertext so theft alone is not sufficient to expose information.
  • Over-privileged accounts (5.1.A.2): Computers have standard users and administrative users. If a standard user is granted admin rights and their account is compromised, the adversary inherits full system control — access to all files, the ability to disable security software, and control over system settings.
  • Weak access controls (5.1.A.3): Over-permissive permission settings (e.g., rwxrwxrwx on a sensitive file) let adversaries read, edit, or delete files they were never authorized to access. Least privilege is the antidote: every entity receives exactly the access their function requires.
AP Exam Connection

5.1.A vulnerabilities appear in the free-response question as configuration findings. When a source shows an unencrypted drive or a user with unnecessary admin rights, those are the vulnerabilities the question is asking you to identify. Always connect them to which CIA property is at risk: unencrypted = confidentiality; over-privileged = confidentiality + integrity + availability depending on what the adversary does.

3 5.1.3 — Four Application Attack Types (5.1.B)

How Applications Become Attack Surfaces

Applications are executable programs that process user input. Web applications run on servers and are accessed through browsers via HTTP. The shared vulnerability across all four attack types is the same: insufficient validation or sanitization of user-supplied input. Developers who trust user input give adversaries the ability to change the behavior of the application itself.

SQL Injection (5.1.B.3–4)

Databases use SQL to retrieve and modify records. Web applications often build SQL queries by concatenating user input directly into the query string. Without validation, an adversary can inject SQL commands that alter the query logic.

SQL Injection Mechanisms

Authentication bypass: The query SELECT * FROM users WHERE user='[input]' AND pass='[input]' can be attacked with admin' -- as username. The -- comments out the password check: WHERE user='admin' --AND pass=''. The adversary authenticates as admin with no valid password.

Data extraction: Input like ' OR '1'='1 makes the WHERE condition always true, returning every row in the table — exposing all user records.

Data destruction: A semicolon terminates the first statement; ; DROP TABLE users; -- executes a second destructive statement.

CIA Impact: SQL injection breaches confidentiality (extra data returned) and integrity (data modified or deleted). If data is destroyed, availability is also compromised.

Cross-Site Scripting — XSS (5.1.B.5–6)

Websites use JavaScript to create dynamic content. Because JavaScript runs in the user's browser, it can access sensitive data stored there — session tokens, usernames, cryptographic keys, cookies.

Type How It's Delivered Who Is Affected Persistence
Type I — Reflected Malicious script embedded in a link; executes when victim clicks Only the user who clicks the link Not stored; one-time execution
Type II — Stored Script inserted into a comment field, forum post, or visitor log and saved to the database Every user who loads the infected page Persists until removed from the server

CIA Impact: XSS targets confidentiality (stealing session tokens, credentials, or sensitive data the browser holds).

Buffer Overflow (5.1.B.7–8)

When an application receives user input, it writes that data to a buffer — a fixed-size region of memory. If the input exceeds the buffer's allocated size, the excess data spills into adjacent memory locations and overwrites them.

An attacker crafts the overflow payload intentionally: the overwritten memory contains a return address or function pointer that the attacker redirects to execute arbitrary code. This bypasses the program's security policy and allows the adversary to run any instruction on the machine.

Buffer Overflow Pattern

A password field accepts input with no server-side length limit and writes it to a 64-byte buffer. An adversary sends 512 bytes. The 448 excess bytes overwrite adjacent memory, including the stack return address. The adversary redirects execution to shellcode embedded in their payload. The application now executes the adversary's code with the application's privileges.

CIA Impact: Buffer overflow can compromise availability (system crash), integrity (memory modification), and confidentiality (code execution with access to protected data).

Directory Traversal (5.1.B.9–10)

Web server files live in directories. When a user requests a file through an application, the server builds a file path using the user-supplied parameter. Without sanitization, an adversary can use ../ sequences to navigate up the directory tree and access files completely outside the intended directory.

Directory Traversal — CED Illustrative Example

A web server stores images at /var/www/images/. The request handler: path = "/var/www/images/" + request.params["file"].

Normal request: GET /img?file=photo.jpg → opens /var/www/images/photo.jpg

Attack request: GET /img?file=../../../etc/passwd → each ../ moves one level up; three traversals from /var/www/images/ reach the root; the server opens /etc/passwd, returning all authorized usernames.

CIA Impact: Directory traversal targets confidentiality (accessing sensitive files the adversary was never authorized to read).

4 5.1.4 — Risk Assessment Framework (5.1.C)

Risk is a function of two factors: how sensitive the data is and how likely it is to be exploited. The CIA triad frames which property is at risk in each scenario.

CIA Triad and Application Vulnerabilities
  • Confidentiality: Unauthorized persons can access sensitive data (SQL injection returning extra rows; directory traversal exposing system files; XSS stealing tokens).
  • Integrity: Data can be manipulated or altered from its intended state (SQL injection running UPDATE or DELETE).
  • Availability: Data can be destroyed or encrypted to prevent others from accessing it (ransomware; destructive SQL injection).
Risk Level Data Sensitivity Exploit Likelihood CED Example
High Legally regulated or highly sensitive (PHI, PII, classified) Highly likely (no encryption, no controls) Defense contractor stores jet engine specs on an unencrypted drive
Moderate Sensitive but not strongly protected Possible (weak encryption or loose controls) Company stores customer PII encrypted with a short key
Low Less sensitive information Possible (some weak controls) CEO stores private memos on an unencrypted, uncontrolled company share drive
AP Exam Risk Assessment Checklist

When you see a risk question: (1) Identify the data type — is it regulated by law (PHI/PII/PCI = higher baseline)? (2) What protection exists — encryption? Access controls? (3) How likely is a breach given the current controls? (4) Which CIA property is at risk? Combine sensitivity + likelihood to determine High/Moderate/Low.

Check for Understanding — Topic 5.1

1. A developer writes the following login query: SELECT * FROM accounts WHERE user='[input]' AND pass='[input]'. An adversary enters admin' -- as the username. What does the -- accomplish in this attack?

2. A code review reveals: $img = "/var/www/img/" . $_GET["file"]; echo file_get_contents($img);. Which attack type does this enable, and what specific flaw makes it possible?

3. An attacker posts the following in a product review field of an e-commerce site: . The site stores reviews in its database without sanitization and displays them on the product page. What type of attack is this, and why is it MORE dangerous than the reflected version of the same attack?

4. Which of the following scenarios presents a HIGH risk according to the 5.1.C framework?

5. A penetration tester reviews server logs and finds: GET /profile?id=1 UNION SELECT username,password,NULL FROM admin_users --. Which attack type is this, and which CIA property is the primary target?

6. Which of the following inputs, if entered in a web form, is MOST indicative of an attempted buffer overflow attack?

7. An adversary compromises the account of a standard employee who was given local admin rights on their workstation "for convenience." The adversary reads every file on the machine and installs a keylogger. Which 5.1.A vulnerability enabled this outcome?

8. Consider the following three vulnerability scenarios:
Scenario I: A hospital stores patient diagnoses in a database with no input validation; a web form queries it directly using user input.
Scenario II: An online forum displays user comments without sanitization in the browser.
Scenario III: A file download endpoint passes the user-supplied filename directly to a file system path without validation.
Which attack type is MOST relevant to each scenario, in order?

9. A security analyst finds that two different users posting identical comments on a website produce different ciphertext entries in the database, but multiple users whose browsers later load those comments all have their session cookies sent to the same external server. Which of the following BEST explains this?

10. A software company stores its source code on a server. The code is not encrypted, but access is restricted to members of the "Dev" group using RBAC, and the server has no external network access. A disgruntled developer in the Dev group copies the entire codebase to a personal USB drive. How should this risk BEST be classified?

Score:

⚠ Common AP Exam Mistakes — Topic 5.1

Common Mistake Why It's Wrong Correct Thinking
Confusing XSS with SQL injection Both involve injecting input, but they target different systems. SQL injection targets the database; XSS targets the visitor's browser. SQL injection uses SQL syntax; XSS uses HTML/JavaScript. XSS = browser execution. SQL injection = database manipulation. Channel and target are different.
Treating all XSS as the same Type I (Reflected) only affects the user who clicks a malicious link. Type II (Stored) is saved to the server and affects every visitor. The exam tests this distinction directly. Stored XSS = server-side persistence = wider blast radius. Always identify whether the script is stored or reflected.
Classifying buffer overflow as a CIA availability attack only Buffer overflow can achieve code execution (confidentiality + integrity), crash the system (availability), or all three, depending on attacker intent. It is not exclusively an availability attack. Buffer overflow enables code execution outside the program's security policy. Classify CIA impact based on what the attacker actually does with that execution.
Missing that directory traversal requires no authentication bypass Directory traversal does not need to break authentication. It exploits the file system path directly through an unsanitized URL parameter. The adversary never logs in. ../../../etc/passwd in a URL parameter navigates the server's file system. No login bypass needed — just an unsanitized path concatenation.
Misapplying risk levels Students assign "High" to any vulnerability with no controls, regardless of data sensitivity. Risk is sensitivity x likelihood. Low-sensitivity data with no controls is still Low risk, not High. Match sensitivity to the data type first (regulated = higher baseline), then assess likelihood from the existing controls. Both factors must be considered.

8 5.1.7 — Key Terms & FAQ

Frequently Asked Questions

Q: What is the difference between data validation and input sanitization?
A: Validation checks whether input meets expected criteria (e.g., is it a number when a number is required?). Sanitization removes or escapes potentially dangerous characters from input (e.g., removing single quotes from a database input). Both are defenses against injection attacks; validation is a check, sanitization is a transformation.

Q: Can a single attack be both a buffer overflow AND a SQL injection?
A: In the AP Cybersecurity framework, these are separate attack categories. A real-world attack might chain multiple techniques, but the AP exam tests them as distinct mechanisms. Focus on which mechanism is the root cause of the vulnerability.

Q: Why is Stored XSS considered more dangerous than Reflected XSS?
A: Reflected XSS requires the victim to click a specific malicious link — they can potentially avoid it. Stored XSS requires no action beyond visiting the affected page. A single stored script can execute against thousands of users automatically.

Q: For risk assessment, does "High" always mean the data is regulated?
A: No, but regulated data (PHI/PII/PCI) is a strong indicator of high sensitivity, which pushes risk toward High when controls are weak. Non-regulated but highly sensitive data (military specifications, classified information) can also be High risk. The key is sensitivity + likelihood together.

📋 Exit Ticket — Topic 5.1 | 5 Questions | Ready for Canvas / Google Classroom

Students submit before leaving.

  1. Name all four application attack types covered in 5.1.B. For each, write one sentence describing the specific application flaw it requires to succeed. (AP Skill: Identify Vulnerabilities)
  2. A developer writes: query = "SELECT * FROM products WHERE name='" + search + "'". Identify the vulnerability, describe one attack string an adversary could use, and explain which CIA properties are at risk. (AP Skill: Analyze Risk)
  3. Explain why a Stored XSS attack is harder to defend against at the individual user level than a Reflected XSS attack. Connect your answer to EK 5.1.B.6. (AP Skill: Identify Controls)
  4. A manufacturing company stores production blueprints in an unencrypted folder on a shared network drive. All 200 employees have full read/write access. Using the 5.1.C framework, classify the risk and justify your answer with specific criteria. (AP Skill: Assess Risk)
  5. A server log shows: GET /files?name=../../config/database.yml HTTP/1.1 200. What attack succeeded? What did the attacker access? What server-side flaw enabled it? (AP Skill: Detect Attacks)

Q1: SQL injection (requires unsanitized input in SQL query). XSS (requires unsanitized user input rendered as HTML/JS). Buffer overflow (requires no server-side input length enforcement). Directory traversal (requires unsanitized file path parameter).

Q2: SQL injection vulnerability. Attack string: ' OR '1'='1'; -- returns all products. Confidentiality at risk (all records exposed); integrity at risk if UPDATE/DELETE is appended.

Q3: Reflected XSS requires the victim to click a specific malicious URL — they can avoid clicking suspicious links. Stored XSS persists on the server (EK 5.1.B.6) and executes automatically for every visitor who loads the page — the user has no opportunity to avoid it because no click is required.

Q4: High risk. Blueprints are sensitive intellectual property (high sensitivity). Unencrypted storage + full read/write access for all 200 employees = maximum likelihood of exposure. High sensitivity + high likelihood = High risk per 5.1.C.2.

Q5: Directory traversal. The attacker accessed config/database.yml (likely containing database credentials). The flaw: the name parameter was appended to a file path without sanitization, allowing ../ traversals to escape the intended directory. HTTP 200 confirms the attack succeeded.

Struggling with AP Cybersecurity application attacks?

Tanner Crow is an AP CS teacher with 11+ years of experience and a 5.0 Wyzant rating. Book a session and nail the exam.

Book a Session →

Tanner Crow

AP Computer Science Teacher — Blue Valley North High School, Overland Park KS

11+ years teaching AP CS courses. Built every lesson on this site from the College Board CED. Rated 5.0 on Wyzant with 2,067+ tutoring hours.

11+ Years Teaching AP CS 2,067+ Tutoring Hours 499+ Five-Star Reviews

Continue Learning

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]