Security Glossary
Every security term you need to know — clear definitions with real-world context.
A
Access Control
Security mechanisms that regulate who or what can view, use, or modify resources in a system.
Account Takeover
An attack where a malicious actor gains unauthorized access to a legitimate user's account.
AES (Advanced Encryption Standard)
A symmetric encryption algorithm widely used to protect sensitive data at rest and in transit.
Allowlist
A security mechanism that permits only explicitly approved entities while blocking everything else.
API Key
A unique identifier used to authenticate requests to an API and track usage.
API Security
The practice of protecting application programming interfaces from threats and vulnerabilities.
APT (Advanced Persistent Threat)
A prolonged, targeted cyberattack where an intruder gains and maintains unauthorized access to a network.
Attack Surface
The sum of all points where an unauthorized user can attempt to enter a system or extract data from it: exposed services and ports, APIs, input fields, third-party dependencies, and user accounts. Shrinking it (removing unused features and endpoints, closing ports) is one of the cheapest hardening measures available.
Attack Vector
A specific method or pathway an attacker uses to gain unauthorized access to a system.
Audit Trail
A chronological record of system activities that provides evidence of who did what and when.
Authentication
The process of verifying the identity of a user, device, or system before granting access.
Authorization
The process of determining what actions or resources an authenticated user is permitted to access.
B
Backdoor
A hidden method of bypassing normal authentication to gain unauthorized access to a system.
bcrypt
A password hashing function that combines a random per-password salt with a configurable work factor, so each guess is deliberately slow and brute-force or dictionary attacks against stolen hashes become far more expensive. It does not make them impossible: weak passwords are still recoverable, and the work factor should be raised over time as hardware gets faster.
Bearer Token
An access token that grants the holder (bearer) access to protected resources without additional proof of identity.
Blocklist
A security mechanism that denies access to explicitly prohibited entities while allowing everything else.
Bot
An automated program that performs tasks over the internet, which can be used for both legitimate and malicious purposes.
Brute Force
An attack method that systematically tries all possible combinations to guess passwords, keys, or other secrets.
Buffer Overflow
A vulnerability that occurs when a program writes data beyond the boundaries of allocated memory, corrupting adjacent data or control structures such as return addresses, which can crash the program or allow arbitrary code execution.
Bug Bounty
A program where organizations pay security researchers for responsibly disclosing vulnerabilities in their systems.
Business Logic
The rules and workflows that govern how an application processes data and handles transactions.
Bypass
A technique that circumvents or evades a security control to gain unauthorized access or perform restricted actions.
C
Cache Poisoning
An attack that manipulates a caching mechanism to serve malicious content to users.
CAPTCHA
A challenge-response test used to determine whether the user is human and prevent automated abuse.
Certificate Pinning
A security technique that associates a host with its expected cryptographic certificate to prevent impersonation.
CIA Triad
The three core principles of information security: confidentiality, integrity, and availability.
Cipher
An algorithm used to encrypt and decrypt data, transforming readable text into an unreadable format and back.
Clickjacking
An attack that tricks users into clicking on elements of a target page that has been loaded in a transparent frame on top of a visible decoy page, so the click lands on a button or link the user never saw.
Cloud Security
The set of policies, controls, and technologies used to protect data, applications, and infrastructure in cloud environments.
Command Injection
A vulnerability that allows an attacker to execute arbitrary operating system commands on the host server.
Content Security Policy
An HTTP header that controls which resources a browser is allowed to load for a given page, mitigating XSS and data injection.
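Added example, not code from the glossary or its site: a small Content-Security-Policy parser and linter in Python that flags the settings that undo a policy's XSS protection. Directive fallback and the "nonce or hash disables 'unsafe-inline'" rule follow the CSP specification; the two sample policies are constructed for illustration.

```python
"""Parse a CSP header and report weaknesses. Sample policies are constructed."""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive src' into a dict of source lists."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def lint_csp(header: str) -> List[str]:
    """Return a list of findings; an empty list means nothing weak was detected."""
    policy = parse_csp(header)
    findings: List[str] = []

    # script-src falls back to default-src when absent; if neither exists, scripts are unrestricted.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    else:
        lowered = [s.lower() for s in script]
        nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)
        # Per CSP level 2, a nonce or hash source makes 'unsafe-inline' ignored.
        if "'unsafe-inline'" in lowered and not nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': injected inline scripts execute")
        if "'unsafe-eval'" in lowered:
            findings.append("script-src allows 'unsafe-eval': eval()-based payloads execute")
        if "*" in lowered or any(s in ("http:", "https:") for s in lowered):
            findings.append("script-src allows a wildcard host or scheme")

    # Plugin content can run script, so object-src must be 'none' (directly or via default-src).
    objects = policy.get("object-src", policy.get("default-src"))
    if objects is None or [s.lower() for s in objects] != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be used to run script")
    # Without base-uri, an injected <base href> redirects every relative script URL.
    if "base-uri" not in policy:
        findings.append("missing base-uri: injected <base> can hijack relative script URLs")
    return findings


# Constructed sample policies.
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
STRONG_CSP = ("default-src 'none'; script-src 'self' 'nonce-r4nd0m'; "
              "object-src 'none'; base-uri 'none'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strong", STRONG_CSP)):
        print(label, lint_csp(csp) or "OK")
```

A real nonce must be freshly generated per response and unguessable; the literal in STRONG_CSP only stands in for that value.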
Cookie
A small piece of data stored in the browser by a website, commonly used for session management and user tracking.
CORS (Cross-Origin Resource Sharing)
A browser mechanism that lets a server relax the same-origin policy by declaring, through Access-Control-Allow-Origin and related response headers, which other origins may read its responses. It governs who can read a cross-origin response, not who can send the request, so it is not a defense against CSRF.
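Added example, not the glossary's own code: a server-side CORS decision in Python. The allowlist ALLOWED_ORIGINS and the request origins are constructed; the function returns the response headers to add, or an empty dict to grant nothing. It avoids the three common mistakes: reflecting any Origin back while allowing credentials, matching by suffix, and trusting the literal "null" origin.

```python
"""Server-side CORS origin check. Allowlist and inputs are constructed for illustration."""
from typing import Dict, Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # assumed


def cors_headers(origin: Optional[str], allow_credentials: bool = True) -> Dict[str, str]:
    """Return the CORS response headers for this request, or {} to grant nothing."""
    # "null" is sent by sandboxed iframes, file:// pages and some redirects; never trust it.
    if not origin or origin == "null":
        return {}
    parts = urlsplit(origin)
    # A genuine Origin header is scheme://host[:port] with no path, query or fragment.
    if parts.scheme not in ("https", "http") or parts.path or parts.query or parts.fragment:
        return {}
    # Exact match against the allowlist. A substring or endswith() test would accept
    # "https://evil-example.com" or "https://app.example.com.evil.net".
    if origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        # Caches must not hand one origin's answer to another origin.
        "Vary": "Origin",
    }
    if allow_credentials:
        # Only safe because the origin is on an explicit allowlist; with "*" or a
        # reflected origin this header would let any site read authenticated responses.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://evil-example.com",
              "https://app.example.com.evil.net", "null", None):
        print(o, "->", cors_headers(o))
```

Preflight (OPTIONS) responses use the same decision and add Access-Control-Allow-Methods and Access-Control-Allow-Headers for the allowed origin only.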
Credential Stuffing
An attack that uses stolen username-password pairs from data breaches to gain unauthorized access to other accounts.
Cross-Site Request Forgery (CSRF)
An attack that tricks a user's browser into making unintended requests to a site where the user is authenticated.
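Added example, not the glossary's own code: the synchronizer-token defense against CSRF combined with an Origin/Referer check, in Python. The request and session are plain dicts constructed for illustration, and SITE_ORIGIN is an assumed deployment origin; in a framework the same checks run in middleware before any state-changing handler.

```python
"""CSRF defense: per-session token plus Origin check. Inputs are constructed."""
import hmac
import secrets
from typing import Dict, Optional

SITE_ORIGIN = "https://app.example.com"  # assumed deployment origin


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create (once per session) an unguessable token kept server-side and embedded in
    forms. A cross-site attacker can make the browser send a request but cannot read
    the page to learn this value."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_matches(header_value: Optional[str]) -> bool:
    # Origin is "scheme://host[:port]"; Referer is a full URL on that origin.
    return header_value is not None and (
        header_value == SITE_ORIGIN or header_value.startswith(SITE_ORIGIN + "/"))


def is_csrf_safe(request: Dict[str, Optional[str]], session: Dict[str, str]) -> bool:
    """Decide whether a request may proceed. Safe methods must never change state,
    which is why they are exempt."""
    method = (request.get("method") or "GET").upper()
    if method in ("GET", "HEAD", "OPTIONS"):
        return True
    # Defense 1: the browser-set Origin (or Referer) header must name our site.
    # Missing headers are rejected here; a deployment that must tolerate privacy
    # proxies stripping them can fall back to the token check alone.
    if not _origin_matches(request.get("origin") or request.get("referer")):
        return False
    # Defense 2: the submitted token must equal the session token, compared in constant time.
    submitted = request.get("csrf_token") or ""
    expected = session.get("csrf_token") or ""
    return bool(expected) and hmac.compare_digest(submitted.encode(), expected.encode())


if __name__ == "__main__":
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    legit = {"method": "POST", "origin": SITE_ORIGIN, "csrf_token": token}
    forged = {"method": "POST", "origin": "https://evil.example", "csrf_token": ""}
    print("legit:", is_csrf_safe(legit, session), "forged:", is_csrf_safe(forged, session))
```

Setting the session cookie with SameSite=Lax or Strict adds a third, independent layer.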
Cross-Site Scripting (XSS)
A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
Cryptography
The science of securing information by transforming it into an unreadable format using mathematical algorithms.
CSP
An abbreviation for Content Security Policy, an HTTP header that restricts which resources a browser can load.
CVE (Common Vulnerabilities and Exposures)
A standardized identifier assigned to publicly known cybersecurity vulnerabilities.
CVSS (Common Vulnerability Scoring System)
A standardized framework for rating the severity of security vulnerabilities on a scale from 0.0 to 10.0.
CWE (Common Weakness Enumeration)
A standardized catalog of software and hardware weakness types that can lead to security vulnerabilities.
D
Data Breach
An incident where sensitive, protected, or confidential data is accessed or disclosed without authorization.
DDoS (Distributed Denial of Service)
An attack that overwhelms a target system with traffic from multiple sources, making it unavailable to legitimate users.
Decryption
The process of converting encrypted data back into its original readable form using a key.
Defense in Depth
A security strategy that layers multiple defensive mechanisms so that if one fails, others continue to provide protection.
Denial of Service (DoS)
An attack that disrupts a system's availability by overwhelming it with requests or exploiting a flaw that causes a crash.
Deserialization
The process of converting serialized data (JSON, XML, or language-native formats such as Java serialization and Python pickle) back into objects. Insecure deserialization occurs when untrusted input is fed to a format that can instantiate arbitrary classes or run code during reconstruction, which frequently leads to remote code execution.
Directory Traversal
A vulnerability that allows attackers to access files outside the intended directory by manipulating file path inputs.
DNS Spoofing
An attack that corrupts DNS resolution to redirect users from legitimate websites to malicious ones.
E
Encryption
The process of converting readable data into an unreadable format to protect it from unauthorized access.
Endpoint Security
The practice of securing the individual devices (workstations, laptops, servers, mobile devices) that connect to a network, typically with host-based controls such as anti-malware, endpoint detection and response (EDR), disk encryption, and patching. Not to be confused with securing API endpoints.
Enumeration
The process of systematically extracting information about a target system, such as usernames, services, or network shares.
Escalation
The process of gaining higher-level privileges or broader access than originally authorized within a system.
Exfiltration
The unauthorized transfer of data from a system to an external destination controlled by an attacker.
EXIF Data
Metadata embedded in image files that can reveal sensitive information such as GPS coordinates, device details, and timestamps.
Exploit
A piece of code, technique, or sequence of actions that takes advantage of a vulnerability to achieve an unintended outcome.
Exposure
A condition where sensitive data, functionality, or system details are accessible to unauthorized parties.
F
Fingerprinting
The process of identifying the specific technologies, versions, and configurations used by a target system.
Firewall
A network security device or software that monitors and controls incoming and outgoing traffic based on predefined rules.
Forced Browsing
An attack technique where an attacker directly requests URLs or resources that the application never links to but that still exist on the server, such as admin pages, backup files, or old versions of scripts.
Framework
A pre-built software structure that provides foundational components for developing applications, with its own security characteristics.
Full Disclosure
The practice of publicly releasing complete details about a security vulnerability, including exploitation methods.
Fuzzing
An automated testing technique that sends unexpected, random, or malformed data to an application to discover bugs and vulnerabilities.
G
GDPR
The European Union's General Data Protection Regulation, establishing strict rules for how organizations collect, process, and store personal data.
GraphQL Security
The practice of securing GraphQL APIs against vulnerabilities unique to their query-based architecture.
gRPC Security
The practice of securing gRPC services against vulnerabilities related to their binary protocol and service-oriented architecture.
H
Hashing
A one-way mathematical function that converts input data into a fixed-length string, used for password storage and data integrity verification.
HMAC
Hash-based Message Authentication Code, a mechanism that verifies both the integrity and authenticity of a message using a secret key.
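Added example, not the glossary's own code: HMAC-SHA256 message authentication in Python, beside an unkeyed hash to show why the key matters. The key and the messages are constructed for illustration; a real key comes from a secrets manager, not from source code.

```python
"""HMAC tag creation and constant-time verification. Key and messages are constructed."""
import hashlib
import hmac

KEY = b"constructed-demo-key-do-not-reuse"  # assumed; never hard-code a real key


def sign(message: bytes, key: bytes = KEY) -> str:
    """HMAC-SHA256 tag (hex). Only a holder of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message: bytes, tag: str, key: bytes = KEY) -> bool:
    """Recompute and compare in constant time, so the running time of the comparison
    does not reveal how many leading bytes of a guessed tag were correct."""
    return hmac.compare_digest(sign(message, key).encode("ascii"), tag.encode("utf-8"))


def unkeyed_digest(message: bytes) -> str:
    """A plain hash detects accidental corruption but not tampering: an attacker who
    changes the message simply recomputes the digest, because nothing in it is secret."""
    return hashlib.sha256(message).hexdigest()


def verify_unkeyed(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(message).encode("ascii"), digest.encode("utf-8"))


def tamper_demo() -> dict:
    """Constructed scenario: a signed transfer instruction is altered in transit."""
    original = b'{"from": "alice", "to": "bob", "amount": 10}'
    tampered = b'{"from": "alice", "to": "mallory", "amount": 10000}'
    tag = sign(original)
    return {
        "hmac_accepts_original": verify(original, tag),
        "hmac_accepts_tampered": verify(tampered, tag),
        # The attacker replaces the digest along with the message: the unkeyed check passes.
        "unkeyed_accepts_tampered": verify_unkeyed(tampered, unkeyed_digest(tampered)),
        # The same trick fails against HMAC because the attacker lacks KEY.
        "hmac_accepts_attacker_tag": verify(tampered, sign(tampered, b"attacker-guess")),
    }


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: {outcome}")
```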
Honeypot
A deliberately vulnerable or enticing system designed to attract and detect attackers, providing early warning and intelligence.
Host Header
An HTTP request header that specifies the target domain, frequently exploited when servers trust its value without validation.
HSTS
HTTP Strict Transport Security, a response header that tells browsers to use HTTPS exclusively for a domain (and optionally its subdomains) for a stated period, upgrading plain-HTTP requests before they leave the browser and refusing to click through certificate errors. It takes effect only after the browser has seen the header over a valid HTTPS connection, unless the domain is on the browser preload list.
HTTP Headers
Metadata fields in HTTP requests and responses that control security policies, caching behavior, and communication parameters.
HTTPS
The secure version of HTTP that encrypts communication between browsers and servers using TLS.
I
IDOR
Insecure Direct Object Reference, a vulnerability where an application acts on a user-supplied identifier (a database ID, filename, or account number) without verifying that the requesting user is authorized for the referenced object, so changing the identifier reveals or modifies someone else's data.
Incident Response
The structured process an organization follows to detect, contain, eradicate, and recover from security breaches.
Information Disclosure
A vulnerability where an application unintentionally reveals sensitive data such as internal paths, credentials, or system details.
Injection
A class of vulnerabilities where untrusted data is sent to an interpreter as part of a command or query, enabling unintended execution.
Input Validation
The process of verifying that user-supplied data meets expected formats and constraints before the application processes it.
Insecure Design
A category of vulnerabilities rooted in flawed architectural decisions that cannot be fixed by correct implementation alone.
Integrity
The assurance that data has not been altered, tampered with, or corrupted, whether in storage or during transmission.
Intrusion Detection
A security mechanism that monitors network traffic or system activity to identify and alert on suspicious or malicious behavior.
IP Spoofing
A technique where an attacker falsifies the source IP address in network packets to impersonate another system or bypass access controls.
Isolation
A security principle that separates systems, processes, or data to limit the impact of a compromise and prevent lateral movement.
J
Jailbreak
The process of bypassing security restrictions imposed by a device's operating system or firmware to gain elevated access.
JSON Hijacking
An attack that reads JSON returned to an authenticated user by loading the response as a script on an attacker's page, historically by overriding JavaScript array and object constructors. Modern browsers have closed the original vectors, but the defenses still apply: serve JSON with the correct Content-Type and never as executable script, and require a CSRF token or non-simple request for sensitive data.
JSON Web Token (JWT)
A compact, URL-safe token format (RFC 7519) for transmitting claims between parties as a base64url-encoded header, payload, and signature. A signed JWT (JWS) protects the integrity and origin of the claims, but its payload is readable by anyone who holds the token; confidentiality requires encryption (JWE) or keeping secrets out of the claims.
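Added example, not the glossary's own code and not a substitute for a maintained library such as PyJWT: a minimal HS256 JWT issuer and verifier in Python that shows what a verifier must check, namely the signature under an algorithm fixed by the verifier (not read from the token) and the expiry claim. The secret and claims are constructed for illustration.

```python
"""Minimal HS256 JWT issue/verify. Secret and claims are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

SECRET = b"constructed-demo-secret"  # assumed; load from a secrets manager in practice


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: Dict[str, Any], secret: bytes = SECRET) -> str:
    """header.payload.signature, each part base64url without padding."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the claims if the token is valid, else None.

    The algorithm is pinned by the verifier. Honouring the token's own 'alg' lets an
    attacker choose 'none' (no signature at all) or make an RSA-configured verifier
    check an HMAC computed with the public key."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if int(claims["exp"]) <= now:  # an expiry claim is mandatory here
            return None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # malformed token, bad base64/JSON, missing or non-numeric exp
    return claims


if __name__ == "__main__":
    token = issue({"sub": "alice", "role": "user", "exp": int(time.time()) + 300})
    print(verify(token))
    # Forgery attempt: edited payload, header changed to alg none, empty signature.
    forged_header = _b64url(b'{"alg":"none"}')
    forged_payload = _b64url(b'{"sub":"alice","role":"admin","exp":9999999999}')
    print(verify(forged_header + "." + forged_payload + "."))  # None
```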
K
Kerberos
A network authentication protocol that uses tickets to allow nodes to prove their identity securely over untrusted networks.
Key Management
The practices and procedures for generating, storing, distributing, rotating, and revoking cryptographic keys.
Keylogger
Software or hardware that records keystrokes to capture sensitive information such as passwords and credit card numbers.
L
LDAP Injection
An injection attack that manipulates LDAP queries by inserting malicious input into search filters.
Least Privilege
A security principle that grants users and systems only the minimum permissions needed to perform their functions.
Log Injection
An attack that inserts malicious data into application logs by manipulating user-controlled input that gets logged.
Logic Flaw
A vulnerability arising from flawed application logic rather than technical implementation errors like injection or memory corruption.
M
Malware
Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems.
Man-in-the-Middle (MitM)
An attack where an adversary secretly intercepts and potentially alters communication between two parties who believe they are communicating directly.
Mass Assignment
A vulnerability where an application automatically binds user-supplied data to internal object properties without filtering, allowing attackers to modify unintended fields.
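Added example, not the glossary's own code: one profile-update handler in Python that shows both IDOR (the entry above under I) and mass assignment, beside the version that fixes them by checking ownership of the referenced object and binding only an explicit allowlist of fields. The in-memory store, users and request bodies are constructed for illustration.

```python
"""Object update with ownership check and field allowlist. Data is constructed."""
from typing import Any, Dict

# Constructed store: profile id -> record. 'owner' is the only user allowed to edit it.
PROFILES: Dict[int, Dict[str, Any]] = {
    1: {"owner": "alice", "display_name": "Alice", "bio": "", "is_admin": False},
    2: {"owner": "bob", "display_name": "Bob", "bio": "", "is_admin": False},
}

# Fields this endpoint may set. Everything else (is_admin, owner) is never bound from the body.
WRITABLE_FIELDS = {"display_name", "bio"}


class Forbidden(Exception):
    pass


def update_profile_vulnerable(current_user: str, profile_id: int, body: Dict[str, Any]) -> Dict[str, Any]:
    """Two bugs: the caller's id is trusted (IDOR) and every body key is bound (mass assignment)."""
    profile = PROFILES[profile_id]
    profile.update(body)
    return profile


def update_profile(current_user: str, profile_id: int, body: Dict[str, Any]) -> Dict[str, Any]:
    profile = PROFILES.get(profile_id)
    # Authorization is decided per object: being logged in is not enough.
    if profile is None or profile["owner"] != current_user:
        raise Forbidden(f"{current_user} may not edit profile {profile_id}")
    # Explicit allowlist of bindable fields; unknown keys are silently dropped.
    for key in WRITABLE_FIELDS.intersection(body):
        profile[key] = body[key]
    return profile


if __name__ == "__main__":
    payload = {"display_name": "Mallory", "is_admin": True}
    print(update_profile_vulnerable("mallory", 1, payload))  # alice's profile, now admin
    try:
        update_profile("mallory", 2, payload)
    except Forbidden as e:
        print("blocked:", e)
    print(update_profile("bob", 2, payload))  # only display_name changes
```

Returning a 404 rather than a 403 for objects the caller may not see avoids confirming that the identifier exists.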
MIME Sniffing
A browser behavior that guesses a resource's content type by inspecting its bytes instead of trusting the server-declared Content-Type header, which can cause user-uploaded content to be rendered as HTML or executed as script. The X-Content-Type-Options: nosniff response header disables it.
MitM (Man-in-the-Middle)
An abbreviated term for man-in-the-middle attacks, where an attacker intercepts communication between two parties.
Multi-Factor Authentication (MFA)
A security mechanism that requires users to present two or more independent verification factors (something they know, something they have, something they are) to prove their identity, so that a stolen or guessed password alone is not enough to gain access.
Multi-Tenancy
A software architecture where a single application instance serves multiple independent customers (tenants) while keeping their data isolated.
Mutation XSS (mXSS)
A cross-site scripting variant that exploits how browsers mutate HTML during parsing and serialization to bypass sanitization.
Security Misconfiguration
A vulnerability category where insecure default settings, incomplete configurations, or unnecessary features leave systems exposed to attack.
N
Network Security
The practice of protecting network infrastructure and data in transit from unauthorized access, misuse, and attacks.
Nonce
A unique, single-use value used in cryptographic protocols and security mechanisms to prevent replay attacks and ensure freshness.
NoSQL Injection
An injection attack targeting NoSQL databases by manipulating queries through unsanitized user input.
Null Byte Injection
An attack that uses null byte characters to truncate strings and bypass security filters in applications that handle strings inconsistently.
O
OAuth
An authorization framework that allows third-party applications to access resources on behalf of a user without exposing their credentials.
Open Redirect
A vulnerability where an application redirects users to arbitrary external URLs based on user-controlled input without proper validation.
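Added example, not the glossary's own code: validating a post-login "next" parameter in Python so that only same-site relative paths are honoured. The candidate URLs are constructed; the checks cover the inputs that slip past a naive "starts with /" test, such as protocol-relative URLs, backslash variants, and embedded control characters.

```python
"""Safe redirect-target validation. Candidate URLs are constructed for illustration."""
from typing import Optional
from urllib.parse import urlsplit


def safe_redirect_target(next_url: Optional[str], default: str = "/") -> str:
    """Return next_url if it is a plain path on this site, otherwise `default`."""
    if not next_url:
        return default
    # Control characters and whitespace can make a browser reinterpret the URL.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in next_url):
        return default
    # "//evil.example" is protocol-relative, and browsers treat "\" like "/", so
    # "/\evil.example" becomes "//evil.example". Reject any second separator.
    if not next_url.startswith("/") or next_url[1:2] in ("/", "\\"):
        return default
    parts = urlsplit(next_url.replace("\\", "/"))
    # Anything that still parses with a scheme or host is an off-site destination.
    if parts.scheme or parts.netloc:
        return default
    return next_url


if __name__ == "__main__":
    for candidate in ("/account", "/account?tab=1", "//evil.example", "/\\evil.example",
                      "https://evil.example/", "javascript:alert(1)", "/\tevil", None):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

When redirects to other hosts are genuinely required, compare the parsed hostname against an explicit allowlist instead of relaxing these checks.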
OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that enables applications to verify user identity and obtain basic profile information.
Origin
A combination of scheme, hostname, and port that defines the security boundary for web content under the same-origin policy.
Output Encoding
The practice of converting special characters in user-supplied data into safe representations before rendering them in a specific output context.
OWASP
The Open Worldwide Application Security Project, a nonprofit foundation that produces widely adopted standards, guides, and resources for application security.
P
Parameter Pollution
An attack that manipulates how applications handle duplicate HTTP parameters to bypass security controls or alter application behavior.
Password Hashing
The process of transforming a plaintext password into a fixed-length, irreversible string using a cryptographic function.
Password Reset
A mechanism that allows users to regain access to their account by verifying their identity and setting a new password.
Patch Management
The systematic process of identifying, acquiring, testing, and deploying software updates to fix security vulnerabilities.
Path Traversal
A vulnerability that allows attackers to access files and directories outside the intended scope by manipulating file path inputs.
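Added example serving this entry and Directory Traversal above, not the glossary's own code: serving files from a fixed directory in Python without traversal. The request path is canonicalized first (percent-decoding, null-byte rejection, backslash normalization) and the resolved result is then checked against the resolved base directory, which is the check that actually decides. The base directory and files are created in a temporary folder for illustration.

```python
"""Confine file access to a base directory. The directory layout is constructed."""
import tempfile
from pathlib import Path
from typing import Dict, Union
from urllib.parse import unquote


class PathTraversal(Exception):
    pass


def resolve_under(base: Path, user_path: str) -> Path:
    """Return the absolute path for user_path if it lies within base; raise otherwise."""
    # Decode once. A double-encoded "%252e%252e" stays literal and simply will not exist.
    decoded = unquote(user_path)
    # A NUL terminates C strings in some runtimes ("file.txt\0.jpg" passes an extension
    # check but opens file.txt); treat its presence as hostile rather than stripping it.
    if "\0" in decoded:
        raise PathTraversal("null byte in path")
    # Backslash is a separator on Windows, so "..\" must be handled like "../".
    decoded = decoded.replace("\\", "/")
    base_real = base.resolve()
    # Strip a leading slash before joining so an absolute path cannot replace the base.
    candidate = (base_real / decoded.lstrip("/")).resolve()
    # The decisive check: after symlink and ".." resolution, is it still inside base?
    if candidate != base_real and base_real not in candidate.parents:
        raise PathTraversal(f"{user_path!r} escapes {base}")
    return candidate


def read_public_file(base: Path, user_path: str) -> bytes:
    return resolve_under(base, user_path).read_bytes()


def demo() -> Dict[str, Union[bytes, str]]:
    """Constructed layout: public/hello.txt is served; secret.txt beside public/ is not."""
    root = Path(tempfile.mkdtemp())
    public = root / "public"
    public.mkdir()
    (public / "hello.txt").write_bytes(b"hi")
    (root / "secret.txt").write_bytes(b"top secret")
    results: Dict[str, Union[bytes, str]] = {}
    for attempt in ("hello.txt", "../secret.txt", "..%2fsecret.txt", "..\\secret.txt",
                    "hello.txt%00.jpg", "/etc/passwd", "sub/../hello.txt"):
        try:
            results[attempt] = read_public_file(public, attempt)
        except (PathTraversal, FileNotFoundError) as e:
            results[attempt] = type(e).__name__
    return results


if __name__ == "__main__":
    for attempt, outcome in demo().items():
        print(f"{attempt!r:22} -> {outcome!r}")
```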
Payload
The component of an attack that performs the malicious action, such as executing code, extracting data, or altering system behavior.
Penetration Testing
A structured security assessment where testers simulate real-world attacks to identify exploitable vulnerabilities in systems and applications.
Permissions
Controls that define what actions a user, process, or system component is authorized to perform on a given resource.
Phishing
A social engineering attack that tricks individuals into revealing sensitive information by impersonating a trusted entity.
Privilege Escalation
An attack where a user gains higher access rights than they are authorized to have, either vertically or horizontally.
Prototype Pollution
A JavaScript vulnerability where attacker-controlled input, typically keys such as __proto__ or constructor.prototype fed to a recursive merge or property-assignment routine, adds properties to Object.prototype. Every object then inherits them, which can alter application logic, cause denial of service, or lead to code execution.
Proxy
An intermediary server that sits between a client and a destination server, forwarding requests and responses while enabling inspection, filtering, or modification of traffic.
R
Race Condition
A vulnerability that occurs when the outcome of an operation depends on the timing or interleaving of concurrent events, so an attacker who sends requests in parallel can act in the window between a check and the action it guards (time-of-check to time-of-use), for example redeeming a single-use coupon twice.
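Added example, not the glossary's own code: a check-then-act race on a single-use coupon in Python, beside the version that closes it. A barrier makes the two concurrent redemptions interleave in the worst order so the bug reproduces deterministically; real attackers get the same effect by sending the requests in parallel. The coupon store is an in-memory dict constructed for illustration.

```python
"""TOCTOU race on a single-use coupon, and the atomic fix. Store is constructed."""
import threading
import time
from typing import Callable, Dict

Hook = Callable[[], object]


class CouponStore:
    def __init__(self) -> None:
        self.uses: Dict[str, int] = {"SAVE50": 0}  # constructed: one single-use coupon
        self.lock = threading.Lock()

    def redeem_vulnerable(self, code: str, hook: Hook) -> bool:
        # The check and the update are separate, unsynchronized steps.
        if self.uses[code] == 0:   # check
            hook()                 # the window: another request can pass the check here
            self.uses[code] += 1   # act
            return True
        return False

    def redeem_safe(self, code: str, hook: Hook) -> bool:
        # Check and act under one lock, so nothing runs between them. With a database
        # the equivalent is a conditional update such as
        # UPDATE coupons SET uses = uses + 1 WHERE code = ? AND uses = 0
        # followed by testing the affected-row count, or SELECT ... FOR UPDATE.
        with self.lock:
            if self.uses[code] == 0:
                hook()
                self.uses[code] += 1
                return True
            return False


def run_concurrently(redeem: Callable[[str, Hook], bool], attackers: int = 2,
                     force_interleave: bool = True) -> int:
    """Fire `attackers` redemptions of the same code at once; return how many succeeded."""
    barrier = threading.Barrier(attackers)
    # Vulnerable path: every thread parks at the barrier after its check, so all of them
    # have passed the check before any of them updates. Safe path: the lock is held across
    # the window, so a barrier there would deadlock; a short sleep keeps the window open.
    hook: Hook = barrier.wait if force_interleave else (lambda: time.sleep(0.01))
    outcomes = []

    def worker() -> None:
        outcomes.append(redeem("SAVE50", hook))

    threads = [threading.Thread(target=worker) for _ in range(attackers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(outcomes)


def demo() -> Dict[str, int]:
    return {
        "vulnerable": run_concurrently(CouponStore().redeem_vulnerable, force_interleave=True),
        "safe": run_concurrently(CouponStore().redeem_safe, attackers=8, force_interleave=False),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 2, 'safe': 1}
```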
Ransomware
Malicious software that encrypts a victim's data and demands payment in exchange for the decryption key.
Rate Limiting
A defensive mechanism that restricts the number of requests a user or client can make within a specified time period.
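Added example, not the glossary's own code: a token-bucket rate limiter keyed by client in Python. The clock is injectable so the behaviour is deterministic; in production the key would be a user id, account name or API key, the state would live in a shared store, and the clock would be time.monotonic. The login scenario at the end is constructed.

```python
"""Token-bucket rate limiter with an injectable clock. Scenario is constructed."""
import time
from typing import Callable, Dict, Tuple


class TokenBucket:
    """Allows up to `burst` requests at once, refilling `rate` tokens per second."""

    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self._state: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last_seen)

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(key, (float(self.burst), now))
        # Refill in proportion to elapsed time, never beyond the burst size.
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[key] = (tokens - 1.0, now)
            return True
        self._state[key] = (tokens, now)
        return False  # caller responds 429 Too Many Requests with Retry-After


class FakeClock:
    """Deterministic stand-in for time.monotonic."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_login_attempts() -> Tuple[int, int, bool]:
    """Constructed scenario: 5 attempts per minute per account. An attacker fires 20 at
    once, then one more after 13 seconds. Returns (allowed in burst, allowed after wait,
    whether another account is unaffected)."""
    clock = FakeClock()
    limiter = TokenBucket(rate=5 / 60, burst=5, clock=clock)
    allowed_burst = sum(limiter.allow("login:alice") for _ in range(20))
    clock.advance(13)  # at 5 per minute one token refills every 12 seconds
    allowed_after = int(limiter.allow("login:alice"))
    other_account = limiter.allow("login:bob")
    return allowed_burst, allowed_after, other_account


if __name__ == "__main__":
    print(simulate_login_attempts())  # (5, 1, True)
```

Per-account limits on login slow credential stuffing and brute force; pair them with a per-IP limit, because attackers spread attempts across many accounts.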
RBAC (Role-Based Access Control)
An access control model that assigns permissions to roles rather than individual users, simplifying authorization management.
RCE (Remote Code Execution)
A critical vulnerability that allows an attacker to execute arbitrary code on a target system remotely.
Reconnaissance
The initial phase of an attack or security assessment, in which information about the target (domains, IP ranges, technologies, employees, exposed services) is systematically gathered to map the attack surface and identify likely weaknesses.
Referrer Policy
An HTTP response header that controls how much of the current page's URL is sent in the Referer header when the browser navigates to another page or fetches a resource, limiting the leakage of paths, query strings, and tokens to third parties.
Reflected XSS
A cross-site scripting variant where malicious script is reflected off the server in the immediate response, typically via a URL parameter.
Remediation
The process of addressing and fixing security vulnerabilities identified during an assessment or incident.
Responsible Disclosure
A vulnerability disclosure practice where a researcher privately reports security flaws to the affected organization before any public disclosure.
S
Same-Origin Policy
A browser security mechanism that restricts how documents and scripts from one origin can interact with resources from another origin.
SAML (Security Assertion Markup Language)
An XML-based standard for exchanging authentication and authorization data between identity providers and service providers.
Sandbox
An isolated environment that restricts the actions and resources available to a running process, limiting the impact of exploitation.
SAST (Static Application Security Testing)
A testing methodology that analyzes application source code for security vulnerabilities without executing the program.
Secret Management
The practice of securely storing, distributing, and rotating sensitive credentials like API keys, passwords, and encryption keys.
Security Assessment
A structured evaluation of an organization's systems, applications, or infrastructure to identify security weaknesses and risks.
Security Headers
HTTP response headers that instruct browsers to enable specific security features, hardening the application against common attacks.
Sensitive Data
Any information that requires protection due to the risk of harm from its unauthorized disclosure, modification, or loss.
Server-Side Request Forgery
A vulnerability where an attacker can make the server send requests to unintended destinations, potentially accessing internal resources.
Session Fixation
An attack where an adversary sets a user's session identifier to a known value, then hijacks the session after the user authenticates.
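Added example, not the glossary's own code: a session store in Python whose login is vulnerable to fixation, beside the version that rotates the session id at login. The store, the victim and the attacker's pre-obtained session id are constructed for illustration.

```python
"""Session fixation: vulnerable login beside the rotating fix. Data is constructed."""
import secrets
from typing import Callable, Dict, Optional


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, Optional[str]]] = {}

    def get_or_create(self, presented: Optional[str]) -> str:
        """Session id for a request that presented `presented` (or nothing).
        Unknown ids are never adopted, so an attacker cannot simply invent one."""
        if presented is not None and presented in self.sessions:
            return presented
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid: str, user: str) -> str:
        # Keeps whatever id the request arrived with. If the attacker planted it (via a
        # link, a cookie-injection flaw or a sibling subdomain), the attacker now holds
        # an authenticated session without ever stealing anything from the victim.
        self.sessions[sid]["user"] = user
        return sid

    def login_safe(self, sid: str, user: str) -> str:
        # Rotate at the privilege change: fresh id, old one invalidated.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        session = self.sessions.get(sid)
        return session["user"] if session else None


def fixation_attack(login: Callable[[SessionStore, str, str], str]) -> Optional[str]:
    """The attacker obtains an anonymous session id, makes the victim's browser use it,
    waits for the victim to log in, then checks what that id is now worth."""
    store = SessionStore()
    planted = store.get_or_create(None)        # attacker's own anonymous session
    victim_sid = store.get_or_create(planted)  # victim's browser now carries `planted`
    login(store, victim_sid, "victim")
    return store.user_for(planted)


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(lambda s, sid, u: s.login_vulnerable(sid, u)))  # victim
    print("safe:", fixation_attack(lambda s, sid, u: s.login_safe(sid, u)))              # None
```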
Session Hijacking
An attack where an adversary steals or predicts a valid session token to impersonate an authenticated user.
Session Management
The process of securely creating, maintaining, and terminating user sessions that track authenticated state across multiple requests.
Shell Injection
A vulnerability where an attacker injects operating system commands through an application that passes user input to a system shell.
Social Engineering
Manipulation techniques that exploit human psychology to trick people into divulging information or performing actions that compromise security.
SQL Injection
A vulnerability where attacker-controlled input is inserted into SQL queries, allowing unauthorized database access and manipulation.
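Added example serving this entry and the Injection entry under I, not the glossary's own code: a login query built by string formatting beside its parameterized replacement, run in Python against an in-memory SQLite database. The table and rows are constructed, and the password column holds plaintext only to keep the example short (see Password Hashing).

```python
"""SQL injection: string-built query beside a parameterized one. Data is constructed."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "letmein")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    # Attacker input is spliced into the SQL text and becomes part of its grammar.
    sql = (f"SELECT id, username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    # Placeholders send the values separately; the driver never lets them change the query shape.
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, tautology, tautology))  # every user
    print("safe:", login_safe(conn, tautology, tautology))              # []
    # Comment trick: the rest of the WHERE clause, password check included, is commented out.
    print("alice'--:", login_vulnerable(conn, "alice'--", "wrong"))     # [(1, 'alice')]
```

Parameterization fixes injection of values; table or column names chosen by the user still need an allowlist, because placeholders cannot stand in for identifiers.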
SSL/TLS
Cryptographic protocols that provide encrypted, authenticated communication between clients and servers over a network. SSL is the deprecated predecessor of TLS; every SSL version and TLS 1.0/1.1 have known weaknesses, so current deployments should offer only TLS 1.2 and 1.3.
SSRF
An abbreviation for Server-Side Request Forgery, a vulnerability where an attacker induces the server to make requests to unintended internal or external destinations.
Stored XSS
A cross-site scripting variant where the malicious script is permanently stored on the target server and executes for every user who views the affected content.
Subdomain Takeover
A vulnerability where an attacker claims control of a subdomain that points to an unclaimed or decommissioned external service.
Supply Chain Attack
An attack that targets an organization indirectly by compromising a trusted third-party component, library, or service that the organization depends on.
T
Template Injection
A vulnerability where user input is embedded into a template engine, allowing attackers to execute arbitrary code on the server or client.
Threat Modeling
A structured process for identifying, analyzing, and prioritizing potential security threats to an application or system.
TLS (Transport Layer Security)
A cryptographic protocol that provides secure communication over a network by encrypting data in transit between two parties.
Token
A digitally generated string used to authenticate a user, authorize access, or maintain session state without repeatedly transmitting credentials.
TOTP (Time-Based One-Time Password)
An authentication mechanism that generates short-lived numeric codes based on a shared secret and the current time.
Trust Boundary
A conceptual line in a system where the level of trust changes, requiring validation and security controls at the crossing point.
Two-Factor Authentication (2FA)
A security mechanism that requires users to provide two distinct forms of verification before gaining access to an account or system.
Type Confusion
A vulnerability that occurs when a program processes a data object as a different type than intended, leading to unexpected behavior or code execution.
U
Unicode Normalization
The process of converting Unicode text into a canonical form, which attackers exploit when an application validates input before normalizing it: visually distinct characters (fullwidth letters, ligatures, look-alikes) pass the filter and then normalize into the blocked value. Normalize first, then validate, and compare canonical forms.
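Added example, not the glossary's own code: a reserved-username check in Python that normalizes before validating. The reserved list and the attempted names are constructed; the naive version checks the raw string and is bypassed by compatibility characters and invisible format characters that later collapse into the blocked word.

```python
"""Normalize-then-validate for reserved names. List and inputs are constructed."""
import unicodedata

RESERVED = {"admin", "root", "support"}  # constructed


def canonical(name: str) -> str:
    """NFKC folds compatibility characters (fullwidth letters, ligatures, superscripts)
    to their base form. Format and control characters (zero-width joiner, soft hyphen)
    are removed so "ad<ZWJ>min" cannot slip through. casefold() handles case,
    including cases such as ß -> ss that lower() misses."""
    normalized = unicodedata.normalize("NFKC", name)
    visible = "".join(c for c in normalized if unicodedata.category(c) not in ("Cf", "Cc"))
    return visible.casefold()


def is_reserved_naive(name: str) -> bool:
    """Checks the raw string: bypassed by look-alike encodings of the same word."""
    return name.lower() in RESERVED


def is_reserved(name: str) -> bool:
    return canonical(name) in RESERVED


if __name__ == "__main__":
    for attempt in ("admin", "\uff21\uff24\uff2d\uff29\uff2e", "ad\u200dmin", "\ufb01nance", "Root"):
        print(f"{attempt!r:28} naive={is_reserved_naive(attempt)!s:5} canonical={is_reserved(attempt)}")
```

The same ordering applies to any comparison against stored data: store and compare the canonical form, not the raw input.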
URL Encoding
A method of representing special characters in URLs using percent-sign notation (for example %2e for "."), exploited to bypass security filters when an application validates input before decoding it, or decodes it more than once so that a double-encoded payload emerges after the check.
User Enumeration
A technique where an attacker determines valid usernames or email addresses by observing differences in an application's responses.
V
VPN (Virtual Private Network)
A technology that creates an encrypted tunnel between two points on a network, protecting data in transit and masking the user's network identity.
Vulnerability
A weakness in a system, application, or process that can be exploited by a threat actor to perform unauthorized actions.
Vulnerability Assessment
A systematic process of identifying, quantifying, and prioritizing security weaknesses in a system or application.
Vulnerability Disclosure
The process of reporting a discovered security vulnerability to the affected vendor or organization so it can be fixed before public exposure.
Vulnerability Scanner
An automated security testing application that probes systems and applications for known vulnerabilities, misconfigurations, and weaknesses.
W
WAF (Web Application Firewall)
A security control that inspects HTTP traffic between users and a web application, filtering or blocking requests that match known attack patterns such as SQL injection or cross-site scripting. It reduces exposure and buys time to patch, but encoding and protocol tricks frequently bypass signature-based rules, so it complements secure coding rather than replacing it.
WebSocket Security
The set of security considerations and protections specific to WebSocket connections, which maintain persistent bidirectional communication channels.
Whitelist (Allowlist)
A security approach that permits only explicitly approved items while denying everything else by default.
X
X-Frame-Options
An HTTP response header that controls whether a browser may render a page inside a frame, protecting against clickjacking. The CSP frame-ancestors directive supersedes it and allows finer control; both are commonly sent so that older browsers are covered.
XML External Entity (XXE)
A vulnerability in XML parsers that allows attackers to include external entities, leading to file disclosure, SSRF, or denial of service.
XSS (Cross-Site Scripting)
A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, compromising their browser sessions.
Z
Zero Trust
A security architecture that eliminates implicit trust by requiring continuous verification of every user, device, and connection regardless of network location.
Zero-Day
A previously unknown vulnerability that is exploited before the vendor has released a patch or is even aware of its existence.
Zone Transfer
A DNS mechanism that replicates zone data between name servers, which if misconfigured can leak an organization's complete DNS records to attackers.