What are the typical exploit techniques used by malware that target interfaces?
Five recurring ones: SQL injection, command injection, XSS, buffer overflows, and string overflows — and they're all the same trick, "data crossing a boundary and being treated as code".
What makes this list worth memorising isn't the names but the pattern behind them: each technique smuggles attacker-controlled input across a trust boundary and gets it interpreted as instructions (SQL, shell commands, HTML/JS, or raw memory) instead of inert data. Recognise the pattern and you can defend all five with the same instinct — validate and separate data from code at the boundary:
Technique overview:
| Technique | Target | Attack Vector |
|---|---|---|
| SQL Injection | Database queries | User input in SQL |
| Command Injection | OS commands | User input in shell commands |
| XSS | Web browsers | Malicious scripts in web pages |
| Buffer Overflow | Memory | Input exceeding buffer size |
| String Overflow | String handling | Oversized string input |
Common thread: All exploit improper input validation at interfaces — the attacker's data crosses a trust boundary and gets interpreted as code.
See: OWASP Top 10
Go deeper:
SEI CERT C Coding Standard — rules targeting buffer/string overflows and input handling.