Vulnerability (computing) - Classification and Component Vulnerabilities

Classification of Vulnerabilities Introduction Vulnerabilities are weaknesses in software or systems that attackers can exploit to compromise security. To understand and defend against vulnerabilities effectively, security professionals use multiple classification systems. These systems organize vulnerabilities by their root causes (what went wrong in the development process), by bug types (the technical nature of the flaw), and by affected component (where in the system the vulnerability exists). This multi-layered approach helps us identify patterns, understand attack vectors, and implement appropriate defenses. Root Causes of Vulnerabilities The National Vulnerability Database classifies vulnerabilities based on their underlying causes—the fundamental mistakes that created the security weakness. Understanding these root causes is crucial because it helps developers avoid these mistakes during the development lifecycle. Input Validation Failures Input validation failures occur when software doesn't adequately check or sanitize data that users or external systems provide. This is one of the most common vulnerability sources because attackers actively exploit it to inject malicious code. When input validation is insufficient, attackers can craft specially formatted data that bypasses security checks. This leads to three main problems: Buffer overflow: An attacker sends more data than a buffer can hold, overwriting adjacent memory and potentially executing arbitrary code Buffer underflow: Attackers manipulate memory below the intended buffer, causing similar damage Boundary condition exploits: Attackers manipulate edge cases (like minimum or maximum values) that developers failed to anticipate Example: A web form asks for a username but doesn't check the length. An attacker sends a 10,000-character string that overflows the 128-character username buffer, overwriting a nearby password variable. Access Control Failures Access control is the mechanism that determines who can access what resources and what actions they can perform. When access controls are faulty, attackers can bypass these restrictions. Two primary threats emerge from access control failures: Unauthorized access to restricted systems: An attacker accesses data or functionality they shouldn't be able to reach Privilege escalation: An attacker with limited permissions gains higher-level permissions (such as escalating from regular user to administrator) Example: A web application checks if a user is logged in, but doesn't verify which account the user belongs to. An attacker can change a parameter from userid=5 to userid=6 and view another user's private information. Exception Handling Errors Exception handling refers to how software responds to unexpected or erroneous conditions. Poor exception handling creates exploitable vulnerabilities because error messages or states can reveal information to attackers or leave the system in an unsafe state. When exception handling is inadequate, attackers can: Trigger unexpected error conditions that expose sensitive information Leave the system in a compromised state where normal security checks are bypassed Gain unauthorized access by exploiting the way the software recovers (or fails to recover) from errors Example: A database connection fails, but the software doesn't properly close the connection attempt. An attacker repeatedly triggers this condition, eventually exhausting all available connections and denying service to legitimate users. Configuration Errors Configuration errors are security weaknesses that arise from how software and systems are set up after installation. Even well-designed software can be vulnerable if misconfigured. Common configuration mistakes include: Unpatched software: Running software with known vulnerabilities because security updates haven't been applied Overly permissive file system permissions: Allowing too many users or processes to read, write, or execute sensitive files Unnecessary services enabled: Running network services that aren't needed, expanding the attack surface Default credentials unchanged: Leaving default usernames and passwords in place Example: An administrator installs a web server but forgets to disable the default administrative interface, which has a well-known password. An attacker logs in using the default credentials and takes control of the server. Race Conditions Race conditions occur when the outcome of software execution depends on unpredictable timing or external factors, rather than on proper logic. This vulnerability is particularly difficult to detect because it occurs inconsistently. Race conditions typically happen when: Multiple processes access the same resource simultaneously The software assumes events will occur in a specific order, but they don't Timing differences between different systems create unexpected behavior Example: Two users simultaneously withdraw the last $100 from a bank account. Due to a race condition, both transactions proceed without checking the updated balance, and the account ends up overdrawn. Taxonomy of Security Bugs While root cause classification focuses on why vulnerabilities exist, bug taxonomy classifies vulnerabilities by their technical nature. This helps developers recognize flawed code patterns. Memory Safety Issues Memory safety issues are bugs involving improper management of computer memory. These are among the most severe vulnerabilities because they often allow arbitrary code execution. Key memory safety vulnerabilities include: Buffer overflows: Writing data beyond a buffer's allocated space, corrupting adjacent memory Dangling pointers: Using pointers that reference memory that has already been freed, leading to unpredictable behavior Use-after-free: Accessing memory after it has been deallocated Double-free: Attempting to free the same memory block twice <extrainfo> These vulnerabilities are particularly common in languages like C and C++, which give programmers direct memory management responsibility. Modern languages like Python, Java, and C# use automatic memory management (garbage collection), making these bugs far less common. </extrainfo> Race Conditions Race conditions deserve mention in both root cause and taxonomy classifications because they represent both a root cause and a distinct bug pattern. (See the Root Causes section above for detailed explanation.) Faulty API Usage Application programming interfaces (APIs) are sets of rules that define how software components communicate. When programmers use APIs incorrectly, they create vulnerabilities. Common API misuse includes: Calling functions in the wrong order: Many APIs require functions to be called in a specific sequence, and calling them out of order can create security gaps Misunderstanding API assumptions: Using an API without fully understanding what it does or what it guarantees Ignoring error codes: Not checking whether API calls succeeded or failed before using their results Example: A programmer uses a cryptographic API to encrypt data but doesn't check the return code. The encryption actually failed silently, and the data was never encrypted, even though the code appears secure. Vulnerabilities by Component The final major classification system organizes vulnerabilities by which part of a system is affected: the operating system, client-server applications, or web applications. Different components face different threats due to their different architectures and purposes. Operating System Vulnerabilities Operating systems are the foundational layer that all other software runs on top of, making OS vulnerabilities particularly dangerous. A compromised operating system can compromise all software running on it. <extrainfo> Open-source operating systems benefit from community-driven security: anyone can review the code to find bugs, and community members can rapidly develop and distribute patches. However, this openness also means attackers can identify vulnerabilities. The key advantage is that patches become available quickly through community coordination. </extrainfo> Client-Server Application Vulnerabilities Client-server applications consist of a client component (running on the user's device) and a server component (running on a remote computer). This separation creates unique vulnerability opportunities. Unencrypted Data at Rest and in Transit Data can be vulnerable at two points: when it's stored (at rest) and when it's being transmitted (in transit). Without encryption: Data stored on disk can be read by anyone with file system access Data transmitted over a network can be intercepted and read by attackers on the network path Example: A client-server application stores user passwords without encryption. An attacker steals the database file and reads all passwords in plaintext. Process Hijacking Process hijacking occurs when an attacker takes control of an existing computer process (a running program). Instead of starting a new malicious program, the attacker infiltrates an already-running one, making their activity harder to detect. Example: An attacker injects malicious code into a running web browser process. The browser continues to appear normal to the user, but the attacker can now intercept all web traffic, steal cookies, and capture keystrokes. Web Application Vulnerabilities Web applications are leading targets for attacks because they're widely accessible (anyone with a web browser can reach them) and frequently handle sensitive data. The following vulnerabilities are specific to web applications or particularly prevalent in web contexts. Authentication and Authorization Failures Authentication verifies that a user is who they claim to be. Authorization determines what authenticated users are allowed to do. When either fails, attackers can access data and functionality meant only for trusted users. Example: A web application authenticates users correctly but fails to check whether the user is authorized to view a particular resource. An attacker can directly request data belonging to other users by manipulating URLs or API parameters. Business Logic Vulnerabilities Business logic vulnerabilities arise when programmers fail to anticipate unexpected or unusual use cases in application logic. Even if the individual components are implemented securely, unexpected combinations or sequences of operations can create vulnerabilities. Example: An e-commerce application has a "refund" function that correctly deducts money from one account and credits another. However, the programmer didn't anticipate someone requesting a refund for the same order twice. An attacker exploits this to receive two refunds for one purchase. Cross-Site Scripting (XSS) Cross-site scripting allows an attacker to inject and execute malicious JavaScript code in victims' browsers. When input validation is insufficient, attackers can embed malicious scripts in web pages viewed by other users. The attacker's JavaScript runs with the same privileges as the legitimate website, allowing it to: Steal session cookies and authentication tokens Deface the web page Redirect users to malicious sites Capture keystrokes Example: A comment section on a blog doesn't properly validate input. An attacker posts a comment containing <script>alert('hacked')</script>. When other users view the page, the script executes in their browsers. SQL Injection SQL injection manipulates database queries by inserting malicious SQL code into user input fields. Attackers use this to gain unauthorized access to database data, modify data, or even take control of the database server. Example: A login form has a username field. An attacker enters admin' -- as the username. This creates the SQL query: SELECT FROM users WHERE username = 'admin' --', which returns the admin account regardless of the password. Command Injection Command injection occurs when attackers place malicious code in data fields or processes, and the application executes this code as operating system commands. This can allow attackers to execute arbitrary commands on the server. Example: A web application takes a filename from the user and executes delete [filename]. An attacker enters important.txt; rm -rf / as the filename, causing the system to delete critical files. Cross-Site Request Forgery (CSRF) Cross-site request forgery forces a client (a user's browser) to perform unwanted actions on a website where they're already authenticated. The attacker tricks the user into taking an action they didn't intend. Example: An attacker sends a user an email with a link to https://bank.com/transfer?amount=1000&to=attackeraccount. If the user is already logged into their bank, their browser automatically includes authentication cookies with the request, and the transfer happens without the user's knowledge. Server-Side Request Forgery (SSRF) Server-side request forgery exploits the server's privileged position on the network. The attacker tricks the server into making requests to internal resources (like databases or administrative interfaces) that should only be accessible from within the organization. Unlike regular users whose network access is limited, servers often have access to internal, sensitive resources. By exploiting SSRF, attackers can: Access internal APIs and services Scan internal network infrastructure Access cloud metadata services that contain credentials and configuration Example: An attacker tricks a web server into making a request to http://internal-database:5432, accessing a database that should only be reachable from within the corporate network.