SE Notes
Understanding common software security vulnerabilities and their prevention.
Software vulnerabilities are weaknesses in a system's design, implementation, or configuration that can be exploited by attackers to compromise confidentiality, integrity, or availability. Understanding common vulnerabilities is essential for every software engineer—not just security specialists—because most vulnerabilities are introduced during routine development by programmers unaware of security implications. A single SQL injection vulnerability can expose an entire database of customer records. A single cross-site scripting flaw can compromise every user who visits the affected page. Prevention requires understanding how these vulnerabilities work and how to code defensively against them.
SQL Injection
SQL injection occurs when user-supplied input is incorporated directly into SQL queries without proper sanitization, allowing attackers to manipulate the query's logic. It remains one of the most common and devastating vulnerabilities despite being well-understood for over two decades.
How it works:
# VULNERABLE CODE - never do this
def login(username, password):
query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
result = db.execute(query)
return result
# Attacker enters: username = ' OR '1'='1' --
# Resulting query: SELECT * FROM users WHERE username='' OR '1'='1' --' AND password=''
# The -- comments out the password check, '1'='1' is always true
# Attacker gains access without knowing any valid credentialsPrevention: Use parameterized queries (prepared statements) that separate SQL logic from data:
# SAFE CODE - parameterized query
def login(username, password):
query = "SELECT * FROM users WHERE username = %s AND password = %s"
result = db.execute(query, (username, password))
return resultReal-world impact: The 2017 Equifax breach exposed 147 million records through an unpatched Apache Struts vulnerability that enabled injection attacks.
Cross-Site Scripting (XSS)
XSS allows attackers to inject malicious scripts into web pages viewed by other users. The victim's browser executes the attacker's script with full access to the page's DOM, cookies, and session data.
Stored XSS: Malicious script is permanently stored on the target server (in a database, message forum, or comment field). Every user who views the stored content executes the script.
Reflected XSS: Malicious script is reflected off the web application, typically via a URL parameter:
Prevention: Output encoding (escape HTML entities before rendering user input), Content Security Policy headers (restrict which scripts can execute), input validation (reject input containing script tags), and using frameworks that auto-escape by default (React, Angular).
Cross-Site Request Forgery (CSRF)
CSRF tricks authenticated users into performing unintended actions on a web application. The attacker creates a request that the victim's browser sends automatically with their existing authentication cookies.
Prevention: Anti-CSRF tokens (unique tokens in forms that the server validates), SameSite cookie attributes (prevent cookies from being sent with cross-origin requests), and requiring re-authentication for sensitive operations.
Buffer Overflow
Buffer overflows occur when a program writes data beyond the allocated memory buffer, potentially overwriting adjacent memory containing program control data (like return addresses). This allows attackers to execute arbitrary code.
Prevention: Use safe string functions (strncpy instead of strcpy), bounds checking, memory-safe languages (Java, Python, Rust), Address Space Layout Randomization (ASLR), and stack canaries.
Broken Authentication
Vulnerabilities in authentication mechanisms allow attackers to assume other users' identities:
- Credential stuffing: Using leaked username/password pairs from other breaches (users reuse passwords)
- Brute force: Systematically trying all possible passwords without rate limiting
- Session fixation: Forcing a known session ID onto a user, then hijacking that session
- Insecure password storage: Storing passwords in plain text or with weak hashing (MD5)
Prevention: Multi-factor authentication, rate limiting, account lockout after failed attempts, strong password hashing (bcrypt with appropriate work factor), and secure session management with proper regeneration after login.
Insecure Direct Object References (IDOR)
IDOR occurs when an application exposes internal object references (like database IDs) and does not verify that the requesting user is authorized to access the referenced object.
// User A is viewing their order
GET /api/orders/12345
// User A modifies the ID to view User B's order
GET /api/orders/12346
// If the server doesn't verify ownership, it returns User B's private dataPrevention: Always verify authorization—confirm the requesting user has permission to access the specific resource, regardless of how they obtained the reference.
Security Misconfiguration
Systems deployed with default configurations, unnecessary services enabled, overly permissive access controls, or missing security headers create exploitable weaknesses:
- Default admin credentials left unchanged
- Directory listing enabled on web servers
- Debug mode left active in production (exposing stack traces)
- Unnecessary ports open in firewall
- Overly permissive CORS configuration
Prevention: Security hardening checklists, automated configuration scanning, principle of least privilege, and regular security audits of deployed infrastructure.
The Defense-in-Depth Approach
No single control prevents all vulnerabilities. Effective security implements multiple layers: input validation catches malformed data, parameterized queries prevent injection even if validation fails, least privilege limits damage if injection succeeds, monitoring detects exploitation even if all preventive controls fail, and incident response limits impact even after successful exploitation. Each layer provides protection when other layers are bypassed.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Common Vulnerabilities.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Software Engineering topic.
Search Terms
software-engineering, software engineering, software, engineering, security, common, vulnerabilities, common vulnerabilities
Related Software Engineering Topics