
About software vulnerabilities

A software vulnerability is a programming error that allows an attacker to gain unauthorized access. The way an attacker uses a software vulnerability is known as an exploit. Some vulnerabilities are easy to exploit. Others require knowledge about how computers process instructions. Sometimes an attacker will create a script or a set of instructions about how to exploit a vulnerability. When this information becomes widely known, less experienced attackers can exploit the vulnerability. These less experienced attackers are called script kiddies.

The most common cause of a software vulnerability is lack of data validation. All data that is input to a program should be validated to ensure that it does not contain code that performs a malicious task.

A common vulnerability is one that allows a command-line injection attack. In a command-line injection attack, an attacker identifies an input vector that allows operating system commands to run. An input vector includes a place in the program where input is required and not validated, as well as the way the input must be formed to exploit the code. After the attacker identifies the input vector, he constructs the payload. The payload is the command that does damage. In the case of a command-line vulnerability, that damage might be viewing a confidential file, downloading a confidential file, or even formatting the computer's hard disk, thus destroying all data.

Another common exploit is the SQL injection attack. A SQL injection attack is similar to a command-line injection attack, except that it uses a dynamically constructed SQL query to cause the database management system to execute malicious code.

Both of these exploits can be prevented if programmers validate all input that might be able to gain access to either the operating system shell or a database management system. However, input validation is not easy. There are two ways to validate input. The best way is to verify that all input meets specifications. For example, it must be within a specific length, include only a certain range of characters, and not contain any code. Another way is to check the input for malformed input used in known attack patterns, such as the apostrophe, which is used to make a database server ignore any characters that follow it. Relying solely on checking for known attack patterns is dangerous because new exploits are crafted all the time.

The challenge for a software developer is to think like an attacker. Identify the places in the code that present the highest risk, then line up your defenses to protect them. Validate all data that flows into those parts of the code. Set strict requirements on acceptable input. Trust no one who can enter through those defenses. Even a seemingly innocent user can carry a fatal payload.
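The two validation approaches described above, applied to the SQL case, as an added example that is not part of the original article. The username specification, the denylist, the table and the sample inputs are all constructed for illustration, and the hardened lookup also binds the value as a query parameter, a technique the article does not mention.

```python
import re
import sqlite3

# Constructed specification: 3-20 characters, letters, digits, underscore only.
USERNAME_SPEC = re.compile(r"[A-Za-z0-9_]{3,20}")
# Constructed denylist of known attack patterns; incomplete by nature.
KNOWN_BAD = ("'", ";", "--")

def meets_spec(value):
    """Allowlist check: accept only input that matches the specification."""
    return isinstance(value, str) and USERNAME_SPEC.fullmatch(value) is not None

def passes_denylist(value):
    """Denylist check: reject only input containing a listed pattern."""
    return not any(pattern in value for pattern in KNOWN_BAD)

def make_db():
    """In-memory database with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return db

def lookup_dynamic(db, name):
    """Vulnerable form: the input is pasted into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, name):
    """Hardened form: validate against the spec, then bind as a parameter."""
    if not meets_spec(name):
        raise ValueError("input does not meet specification")
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, one with apostrophes, and one with a
    # character that is outside the spec but not on the denylist.
    for candidate in ["alice", "x' OR '1'='1", "alice|bob"]:
        print(repr(candidate), "spec:", meets_spec(candidate),
              "denylist:", passes_denylist(candidate))
    print(lookup_dynamic(db, "x' OR '1'='1"))  # every row comes back
    print(lookup_bound(db, "alice"))
```

The third sample input passes the denylist but fails the specification, which is the gap the article warns about when relying only on known attack patterns.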

Author: Rachelle Reese

