Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

A Taxonomy of Software Flaws

[SAMATE Home | IntrO TO SAMATE | SARD | SATE | Bugs Framework | Publications | Tool Survey | Resources]

Classes of Software Security Flaws and Vulnerabilities: 

  • Including vulnerabilities in server applications and client applications, e.g. UNIX programs (sendmail, BIND, etc), server-type program (ftp, http, irc, finger, etc.), mail clients (MS Outlook, Netscape mail, etc.), COTS, etc. 
  • Not including vulnerabilities related to network, computer system environment, configuration, system design, system access validation, etc. 
  • Each class of vulnerability may have a collection of subclasses. Each subclass is a variation of the class. The whole collection of subclass does not intend to fully represent that class. 
  • Each attack may exhibit any combination of the vulnerability classes and/or subclasses.

Input Validation Error: Input passed to an application is not properly validated such that vulnerability can be exploited by a certain input sequence.

  • Boundary Overflow: Input exceeds an assumed boundary thereby causing vulnerability. For example, the application may run out of memory, a variable might reach its maximum value and roll over to its minimum value, etc.
  • Buffer Overflow: A special case of Boundary Overflow, where the bounds checking on the size of input being stored in a buffer array is not performed or in error. This type of vulnerability comes with different flavors, include:
    • Upper/Lower Bound: Upper or lower bound is violated.
    • Data Type: Buffer of all data types (character, integer, floating point, wide character, pointer, unsigned character, and unsigned integer) may be overflowed. The attacker may use different technique for different data type to exploit the buffer overflow vulnerability.
    • Memory Location: Buffer may reside in different locations (stack, heap, data region, BSS, shared memory, etc.). The attacker may use different technique for different memory location to exploit the buffer overflow vulnerability.
  • Malformed Input: Input passed to a procedure call in an application is not properly checked such that vulnerability can be exploited by a certain input sequence.
  • Tainted Input to Call-Out Resources
    • Command Injection: Input passed to a command isn't properly sanitized before being used in a command execution call such as system (), exec() or popen(). This can be exploited to inject arbitrary shell commands.
    • SQL Injection: Input passed to SQL query of an application, mostly found within webpages with dynamic content, isn't properly sanitized before being used. This can be exploited to cause computer security breach.
  • Format String: Hostile input passed as the format string for a variable arguments routine such as printf, the attacker can write arbitrary values to memory. The %n directive is particularly susceptible to attack.
  • Cross-Site Scripting: A web site may inadvertently include malicious HTML tags or script in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user. 
  • Directory Traversal: Directory traversal is an exploit that performs malicious activities such as accessing restricted directories, executing commands and viewing data outside the normal server directory where the application content is stored. Commonly, this vulnerability occurs when the web server software fails to validate input received from browsers.

Exceptional Condition Handling Error: The handling (or mishandling) of the exception by the application enables a vulnerability.

Symlink Problem: When temporary file being created insecurely, it can be exploited via symlink attacks to create and overwrite arbitrary files with the privileges of the user running the affected script.

Insecure Access Control Application level: Access control mechanism is faulty; bad permission.

  • Privilege Escalations: Unauthorized users gain escalated privileges.
  • Improper Database Access: Database server improperly sets the access control for its clients. The client might be able to run arbitrary code on the server.

Cryptographic Error Application level: Cryptographic service is faulty.

Random Number: A random number vulnerability occurs when a program uses a method of generating random numbers is predictable, e.g. rand(), random().

Race Conditions: A race condition occurs when multiple processes access and manipulate the same data concurrently, and the outcome of the execution depends on the particular order in which the access takes place. A race condition is of interest to a hacker when the race condition can be utilized to gain privileged system access.

Memory Leak: A flaw in a program that prevents it from freeing up memory that it no longer needs. As a result, the program grabs more and more memory until it finally crashes because there is no more memory left.

Null Pointer Dereference: Under some circumstances, a null pointer may be dereferenced during a memory allocation.

Backdoor/Input Sensitivity: Some specific input triggers malicious code.

Other: It is estimated that approximately 21% of CVE vulnerability entries are not classified.

Created March 30, 2021, Updated May 17, 2021