Security Vulnerability Classes in Popular Programming Languages

Seasoned developers may not be surprised to hear us say that not all programming languages are inherently secure. In this article, VerSprite’s VS-Labs Research Team highlights common security vulnerabilities found across different programming languages and explains what developers should consider when choosing a language as the basis for their product. We take a close look at how security vulnerabilities can be exploited in different environments and provide insight into the limitations and trade-offs that need to be taken into account when comparing development languages. This will not only assist you in choosing what best fits your product’s needs, but also give you a clear view of the capabilities and shortcomings of each language.

Before diving into the technical aspects let’s define some key words that are going to be used often throughout this synopsis.

Inside This Article:

Glossary
Popular Programming Languages and Their Shortcomings
Python
Java
C
C++
Swift
PHP
JavaScript
Programming Language Vulnerability Classes
Injection in Python
Uncontrolled Resource Management in Java
Out-of-Bounds Read/Write in C
Private Data Structure Returned from a Public Method in C++
Relative Path Traversal in Swift
Cross-Site Request Forgery in PHP (CSRF)
Cross-Site Scripting in JavaScript (XSS)
Advice for Developers
Don’t Be Discouraged

Glossary

A vulnerability represents a weakness in a system, system security procedures or any internal implementations and controls that can be exploited by a threat source.

An exploit refers to any crafted material, whether it is a file or code block, that takes advantage of a software vulnerability or security flaw. Exploits allow attackers to remotely access systems and networks and gain elevated privileges or execute arbitrary code within the program. Exploits are often confused with malware, but they are not actually malware, rather just a method to deliver it.

Malware represents intrusive software that is designed to damage, alter, or destroy computers and computer systems. Examples of common malware include viruses, worms (malware that spreads copies of itself to other computers), ransomware (malware that uses encryption to hold a victim’s personal information for ransom), and finally Trojans (something as simple as an email that misleads victims about its true intent).

Popular Programming Languages and Their Shortcomings

Python

Python is a high-level object-oriented programming language that emphasizes code readability and ease of use. Python is a popular programming language among startups, and it is considered one of the easiest languages to learn, as it provides an extensive library of toolkits and integration with other languages such as C and C++. Python is used in a wide variety of applications, from artificial intelligence to financial services and data science. Popular social media platforms, including Instagram and Pinterest, are also built on Python.

Advantages:

  • Simple syntax
  • Portability
  • Vast libraries

Disadvantages:

  • Memory consumption
  • Speed limitation

Potential Security Risks:

With its vast libraries, Python is also more vulnerable to the misuse of import functionalities and outdated dependencies that may be left unpatched as newer versions are released. Improper safeguarding during the implementation of an import functionality can enable attackers to embed untrusted input within files that are then imported into a system. Those files can contain malicious code that can target a victim in multiple ways such as leaking sensitive files and information from their system as well as hijacking the user’s device which poses a severe security risk.

Java

Java is a class-based, object-oriented programming language designed to have as few implementation dependencies as possible. The language is mostly associated with client-server applications. An application written in Java can run on any platform that supports Java. Popular applications like Spotify and Twitter are written in Java.

Advantages:

  • Automatic garbage collection
  • Portable
  • Platform independent
  • Efficient memory allocation

Disadvantages:

  • Slower performance than other languages
  • No backup facilities
  • Outdated UI and controls

Potential Security Risks:

Java gained its infamous reputation back in 2015 when a study was published showing that it posed the most security risk to US desktops, as Oracle dedicated little to no effort to promoting new and more secure updates. While that has mostly been rectified through steady version releases, Java is still vulnerable to different types of malware injection. If this type of vulnerability is discovered and exploited by attackers, it can enable them to execute malicious commands on behalf of the victim or gain access to sensitive information. The OWASP Foundation ranks injection and its diverse forms at number 3 in its Top 10 list of security vulnerabilities. Recent developments have also brought to light a critical security threat stemming from a vulnerability found in Log4J, a Java-based logging utility. The newly discovered vulnerability allows attackers to install cryptocurrency-mining malware on affected systems and currently carries a risk score of 10 out of 10. Developers are scrambling to patch the issue and are urging users of affected platforms to install the latest patches on their devices. The vulnerability has so far surfaced across a range of network services, most notably Minecraft servers, and experts warn that many other frameworks and systems are potentially exposed.

C

C is one of the first programming languages and represents an easy foundation language for beginner programmers. C has served as the foundation for a lot of programs and modern programming languages such as Python and PHP. Microsoft Windows and various Android applications were scripted in C and Google uses C for their file system and Chromium browser.

Advantages:

  • Easy to debug, test, maintain
  • Dynamic memory allocation
  • Built-in functions

Disadvantages:

  • More complicated syntax than some modern languages
  • Not suitable for websites or mobile applications
  • Lack of exception handling

Potential Security Risks:

Due to its lack of exception handling and reliance on string functions, C is predisposed to multiple buffer overflow and string manipulation security vulnerabilities. As a buffer overflow vulnerability can result in the corruption or overwriting of the data found in an adjacent memory space, it gives attackers a wide range of control over a program’s execution or a system’s administrative permissions. Buffer overflow was classified as the most dangerous vulnerability in the CWE top 25 list in 2019 and it currently still poses a critical risk to a lot of systems.

C++

C++ is an extension of C, and it works well for multi-device and multi-platform systems. A large set of compilers and libraries are written in C++. It is used in many engineering applications and environments and has many features. However, it is a complex language and is not as beginner friendly as other languages. Mozilla Firefox and MySQL are written in C++.

Advantages:

  • Fast and powerful
  • Standard library
  • Increasingly big job market

Disadvantages:

  • No garbage collection
  • Less flexible
  • Less safe than other languages

Potential Security Risks:

C++ has an increased use of pointers and global variables, which makes it easier for memory corruption to occur. Other than buffer overflows, C++ is also prone to injection vulnerabilities. As previously mentioned, injection vulnerabilities can be exploited by attackers in multiple ways such as hijacking control over the victim’s device or leaking sensitive information, bringing a severe security risk to improper C++ implementations.

Swift


Advantages:

  • Quick development process
  • Improved performance
  • Scalability

Disadvantages:

  • Instability due to the language being new
  • Lack of backwards compatibility (developers rewrite programs for new releases)

Potential Security Risks:

Due to the language being relatively new, Swift suffers from insecure cryptography, specifically in data storage and inadequately protected APIs. The impact of insecure cryptography flaws is considerable, since encrypted information usually represents things like personal information, health records, authentication keys, etc.

PHP

PHP is used for server-side web development. It is an older language but that brings in the benefit of a well-developed ecosystem of libraries and automation mechanisms. Facebook was originally written in PHP and some of the most popular search engines including Yahoo and Wikipedia are also based on PHP. Social media site Tumblr is written in PHP as well.

Advantages:

  • Platform independent
  • Has less of a learning curve
  • Open source

Disadvantages:

  • Insecure due to ASCII text files
  • Poor quality error handling
  • Reduced job market due to popularity of other languages such as JavaScript

Potential Security Risks:

Cross-site scripting (XSS) and SQL injection are among the most commonly found security vulnerabilities in PHP. As cross-site scripting is the most common type of web application security vulnerability, it can affect a wide variety of users. Although it is seen as less harmful than SQL injection, it still poses a great risk, as attackers can use it to steal session cookies, which can contain login information, granting them access to the victim’s account. SQL injection poses a critical threat as it targets servers and databases.

JavaScript

JavaScript is currently one of the most popular languages used in front-end web development. It is used extensively for the development of browser-based content and mobile applications. There is a high demand in the job market for JavaScript developers. Popular websites and applications that are written in JavaScript include Netflix, LinkedIn, and Candy Crush.

Advantages:

  • Simplicity
  • Popularity
  • Versatility and frequent updates

Disadvantages:

  • Browser support as different browsers can interpret code differently
  • Client-side security issues

Potential Security Risks:

As JavaScript code is executed on the client side, attackers can easily find ways to exploit it for malicious purposes. Cross-site scripting and cross-site request forgery are among the most commonly found vulnerabilities in JavaScript. As previously mentioned with PHP, cross-site scripting can pose an imminent danger to the victim’s personal information. The vulnerability may also carry a higher risk factor when exploited in a JavaScript environment due to the language’s popularity and wide adoption.

Programming Language Vulnerability Classes

Injection in Python

Injection attacks occur when a threat actor supplies characters or commands that the program incorporates, in an upstream component, into a command or query that is then passed to a downstream component. From there, it can either cause errors or induce code execution. This vulnerability is mostly exhibited by programs that receive external input and use it to drive the execution of certain procedures without adequately neutralizing or verifying it. There are multiple types of injection attacks, such as LDAP, SQL, and command injection.

The simple example illustrated above is a calculator script that evaluates user input. If the user enters something such as 2 * 4 it performs as intended; however, an attacker can send in something like __import__('os').system('rm -rf /') and cause the deletion of all files and directories located in the script’s folder.

Problem Mitigation:

Problems like the example above can easily be mitigated through input validation. When designing a program, one must assume that all input is malicious and carefully regulate each instance where input is accepted. Any input that does not conform to previously established specifications must be rejected.
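An added example, written in Python and not taken from the article: the eval-based calculator pattern described above next to a hardened version that parses the input into an AST and accepts only numeric literals and arithmetic operators, so names, attribute access and calls are rejected before anything runs. The function names are my own.

```python
import ast
import operator

# Constructed example of the calculator pattern from the article.
# Vulnerable form: eval() runs arbitrary Python supplied by the user.
def calculate_unsafe(expression: str):
    return eval(expression)  # never do this with untrusted input


# Hardened form: parse into an AST and walk it, allowing only numeric
# literals and arithmetic operators. Anything else (names such as
# __import__, attribute access, calls) is rejected before it can run.
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _evaluate(node: ast.AST):
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        left, right = _evaluate(node.left), _evaluate(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > 64:
            raise ValueError("exponent too large")  # bound CPU/memory use
        return _BINARY_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_evaluate(node.operand))
    # Everything else is not part of the allowed grammar.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def calculate_safe(expression: str, max_length: int = 200):
    # Reject oversized input before parsing; mode="eval" accepts a single
    # expression only, so statements (imports, assignments) never parse.
    if len(expression) > max_length:
        raise ValueError("expression too long")
    tree = ast.parse(expression, mode="eval")
    return _evaluate(tree.body)


def is_rejected(expression: str) -> bool:
    """True if the safe evaluator refuses the input (syntax or policy)."""
    try:
        calculate_safe(expression)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print(calculate_safe("2 * 4"))                   # 8
    print(is_rejected("__import__('os').getcwd()"))  # True
```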

Uncontrolled Resource Management in Java

Resource management is extremely important during the development process, as systems only have a finite amount available for a multitude of processes. This vulnerability, CWE-400, occurs when the software does not adequately control the allocation and maintenance of a limited resource, enabling attackers to influence the usage of the resource which can lead to a denial of service.

The example above illustrates the creation of a server socket and client connection to the socket. As the program does not attempt to limit the creation of client connections to the socket, it can potentially overwhelm the system resources, causing a denial of service.

Problem Mitigation:

The primary safeguard against this type of vulnerability is to place explicit limits on the program’s protocols. In case of an attempted attack, throttling mechanisms (limiting the number of resources that an unauthorized user can cause to be expended) can also be implemented to further protect system resource usage. If failures occur during resource allocation, the system should fall back to a safe operating mode.
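An added example, written in Python rather than the article’s Java, of the throttling described above: a threaded TCP server that caps the number of simultaneously open client connections, answers any connection beyond the cap with BUSY and closes it, and drops idle clients after a timeout so slots cannot be pinned. The class and function names, the reply strings and the limits are my own constructions.

```python
import socket
import socketserver
import threading

# Constructed example: a server whose accept path enforces a connection cap
# with a bounded semaphore instead of spawning a handler for every client.
class LimitedHandler(socketserver.BaseRequestHandler):
    def handle(self):
        server = self.server
        # Take a slot without blocking; refuse if the cap is already reached.
        if not server.slots.acquire(blocking=False):
            self.request.sendall(b"BUSY\n")
            return
        try:
            self.request.sendall(b"OK\n")
            # Hold the slot only while the client stays connected; an idle
            # client is dropped after idle_timeout so slots are always freed.
            self.request.settimeout(server.idle_timeout)
            try:
                self.request.recv(1)
            except (socket.timeout, ConnectionError):
                pass
        finally:
            server.slots.release()


class LimitedServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, max_connections, idle_timeout=5.0):
        super().__init__(address, LimitedHandler)
        self.slots = threading.BoundedSemaphore(max_connections)
        self.idle_timeout = idle_timeout


def run_demo(max_connections=2, extra_clients=2):
    """Open max_connections + extra_clients clients against a server with
    the given cap and return the greeting each client received, in order."""
    server = LimitedServer(("127.0.0.1", 0), max_connections)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    clients, replies = [], []
    try:
        for _ in range(max_connections + extra_clients):
            client = socket.create_connection(("127.0.0.1", port), timeout=5)
            clients.append(client)  # keep it open so it holds its slot
            replies.append(client.recv(16).strip().decode())
    finally:
        for client in clients:
            client.close()
        server.shutdown()
        server.server_close()
    return replies


if __name__ == "__main__":
    print(run_demo())  # ['OK', 'OK', 'BUSY', 'BUSY']
```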

Out-of-Bounds Read/Write in C

The two most severe vulnerability classes in C stem from its ability to read and write data past the allocated buffer of the variable/object that a program is handling. These vulnerabilities are most often encountered in languages like C and C++, which leave memory management to the programmer. The possible consequences are leaking sensitive information allocated on the stack or modifying it, which can result in denial of service or arbitrary code execution.

The example on the left side (above) demonstrates an out-of-bounds read by printing past the array allocation on the stack and displaying other variables further up the stack. On the right side, data past the array bounds is overwritten with the specified character. You can see the modified values of the stack variables in the output window.

Problem Mitigation:

To prevent this, adequately check buffer boundaries and truncate input strings. Additionally, you can also use different languages that perform their own memory management such as Java and C#. VerSprite’s VS-Labs recently uncovered an Out of Bounds zero-day in Opto 22’s Basic PAC Software. Read more about our responsible disclosure and see how we discovered the vulnerability in our zero-day report.

Private Data Structure Returned from a Public Method in C++

This vulnerability, CWE-495, occurs when the program contains a public method that returns a REFERENCE to a private data structure. This gives an attacker the opportunity to modify the content of the data structure from outside the scope.

While it seems like a beginner mistake, sometimes it is easy to forget to properly manage variables throughout the program, especially in simpler functions within complex systems. In the example image above, the class returns non-constant references to private members which can be altered from outside of the control of the class.

Problem Mitigation:

There are a few ways to ensure your program is safe from this vulnerability:

  • Make the method declaration private.
  • Clone member data and keep the unmodified version private.
  • Use getter and setter methods to manage the modification of a private member.

Relative Path Traversal in Swift

This vulnerability, CWE-23, is enabled when the software uses external input to resolve a pathname that should be within a specified restricted directory but does not take any precautions towards neutralizing certain sequences that can resolve to locations outside of the specified directory.

The example above resembles the structure adopted by a social media application in which users’ profiles are stored in separate files within the same directory. The code segment lacks adequate verification of the user parameter; therefore, an attacker could send in something like ../../etc/passwd, which would allow them to read the text of the password file of a specific user.

Problem Mitigation:

Input validation is by far the best way to counter this vulnerability. Programmers can define a list of acceptable inputs that conform to specifications, depending on the intended use of the function or program.

Cross-Site Request Forgery in PHP (CSRF)

This vulnerability refers to CWE-352. Cross-Site Request Forgery in PHP occurs in web servers that are meant to receive a request from a client, but the web server does not adequately verify whether the request is well-formed, valid, consistent, or that it was intentionally sent by an authorized user. This enables attackers to trick the client into making an unintentional request to the web server, which will be treated as authentic. It can come in the form of a URL, an image load, etc.

This segment of code may seem protected through the valid session checking element inside of it, but attackers can still stage a CSRF attack through an innocent looking web page. The form used to create the front end of the web page contains hidden fields that users will not notice. The code will automatically execute when the victim loads the web page, enabling the attacker to gain access to the user’s emails in this case, or any other sensitive information a web server may handle.

Problem Mitigation:

Programmers can use a vetted library or framework to prevent this. Programmers should avoid using GET methods for requests that trigger changes. Cookies can also help: generate a token for the authorized user, store one copy in a cookie and one in a hidden form value of the request, and make sure the two match when a POST request is sent.
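An added example, written in Python rather than the article’s PHP, of the cookie-and-form-value check described above (the double-submit pattern): the token is issued per session, embedded in a hidden form field, and the state-changing endpoint accepts only a POST whose form copy matches the cookie copy. The Request class, endpoint name and response strings are my own constructions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: minimal request model for a mail-reading endpoint.
@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token() -> str:
    return secrets.token_urlsafe(32)   # unguessable, one per session


def render_form(token: str) -> str:
    # The token rides in a hidden field; a forged form on another site
    # cannot fill it in because it cannot read the victim's cookie.
    return ('<form method="post" action="/mail/read">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<button>Read mail</button></form>')


def csrf_check(req: Request) -> bool:
    if req.method != "POST":
        return False   # the state-changing action is not reachable via GET
    cookie_token = req.cookies.get("csrf_token", "")
    form_token = req.form.get("csrf_token", "")
    if not cookie_token or not form_token:
        return False
    # constant-time comparison so response timing does not leak the token
    return hmac.compare_digest(cookie_token, form_token)


def handle_read_mail(req: Request, session_ok: bool) -> str:
    """A valid session is necessary but, as the article notes, not sufficient."""
    if not session_ok:
        return "401 not logged in"
    if not csrf_check(req):
        return "403 csrf check failed"
    return "200 mailbox contents"


def demo():
    token = issue_csrf_token()
    legit = Request("POST", {"csrf_token": token}, {"csrf_token": token})
    # Forged request: the browser attaches the victim's cookie automatically,
    # but the attacker's page does not know the token to put in the form.
    forged = Request("POST", {"csrf_token": token}, {"csrf_token": "guess"})
    via_get = Request("GET", {"csrf_token": token}, {})
    return (handle_read_mail(legit, True),
            handle_read_mail(forged, True),
            handle_read_mail(via_get, True))


if __name__ == "__main__":
    print(demo())  # ('200 mailbox contents', '403 csrf check failed', '403 csrf check failed')
```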

Cross-Site Scripting in JavaScript (XSS)

More information on Cross-Site Scripting in JavaScript can be found by referencing CWE-79. XSS occurs when untrusted data enters a web application through a request and the application generates a web page containing the malicious data. During this generation, the program does not prevent the creation of content that is executable by a web browser; a victim then visits the generated page and the victim’s browser executes the malicious script.

There are three types of Cross-Site Scripting:

  1. Reflected: Attacker supplies victim with malicious content (usually a URL) through a vulnerable web application which is then reflected into the user’s web application. This sits at the base of most phishing schemes.
  2. Stored: Web application stores malicious content into a database which is then converted into dynamic content when read back into the application.
  3. DOM-based: Involves sending a trusted script to the client that processes user-defined data and then injects it back into the web page.

The example above represents a simple implementation of Stored XSS, where the code segment queries a database for an employee and prints the employee’s name based on a given ID.

Problem Mitigation:

As always, programmers can use a vetted library or framework that prevents this weakness from occurring or provides constructs that aid in avoiding the vulnerability. Programmers should also have a clear understanding of the data that will be used within the system and apply adequate encoding measures. Always keep track of the potential points where untrusted input can enter the system. Input validation techniques can also be applied in the context of this vulnerability.
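An added example, written in Python rather than the article’s JavaScript, of the stored-XSS case above: an employee name read back from a (constructed) database is rendered once by raw concatenation and once with output encoding chosen per context, since the encoding that is adequate for an HTML text node is not the one needed inside an attribute, a URL parameter or a script block. The employee records, function names and markup are my own.

```python
import html
import json
from urllib.parse import quote

# Constructed "database": record 2 carries script markup as an attacker
# might store it; record 3 carries quote characters that also need care.
EMPLOYEES = {
    1: "Alice Example",
    2: "<script>alert('stored')</script>",
    3: 'Bob "Bobby" O\'Neil',
}


def lookup(employee_id: int) -> str:
    return EMPLOYEES.get(employee_id, "unknown")


def render_unsafe(employee_id: int) -> str:
    # Vulnerable form: raw concatenation; stored markup becomes live script.
    return f"<p>Employee: {lookup(employee_id)}</p>"


def render_safe(employee_id: int) -> str:
    # Hardened form: encode the same value separately for each output context.
    name = lookup(employee_id)
    text = html.escape(name, quote=False)   # HTML text node
    attr = html.escape(name, quote=True)    # quoted attribute value
    url = quote(name, safe="")              # URL query component
    # JS string literal inside <script>: JSON-encode, then escape the
    # characters that could otherwise terminate the script element.
    js = (json.dumps(name).replace("<", "\\u003c")
                          .replace(">", "\\u003e")
                          .replace("&", "\\u0026"))
    return (
        f"<p>Employee: {text}</p>\n"
        f'<a href="/employees?name={url}" title="{attr}">profile</a>\n'
        f"<script>var employeeName = {js};</script>"
    )


def contains_live_script(markup: str) -> bool:
    """Demonstration check only: is the stored script element present verbatim?"""
    return "<script>alert" in markup


if __name__ == "__main__":
    print(render_unsafe(2))   # script tag is emitted as-is
    print(render_safe(2))     # script tag is neutralised in every context
```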

Advice for Developers

While vulnerability classes might seem like deal breakers for using certain languages, do not let yourself get discouraged from using them in your development. Remember that while there is always a possibility of an attacker attempting to exploit your product, thorough research and time invested in protective measures can mitigate most if not all attacks.

Here are a few steps that you can follow to ensure the safe development process and usage of your product:

  1. Choose the language that best fits your product.

    When choosing a programming language, always keep in mind its ability to accomplish the needs and procedures of your intended product. Make sure you choose a language that shows continuous improvement and new releases, as updating to the newest versions ensures the best maintenance and security measures.

  2. Be flexible towards future developments in the field

    The programming field is ever-changing, therefore develop back-up plans and be open to using different languages for your product, as languages come and go all the time. Remember, throughout history there have been countless popular languages that are barely or not even used in today’s new developments.

  3. Research your language’s weaknesses.

    Knowing the vulnerabilities your language is exposed to is the most important measure you can take in combating attackers, as you can devise a strategy and design your program’s architecture in a way that does not allow those weaknesses.

  4. Implement security measures in compliance with official programming protocols.

    Most companies have an official protocol on how their development process takes place. Adhere to your company’s rules and go through the appropriate means of developing a project such as peer review and security testing.

  5. Test your product and try to find ways to break into it.

    You can either try to exploit the product yourself or hire a company that can identify security vulnerabilities that the program might exhibit.

Don’t Be Discouraged

Vulnerability classes are extremely diverse and can be overwhelming to keep track of during the development process. Make sure you set aside an adequate amount of time for research and experimentation, as exploits can take different forms across structurally different programming languages. Always keep in mind that there is a multitude of well-documented resources online, such as MITRE’s CWE, the OWASP Foundation’s studies, and many others, at your disposal to help you make educated decisions and implement safety protocols. For companies that want to inject security into every step of the development process, you can contact our security consultants to help your team choose the best language and map security checkpoints along the way.

VerSprite Security Research Team

Maintain awareness regarding unknown threats to your products, technologies, and enterprise networks. Organizations that are willing to take the next step in proactively securing their flagship product or environment can leverage our zero-day vulnerability research offering. Our subscription-based capability provides your organization with immediate access to zero-day vulnerabilities affecting products and software.

View our security advisories detailing vulnerabilities found in major products for MacOs, Windows, Android, and iOS.