In this tutorial, we take a look at the potential impacts of different types of programming errors that could lead to vulnerabilities in the application.
A vulnerability is a weakness that can be exploited by a cyber attack to gain unauthorized access to software or a computer system. It’s important to know the potential impact of each vulnerability that might be found in a program. Many vulnerabilities can come as a result of poor programming. One pretty intense example of a computer bug that actually turned deadly is the story of the Therac-25. The Therac-25 was a radiation therapy machine manufactured in the 1980s. There was a malfunction error which turned out to be a programming error made in development. It ended up being a severely important one which caused the machine to administer massive overdoses of radiation. This error caused four deaths before the manufacturers figured out what was going on.
Integer overflow is an example of a programming error that can be easily exploited. This is actually part of what happened with Therac-25. Integer overflow takes advantage of that the fact that programming languages can be limited by the numerical values they can understand or interpret. Although the number system as we know it is infinite, there is a finite number of storage values which means that the number system is limited by a storage constraint. This leaves room for error and unexpected results if a user attempts a number that is higher than the maximum or lower than the minimum. When this happens, depending on the programming language used, the value can be “rolled over” to either a 0, or some unexpected value like infinity. As you can imagine, this can result in logic errors within the program. In the Therac-25 program, there was an overflow problem that occasionally set a value of a number to 0 which resulted in certain safety measures being bypassed.
Exercise 1: Integer Overflow
In JavaScript, there is a maximum and a minimum value that can be stored. The variables used for these are MAX_VALUE
and MIN_VALUE
.
In the activity below, the use of the maximum value is demonstrated. Click on Run Code. What happens in the second line that is printed? What is returned?
Add to the program to include and print the minimum value. What happens if you try to print a value that is below the minimum value?
Another flaw that can be a result of poor programming is how error cases are handled. Programs should include useful debugging information so that users can trace the cause of the error. If the error message is too vague, the user might not know how to fix the problem. However, programmers also don’t want to share overly detailed debugging information with the outside world. The image below is a result of a SQL injection. If precautions aren’t made during programming, SQL injection can occur by just adding an extra character in the web address bar or an input field. The image shows the error page that is displayed that offers up way too much information. Attackers could gain access to databases, filenames, file paths, and more.
Programmers are responsible for input handling as they build and develop a website or program. Input handling is deciding what responses will result from what the user inputs into the program or website. It is connected to error messages and more. Improper input handling creates a large number of vulnerabilities that can lead to SQL injection and other attacks.
To avoid this, it is important for the programmer to write the program such that the form and type of data that is accepted is validated by the application. For example, if a number is expected to be inputted, then the form should not accept anything but a number.
Exercise 2: Input Handling
Click on the Run Code button and test out the following:
1. What happens if you enter a test score of 110?
2. What happens if you enter a test score of -5?
3. What should happen?
4. How could this be a vulnerability?
Advanced: Change the program to properly validate the input. The answer is hidden at the bottom of the code editor.
Exercise 3: Input Validation
Click on the Run Code button and test out the following:
1. What happens if you enter an age of 110?
2. What happens if you enter an age of -5?
3. What happens if you enter your name instead of an age?
4. What variables should be validated? Describe what you should check for.
5. Could integer overflow occur for the variable total?
Advanced: Change the program to properly validate the input. The answer is hidden at the bottom of the code editor.