defects you only see when the app is running

Runtime & Integration Flaws (DAST)

Dynamic testing exercises the running system from the perimeter and surfaces defects such as reflected XSS, crashes under malformed input, and security misconfiguration. These defects are invisible to a static read of any single function -- you have to run the thing to see them.

DAST pokes the live app from outside; these bugs hide in behavior, not source.

In the wild

Reflected XSS

User input echoed into HTML unescaped runs as script -- a dynamic scan watches the alert fire.

example.js
const express = require("express");
const app = express();

// SMELL: user input echoed into HTML unescaped
app.get("/hi", (req, res) =>
  res.send(`<h1>Hello ${req.query.name}</h1>`));   // name = <script>...

// RIGHT: escape on output (or use an auto-escaping template engine)
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
app.get("/hi", (req, res) =>
  res.send(`<h1>Hello ${escapeHtml(req.query.name)}</h1>`));

A dynamic scan submits <script> and watches it execute -- a defect invisible in a static read of one function. Escape untrusted data on output.

// observed
raw:     <script>alert(1)</script> runs
escaped: shown as literal text

Crash Under Malformed Input -> DoS

An unbounded, unvalidated parameter is a denial-of-service waiting to be fuzzed.

example.py
from flask import Flask, request, abort
app = Flask(__name__)
def fib(n):                        # iterative: cost grows with n
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a

# SMELL: unhandled parse + unbounded work takes the worker down
@app.post("/calc")
def calc():
    n = int(request.form["n"])     # "abc" -> ValueError -> 500, repeatable
    return str(fib(n))             # n = 10_000_000 -> CPU exhaustion

# RIGHT: validate and bound before doing work
@app.post("/calc")
def calc_bounded():
    n = request.form.get("n", "")
    if not n.isdigit() or int(n) > 1000:
        abort(400)
    return str(fib(int(n)))

DAST fuzzes the endpoint and finds inputs that crash or hang it. Validate and bound every parameter -- software that crashes becomes a Denial of Service.

// observed
naive:   'abc' -> 500; huge n -> hung worker
bounded: a clean 400, work stays cheap
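To make the "you have to run it" point concrete, here is an added example (not the page's code) that models the /hi and /calc handlers above as plain functions and probes them the way a dynamic scan does: malformed forms checked against a time budget for the crash-and-hang case, and a harmless HTML canary for the reflection case. The function names, the probe inputs and the budget are this example's own assumptions.

```python
import html
import time

# Added example, not the page's code: the page's /hi and /calc handlers modelled
# as plain functions, and a probe that exercises them the way a DAST scan would.

def fib(n):                                 # iterative, so cost grows with n
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a

def calc_naive(form):                       # SMELL: unvalidated, unbounded
    return 200, str(fib(int(form["n"])))

def calc_bounded(form):                     # RIGHT: validate and bound first
    n = form.get("n", "")
    if not n.isdigit() or int(n) > 1000:
        return 400, "bad n"
    return 200, str(fib(int(n)))

def hi_naive(query):                        # SMELL: echoed into HTML unescaped
    return 200, f"<h1>Hello {query.get('name', '')}</h1>"

def hi_escaped(query):                      # RIGHT: escape on output
    return 200, f"<h1>Hello {html.escape(query.get('name', ''))}</h1>"

# Constructed probe inputs: malformed forms, plus a harmless HTML canary.
MALFORMED = [{"n": "abc"}, {}, {"n": "-5"}, {"n": "300000"}, {"n": "7"}]
CANARY = "<b>dast-canary</b>"

def probe_robustness(handler, inputs=MALFORMED, budget_s=0.05):
    """Report inputs that raise (a 500 in a real server) or exceed the time budget."""
    findings = []
    for form in inputs:
        start = time.perf_counter()
        try:
            status, _ = handler(form)
        except Exception:                   # uncaught -> framework returns 500
            status = 500
        if status >= 500:
            findings.append(("crash", form))
        elif time.perf_counter() - start > budget_s:
            findings.append(("slow", form))
    return findings

def probe_reflection(handler):
    """True if the canary comes back verbatim, i.e. its markup would render."""
    _, body = handler({"name": CANARY})
    return CANARY in body
```

Against the naive handlers the probe reports two crashes, one slow response and an unescaped reflection; against the bounded and escaped ones it reports nothing, which is exactly the difference a scanner sees from outside.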

Security Misconfiguration

Verbose errors and permissive defaults shipped to production are exposures a scanner finds at the perimeter.

example.js
const express = require("express"), cors = require("cors"), errorhandler = require("errorhandler");
const app = express();
const PROD = process.env.NODE_ENV === "production";

// SMELL: debug errors and wildcard CORS shipped to production
app.use(errorhandler());              // leaks stack traces to clients
app.use(cors({ origin: "*" }));       // any site can call your API

// RIGHT: prod-safe errors; lock the origin
const genericErrorPage = () => (err, req, res, next) =>   // 4-arity = error middleware
  res.status(500).send("Something went wrong");           // no stack trace in the response
if (PROD) app.use(genericErrorPage());
app.use(cors({ origin: ["https://app.example.com"] }));

Misconfiguration is what DAST catches at the perimeter: verbose errors leak internals and wildcard CORS invites abuse. Ship hardened defaults.

// observed
open:   stack traces + any-origin requests
locked: generic errors, allowlisted origins
example.tf
# SMELL: a storage bucket left open to the world
resource "aws_s3_bucket_acl" "data" {
  bucket = aws_s3_bucket.data.id  # the bucket resource is declared elsewhere
  acl    = "public-read"          # anyone can list and read objects
}

# RIGHT: private by default; grant access explicitly
resource "aws_s3_bucket_acl" "data" {
  bucket = aws_s3_bucket.data.id
  acl    = "private"
}

Infrastructure misconfiguration is the same defect at the cloud layer -- a public bucket is a runtime exposure a config scan or DAST will flag.

// observed
public-read: objects exposed to the internet
private:     access only via explicit grants
Mapped weaknesses (CWE)

On its own, this defect is catalogued by MITRE as one or more of these weaknesses. The exploitable vulnerability usually appears only when it chains or combines with another.