The correct answer is A. Design Flaws because the weaknesses originate from fundamental development-time decisions in how the application was architected—specifically (1) selecting or creating a weak custom encryption algorithm and (2) implementing session validation in a way that allows requests to bypass access controls. In CEH-aligned vulnerability classification, design flaws are problems embedded in the application’s design and logic, not merely bugs from implementation mistakes, misconfiguration of a server setting, or missing vendor patches. They are often systemic: even if the code is “working as intended,” the intent itself is insecure.
The prompt explicitly states the issues are “traced back to flawed system logic and poor encryption design decisions made during the development phase.” That description maps directly to design flaws: using “homegrown crypto” instead of vetted cryptographic primitives and protocols is a classic design error because it typically lacks proper peer review, threat modeling, and proven resistance to cryptanalysis. Likewise, session validation that permits bypassing access controls indicates the application’s authorization/session model was designed incorrectly (for example, trusting client-side state, failing to enforce server-side checks consistently, or allowing unauthenticated endpoints to access privileged operations).
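As an added illustration (not part of the original explanation), the following Python contrasts a session design that decides authorization from client-held state, checked on only some routes, with a redesign that resolves the role server-side and applies one central check to every privileged route; the user names, roles and route paths are constructed for the example.

```python
import json
import secrets

# Constructed sample user store for the example (username -> role).
USERS = {"alice": "user", "bob": "admin"}

# --- Flawed design: the role lives in client-held session state ---------------
def flawed_login(username):
    # Session is a readable JSON blob returned to the client, role included.
    return json.dumps({"user": username, "role": USERS[username]})

def flawed_is_allowed(client_session, path):
    session = json.loads(client_session)       # trusts whatever the client presents
    if path.startswith("/admin"):
        return session.get("role") == "admin"  # role claim comes from the client
    return True                                # every other path is unchecked

# --- Redesign: opaque server-side session, one central authorization check ---
SESSIONS = {}                                  # session id -> username (server only)
PRIVILEGED = {"/admin/users", "/admin/export", "/internal/report"}

def login(username):
    sid = secrets.token_urlsafe(32)            # unguessable handle, carries no claims
    SESSIONS[sid] = username
    return sid

def is_allowed(sid, path):
    username = SESSIONS.get(sid)
    if username is None:
        return False                           # unknown or forged id: deny everything
    if path in PRIVILEGED:
        return USERS[username] == "admin"      # role resolved server-side
    return True

def compare_designs():
    """Exercise both designs on the same cases; returns the outcomes for review."""
    edited = json.dumps({"user": "alice", "role": "admin"})   # client-edited state
    return {
        "flawed_accepts_edited_role": flawed_is_allowed(edited, "/admin/users"),
        "flawed_skips_internal_path": flawed_is_allowed(flawed_login("alice"), "/internal/report"),
        "redesign_rejects_user_on_admin": not is_allowed(login("alice"), "/admin/users"),
        "redesign_covers_internal_path": not is_allowed(login("alice"), "/internal/report"),
        "redesign_rejects_forged_id": not is_allowed("not-a-real-session", "/profile"),
        "redesign_allows_admin": is_allowed(login("bob"), "/admin/users"),
    }
```

Every entry returned by `compare_designs()` is `True`, which is the point of the classification: the flawed version behaves exactly as written, so the problem is the design, not a coding slip.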
Why the other options are less accurate: "Application flaws" is a broad label that can include coding bugs, but the question asks for the best category given that the root cause is architectural decisions rather than a narrow coding mistake. Misconfigurations/weak configurations usually refer to insecure settings in deployment (default credentials, permissive headers, weak TLS configuration), not a custom crypto algorithm and flawed session logic baked into the application. Poor patch management concerns failing to update known vulnerable components; here, the weakness is custom logic, not an unpatched third-party vulnerability.
Therefore, the most accurate category for these development-phase encryption and session/authorization weaknesses is Design Flaws.