Five Programming Languages That Carry Hidden Exploitable Flaws Exposing Apps to Attacks
Is it always bad coders who introduce security issues, or can the programming languages themselves expose apps to attack? According to one researcher, even the languages have inherent flaws that put the applications they parse at security risk.
This means that even if an application has been securely developed, it may still carry unidentified vulnerabilities inherited from the underlying programming language. Since many of these are well-known flaws, attackers can potentially target them (in the programming language) to modify an app's behavior or target its users.
"This means applications are only as secure as the programming languages parsing the code."
In Ruby, for example, the open() function is typically used to request URLs with the open-uri library. However, it can also be used to execute operating system commands remotely with weak input validation and a pipe.
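The Ruby case above can be closed off at the call site by validating the target and never handing untrusted input to `open()`. The following is an added example, not code from the article or from the researcher; the names `ALLOWED_SCHEMES`, `UnsafeTargetError`, `validate_fetch_target`, `safe_target?` and `fetch_body` are hypothetical, and the allowlist is a constructed policy.

```ruby
require "uri"
require "net/http"

# Constructed policy for this example: only web URLs are acceptable targets.
ALLOWED_SCHEMES = %w[http https].freeze

class UnsafeTargetError < StandardError; end

# Validate untrusted input before it is used as a fetch target.
# Returns a parsed URI on success, raises UnsafeTargetError otherwise.
def validate_fetch_target(input)
  raise UnsafeTargetError, "not a string" unless input.is_a?(String)

  candidate = input.strip
  # Kernel#open treats a string starting with "|" as a subprocess to run,
  # so reject it explicitly instead of relying on URL parsing to fail.
  raise UnsafeTargetError, "pipe prefix" if candidate.start_with?("|")

  begin
    uri = URI.parse(candidate)
  rescue URI::InvalidURIError
    raise UnsafeTargetError, "unparseable URL"
  end

  scheme_ok = ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
  host_ok = uri.host && !uri.host.empty?
  raise UnsafeTargetError, "scheme or host not allowed" unless scheme_ok && host_ok

  uri
end

# Boolean wrapper for callers that only need a yes/no answer.
def safe_target?(input)
  validate_fetch_target(input)
  true
rescue UnsafeTargetError
  false
end

# Fetch through Net::HTTP, which only speaks HTTP(S): it has no code path
# that opens local files or spawns a process, unlike Kernel#open.
def fetch_body(input)
  uri = validate_fetch_target(input)
  Net::HTTP.get_response(uri).body
end
```
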
In the case of Python, Arnaboldi said the programming language has "undocumented methods and local environment variables that can be used for OS command execution." In PHP, certain functions can be passed a constant's name to execute remote commands; Node.js could leak file contents through the error messages it outputs, and so on.
"The vulnerabilities ultimately impact regular applications parsed by the affected interpreters; however, the fixes should be applied to the interpreters," Arnaboldi said. "Software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee," he added. "Some of these behaviors pose a security risk to applications that were securely developed according to guidelines."