How programming languages can hurt your application’s security


The attacker can accomplish this by “tainting” the log file: a GET request carrying a parameter value of <%= `ls` %> is written to the log verbatim, expression and all. Using the vulnerability to read the log file, which is then rendered as a template, turns that logged text into code and results in arbitrary command execution on the system—in this case the command ls.

A full and excellent description is at NVisium’s blog.

A similar risk exists in Ruby itself, as discovered last year by Brett Buerhaus. On AirBnB’s site, he found a vulnerability due to Ruby’s ability to do string interpolation. In Ruby, string interpolation works like this:

name = "Ada"
puts "Hello, #{name}!"

Thus, anything within #{} is evaluated as Ruby code, including %x, Ruby's literal for running a command in a subshell (the same thing backticks do). Hence "#{%x[ls]}" will execute ls on the machine, and tricking the server into interpreting that string as Ruby will result in a successful compromise. Note that interpolation happens only when Ruby parses a string literal: a runtime string that merely contains #{...} is inert until something passes it to eval or a template engine, and that is the step the attacker needs the server to take.

In this case, AirBnB's code interpreted the values handed to it via JSON. A full description can be found here and illustrates how a native convenience feature of a language can have dramatic consequences when it meets untrusted data. Such flaws are especially pernicious in highly dynamic languages such as Ruby, which are favoured for rapid application development. But what about languages that are compiled?
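The following is an added example, not code from the original post, from the NVisium write-up or from the Airbnb report. It shows the three cases the two passages above describe: ordinary interpolation of runtime data (inert), the same data rebuilt into Ruby source and handed to eval (executes), and attacker text spliced into an ERB template body (executes, the log-file case), beside a fixed renderer that keeps the template constant and treats the input as data. The payloads and the echo command are constructed for the demonstration; nothing here is taken from the real Airbnb vulnerability.

```ruby
require 'erb'

# Constructed attacker-controlled values (assumption: delivered in a JSON field
# or a request parameter that later reaches the server-side rendering code).
INTERPOLATION_PAYLOAD = '#{%x[echo pwned].strip}'    # Ruby interpolation + subshell
ERB_PAYLOAD           = '<%= %x[echo pwned].strip %>' # ERB output tag + subshell

# 1. Plain interpolation of runtime data is inert: #{...} is evaluated only when
#    Ruby parses a string literal in source, never inside a String object.
def greet(name)
  "Hello, #{name}!"
end

# 2. Vulnerable: rebuilding Ruby source from the input and handing it to eval.
#    The outer literal splices the attacker's text into the source; eval then
#    parses that source, so the %x[...] subshell runs.
def greet_eval(name)
  eval(%("Hello, #{name}!"))
end

# 3. Vulnerable: untrusted text spliced into the template body before rendering.
#    ERB treats <%= ... %> in the template as Ruby, exactly as the tainted log
#    file does once it is rendered.
def render_unsafe(name)
  ERB.new("Hello, #{name}!").result(binding)
end

# 4. Fixed: the template is a constant; the input is exposed only as a variable
#    and HTML-escaped on output, so #{...} and <%= %> in the data stay characters.
SAFE_TEMPLATE = ERB.new('Hello, <%= ERB::Util.html_escape(name) %>!')

def render_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

if __FILE__ == $PROGRAM_NAME
  puts greet(INTERPOLATION_PAYLOAD)       # text only, nothing executed
  puts greet_eval(INTERPOLATION_PAYLOAD)  # command executed
  puts render_unsafe(ERB_PAYLOAD)         # command executed
  puts render_safe(ERB_PAYLOAD)           # escaped text, nothing executed
end
```

The practical check when reviewing Ruby code is therefore not "does the input reach a string" but "does the input reach eval, instance_eval, ERB.new, or anything else that parses text as Ruby". Cases 2 and 3 are the two forms that question usually takes.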

Java: Don’t let it surprise you

Java is the venerable language of the server-side web. Despite being the most studied from a security perspective (compared to Python and Ruby), being compiled to bytecode, and having had a security focus from the early days of its design, it too suffers from exploits that compromise applications in surprising ways.

Equifax is in the news for experiencing one of the worst data breaches in history. The breach, Equifax has announced, was due to an unpatched vulnerability in Apache Struts, CVE-2017-5638: an OGNL injection in the Jakarta Multipart parser that gives remote code execution through a crafted Content-Type header. (Arguably, the failure of Equifax was not due to just an unpatched vulnerability, but rather a systematic failure of security, but that's beyond the scope of this discussion.)

