It is very hard to make a Java web server bug cough up a shell. It is very hard to make a C web server bug NOT cough up a shell.
If the app is properly isolated/containerized, a shell is not worth much compared to what you get from common webapp language vulns.
-
-
Shell isn’t much worse than SQLI, which you ALSO get with C web apps; way worse than everything else.
-
Except for PHP’s insane RFI problem, the web tier vulns as bad as RCE are all shared by C. Even unmarshalling!
-
I don't claim C inherently fares better here, just maybe not significantly worse.
-
It’s worse! Because in addition to SQLI, file access vulns, and races, you also get memory corruption.
-
What additional value does that give an attacker for a webapp with a modern containerized deployment?
-
The exact same thing SQLI gives you: game over for that application.
-
I am not disputing that SQLI is as bad as RCE. It almost always is.
-
I’m saying two game-over vectors is worse than one.
24 more replies
New conversation
-
It's DB/data access, not shell/root on a container that can just be rm'd & recreated, that's valuable.
-
There are many other aspects to language security beyond memory safety, but that's the base it's all built upon.
-
Java was the counter-example, and it's a lot less prone to those issues than a dynamically typed language.
-
Better would be a language with a more useful type system rather than one seemingly designed to get in the way.
-
_With the right coding policy_, I think C could be a reasonable language for web apps, not significantly higher risk vs. PHP etc.
-
You can think that and I’m sure you’re quite smart but that is just wrong.
End of conversation
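The thread's point is that a C handler carries every web-tier bug the other languages have (the SQL injection) plus one more class that only the lack of memory safety gives you (the overflow). The program below, an added example that is not part of the thread, puts both bugs in one toy request handler and shows the hardened version beside it. The handler, its 32-byte name buffer (`NAME_MAX`), the `users` table and the query shape are all invented for illustration; the real database call (a `sqlite3_bind_text()` or `PQexecParams()` on the placeholder query) is left out so the program runs stand-alone.

```c
/* Added example, not from the thread: one C request handler with the two
 * game-over vectors under discussion, beside a hardened version.
 * NAME_MAX, the table and the query text are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32    /* size of the fixed stack buffer in the unsafe handler (assumed) */
#define SQL_MAX  128

enum { REQ_OK = 0, REQ_NAME_TOO_LONG = -1 };

/* Result of the hardened path: SQL with a placeholder, plus the value to
 * bind to it. This is what you would hand to sqlite3_bind_text() or
 * PQexecParams(); the actual database call is out of scope here. */
struct bound_query {
    int rc;
    char sql[SQL_MAX];
    char param[NAME_MAX];
};

/* Vector shared with every language: user text is concatenated into the
 * query. A name of  x' OR '1'='1  turns the lookup into "match every row". */
static void build_query_unsafe(char *sql, size_t sqlsz, const char *name)
{
    snprintf(sql, sqlsz, "SELECT id FROM users WHERE name = '%s'", name);
}

/* Vector only C adds: strcpy() into a fixed buffer. A name of NAME_MAX or
 * more bytes writes past `name`, over the rest of this frame and the saved
 * return address. Only call this with short input; it is here to be read. */
const char *handle_request_unsafe(const char *user_name)
{
    static char sql[SQL_MAX];
    char name[NAME_MAX];
    strcpy(name, user_name);                     /* unbounded copy: memory corruption */
    build_query_unsafe(sql, sizeof sql, name);   /* string concatenation: SQL injection */
    return sql;
}

/* Hardened handler: the length is checked before any byte is copied (C makes
 * you do memory safety by hand), and the name travels as a bound parameter,
 * never as SQL text, which closes the injection in any language. */
const struct bound_query *handle_request_hardened(const char *user_name)
{
    static struct bound_query q;
    size_t len = strlen(user_name);
    memset(&q, 0, sizeof q);
    if (len >= sizeof q.param) {                 /* no room for the NUL: reject, do not truncate */
        q.rc = REQ_NAME_TOO_LONG;
        return &q;
    }
    memcpy(q.param, user_name, len + 1);         /* bounded copy, NUL included */
    snprintf(q.sql, sizeof q.sql, "SELECT id FROM users WHERE name = ?1");
    q.rc = REQ_OK;
    return &q;
}

int main(void)
{
    const char *injection = "x' OR '1'='1";      /* constructed input, 12 bytes */
    char overlong[64];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';        /* 63 bytes: more than name[] can hold */

    printf("unsafe:   %s\n", handle_request_unsafe(injection));
    /* handle_request_unsafe(overlong) would smash the stack, so it is not run. */

    const struct bound_query *q = handle_request_hardened(injection);
    printf("hardened: rc=%d sql=\"%s\" param=\"%s\"\n", q->rc, q->sql, q->param);
    q = handle_request_hardened(overlong);
    printf("hardened: rc=%d (overlong name rejected before any copy)\n", q->rc);
    return 0;
}
```

Run it and the unsafe line shows the injected clause sitting inside the SQL, while the hardened path emits the same placeholder query for any input and carries the name separately; the overlong name is rejected with a return code instead of being written past the buffer. The point the example makes concrete is that the first fix (parameterization) is the same in Java, PHP or C, while the second (checking `len` before `memcpy`) is work C alone leaves to the programmer on every copy.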