It is very hard to make a Java web server bug cough up a shell. It is very hard to make a C web server bug NOT cough up a shell.
I don't claim C inherently fares better here, just maybe not significantly worse.
-
It’s worse! Because in addition to SQLI, file access vulns, and races, you also get memory corruption.
-
What additional value does that give an attacker for a webapp with a modern containerized deployment?
-
The exact same thing SQLI gives you: game over for that application.
-
I am not disputing that SQLI is as bad as RCE. It almost always is.
-
I’m saying two game-over vectors is worse than one.
-
(incidentally: my faith in “containerization” as protection for losing code execution: not at all high)
-
I don't see most use as a "protection"; rather it just makes throwing away & replacing a compromised environment easy.
-
Yes, but to do that, you have to trust that the host isn’t compromised, and you probably shouldn’t.