It is very hard to make a Java web server bug cough up a shell. It is very hard to make a C web server bug NOT cough up a shell.
What additional value does that give an attacker for a webapp with a modern containerized deployment?
-
The exact same thing SQLI gives you: game over for that application.
-
I am not disputing that SQLI is as bad as RCE. It almost always is.
-
I’m saying two game-over vectors is worse than one.
-
(incidentally: my faith in “containerization” as protection for losing code execution: not at all high)
-
I don't see most use as a "protection"; rather it just makes throwing away & replacing a compromised environment easy.
-
Yes, but to do that, you have to trust that the host isn’t compromised, and you probably shouldn’t.
-
Maybe in 5 years or so, we’ll be at a point where a typical best-practices non-hardened container survives RCE.
-
Linux kernel security is trending in the wrong direction. More complexity, more attack surface, more code churn.