Writing bug-free software is practically impossible, due to the impracticality of predicting every way in which code might be executed.
But even if developers go above and beyond to avoid flaws that can be exploited by hackers, attackers can often still take advantage of vulnerabilities in the design of the underlying programming language.
At the recent Black Hat Europe conference, IOActive security services revealed it had identified flaws in five major, interpreted programming languages that could be used by hackers in crafting an attack.
"With regards to the interpreted programming languages vulnerabilities, software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee," it writes.
SEE: Hiring kit: Python developer (Tech Pro Research)
"Some of these behaviors pose a security risk to applications that were securely developed according to guidelines."
These are the five programming languages and the flaws that were identified:
Currently enjoying a surge in usage, Python is regularly used by web and desktop developers, sysadmin/devops, and more recently by data scientists and machine-learning engineers.
The IOActive paper found that Python contains undocumented methods and local environment variables that can be used to execute operating-system commands.
Both Python's mimetools and pydoc libraries have undocumented methods that can be exploited in this way, which IOActive used to run Linux's id command.
Popular for web server scripting, sysadmin jobs, network programming and automating various tasks, Perl has been in use since the late 1980s.
IOActive highlights the fact that Perl contains a function that will attempt to execute one of the arguments passed to it as Perl code. It describes the practice as a "hidden feature" within a default Perl function for handling typemaps.
IOActive found that NodeJS' built-in error messages for its require function could be exploited to determine whether a file name existed on the machine and to leak the first line of files on a system—potentially useful information for an attacker.
The Java implementation of the Ruby programming language was found to allow remote code execution in a way that isn't possible in Ruby as a base language.
By calling executable Ruby code using a specific function in JRuby, IOActive was able to get the function to execute an operating system command, the Linux command id, by loading a file on a remote server.
The venerable server scripting language was used to call an operating system command, again the Linux command id, using the shell_exec() function and by exploiting the way PHP handles the names of constants.
"Depending on how the PHP application has been developed, this may lead to remote command execution," say researchers.
That said, many web admins have long known the potential risk posed by PHP's shell_exec() function, and how to disable it.
Exploitable flaws in each programming language were identified using a tool called a differential fuzzer, which was designed to automatically find vulnerabilities. The fuzzer works by running through a large array of scenarios in each language, calling each of the languages' native functions with a wide variety of different arguments and observing the results.
- 8 skills programmers must master before a technical interview (TechRepublic)
- 10 ways that IT pros and developers can keep their tech skills up to date (TechRepublic)
- The 10 easiest programming languages to learn (TechRepublic)
- Learn these 3 languages now if you want to become a data scientist (TechRepublic)
- Programming languages: Your best options (ZDNet)
- IT Hiring Kit: Programmer (Tech Pro Research)
Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.