According to a study conducted by IOActive senior security consultant Fernando Arnaboldi, protected applications are vulnerable to attacks due to vulnerabilities in the interpreted programming languages on which they are written. The interpreted programming language differs in that the source code is not converted into a machine code for direct execution by the central processor (as in compiled languages), but is executed using a special interpreter program.
The essence of fuzzing as a testing technique is that the system passes incorrect, unexpected or random data to the application on the output. This method is effective for preventing memory leaks that lead to the hangup or crash of programs. Typically, such problems are easily solved by optimizing the source code, but sometimes they are fraught with security-related problems and do not depend on the developers of the final software.
It was found that Python contains undocumented methods and local environment variables that can be used to execute commands at the operating system level, and Perl contains a typemaps function that can execute the eval () code. As for NodeJS, it produces errors that partially reveal the contents of the file. JRuby loads and executes extraneous code for functions that do not expect this, and PHP constant names can be used to execute commands remotely.
“Software developers can unintentionally inject code into the application, which will then be used differently than the authors of the application assumed. Some variants of its behavior can pose a serious risk for the security of applications, even if their development was conducted in full compliance with the safety standards, “Arnaboldi said.
Experts found vulnerabilities in programming languages before. So, Veracode published the results of a study of the dependence of the number of vulnerabilities in the code from the programming language used. The study performed a static analysis of more than 200 thousand applications, which showed that the greatest number of security-related errors are present in the code of projects in ASP, ColdFusion and PHP.
In 2013, a massive attack was recorded on sites using obsolete editions of the Ruby on Rails framework containing the undefined vulnerability CVE-2013-0156. Given that PHP and Ruby on Rails are written platforms Drupal, Joomla and WordPress, whose share among content management systems is about 70% and with a quarter of the largest sites on the Web, the PHP language is listed as causing the greatest security problems.