或许你是一个顶级的开发人员或者是一个顶级程序员,但是你是否知道,程序语言会产生最多的软件安全漏洞。
最近,大量报道的出现,让人们的注意力转移到了Drupal 和WordPress的漏洞上边。许多攻击行为已被归因为黑客在利用WordPress上的漏洞,并且在Drupal上也出现了类似的情况。然而,现在已经发现了罪魁祸首,而且它长期在产生不良影响,那就是PHP语言。
最糟糕的语言
在过去的18个月中,Veracode研究了超过50000个应用程序,这些程序都使用了流行的语言,比如PHP, Classic ASP, .NET, C和C++, Java, JavaScript, iOS, Android, Ruby, ColdFusion, 以及 COBOL。该报告的产生是基于对一些语言的问题的分析。例如,根据报告显示,有86%的软件用PHP编写,至少存在有一个XSS漏洞。
此外,根据报告显示,至少有56%的软件存在一个SQL注入漏洞。对于Classic ASP和ColdFusion用户,SQL注入漏洞的结果更令人担心,因为根据报告显示,有64%的软件使用了这两种语言,所以至少存在一个SQL注入漏洞。根据OWASP的测试结果显示,类似的情况在ColdFusion, PHP, 和 Classic ASP上也有出现。按此情况看,在论及软件安全性的时候,这些语言是最糟糕的语言。
Veracode的创始人和首席技术官Chris Wysopal说,SQL注入攻击一直持续不断的原因就在于类似于PHP语言的使用。这样的语言很难保证程序安全。据他所说,脚本语言导致了最近如此多的XSS漏洞,缓冲溢出以及SQL注入攻击事件的发生,根据Veracode基于云数据分析和应用研究的报告数据,可以轻易证实他的理念。
出现这些问题的原因
产生这些漏洞的主要原因是,这些语言使用的方式,以及例如PHP, Classic ASP 和ColdFusion语言的设计方法。这些语言缺少像.NET and Java的内置功能和安全APIs,这也就是为什么这些脚本语言,会更易导致XSS漏洞,缓冲溢出和SQL注入攻击的出现。
SQL注入攻击在SQL查询没有绑定参数时发生,PHP对于绑定参数根本起不到任何作用,因此使得它更易受到SQL注入攻击。
由于PHP, ColdFusion 和 Classic ASP语言目前主要是由那些刚进入编码领域的网页开发者使用,他们主要关心的是让他们的网站看上去更棒,所以他们没有使用提供安全功能的语言,如.NET和 Java。很多时候,这甚至不是开发人员的错,因为不管他们的公司提供给他们什么平台,他们也必须工作。
移动语言
上文提到的Veracode的报告,还提供了Android和iOS应用程序的研究结果。当你比较它们时,在安全方面没有很大程度的差异。87%的Android程序存在有漏洞,与之相比,情况比较类似,有81%的iOS程序存在漏洞。在这两种语言中,存在如此多的漏洞的主要原因是,没有执行适当的SSL证书检查,以及使用过时的密码加密算法。这样的做法导致了安全漏洞。
结论
ColdFusion, PHP, 和Classic ASP,这三种最糟糕的语言产生最多的软件安全漏洞。这些语言在Veracode的分析报告和OWASP的测试报告中,表现的最差,这说明它们在其他的语言中有最多的安全漏洞。
由于超过70%的内容管理使用了如Drupal, Joomla,和 WordPress系统,这些系统都是基于PHP语言的,这份报告应该公开那些使用了这些内容管理系统和脚本语言的公司。
本文由 360安全播报 翻译,转载请注明“转自360安全播报”,并附上链接。
原文链接:https://www.hackread.com/program-languages-that-generate-most-software-security-bugs/
Working with Flash Session Data in LaravelMar 12, 2025 pm 05:08 PMLaravel simplifies handling temporary session data using its intuitive flash methods. This is perfect for displaying brief messages, alerts, or notifications within your application. Data persists only for the subsequent request by default: $request-
cURL in PHP: How to Use the PHP cURL Extension in REST APIsMar 14, 2025 am 11:42 AMThe PHP Client URL (cURL) extension is a powerful tool for developers, enabling seamless interaction with remote servers and REST APIs. By leveraging libcurl, a well-respected multi-protocol file transfer library, PHP cURL facilitates efficient execution of various network protocols, including HTTP, HTTPS, and FTP. This extension offers granular control over HTTP requests, supports multiple concurrent operations, and provides built-in security features.
Simplified HTTP Response Mocking in Laravel TestsMar 12, 2025 pm 05:09 PMLaravel provides concise HTTP response simulation syntax, simplifying HTTP interaction testing. This approach significantly reduces code redundancy while making your test simulation more intuitive. The basic implementation provides a variety of response type shortcuts: use Illuminate\Support\Facades\Http; Http::fake([ 'google.com' => 'Hello World', 'github.com' => ['foo' => 'bar'], 'forge.laravel.com' =>
PHP Logging: Best Practices for PHP Log AnalysisMar 10, 2025 pm 02:32 PMPHP logging is essential for monitoring and debugging web applications, as well as capturing critical events, errors, and runtime behavior. It provides valuable insights into system performance, helps identify issues, and supports faster troubleshoot
12 Best PHP Chat Scripts on CodeCanyonMar 13, 2025 pm 12:08 PMDo you want to provide real-time, instant solutions to your customers' most pressing problems? Live chat lets you have real-time conversations with customers and resolve their problems instantly. It allows you to provide faster service to your custom
Explain the concept of late static binding in PHP.Mar 21, 2025 pm 01:33 PMArticle discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo
Customizing/Extending Frameworks: How to add custom functionality.Mar 28, 2025 pm 05:12 PMThe article discusses adding custom functionality to frameworks, focusing on understanding architecture, identifying extension points, and best practices for integration and debugging.
Alipay PHP SDK transfer error: How to solve the problem of 'Cannot declare class SignData'?Apr 01, 2025 am 07:21 AMAlipay PHP...
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
SublimeText3 English version
Recommended: Win version, supports code prompts!
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
SublimeText3 Mac version
God-level code editing software (SublimeText3)
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
