Injecting into Interpreted Languages
An interpreted language is one whose execution involves a runtime component
that interprets the code of the language and carries out the instructions
that it contains. In contrast to this, a compiled language is one whose code is
converted into machine instructions at the time of generation; at runtime,
these instructions are then executed directly by the processor of the computer
that is running it.
In principle, any language can be implemented using either an interpreter
or a compiler, and the distinction is not an inherent property of the language
itself. Nevertheless, most languages are normally implemented in only one of
these two ways, and many of the core languages used in the development of
web applications are implemented using an interpreter, including SQL, LDAP,
Perl, and PHP.
Because of the way that interpreted languages are executed, there arises a
family of vulnerabilities known as code injection. In any useful application,
user-supplied data will be received, manipulated, and acted upon. The code
that is processed by the interpreter will, therefore, comprise a mix of the
instructions written by the programmer and the data supplied by the user. In
some situations, an attacker can supply crafted input that breaks out of the
data context, usually by supplying some syntax that has a special significance
within the grammar of the interpreted language being used. The result is that
part of this input gets interpreted as program instructions, which are executed
in the same way as if they had been written by the original programmer. Often,
therefore, a successful attack will fully compromise the component of the
application that is being targeted.
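The mix of programmer instructions and user data described above can be seen with SQL, one of the interpreted languages named earlier. This is an added example, not code from the original text; it uses Python's sqlite3 module, and the table, function names and sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_concatenated(db, name):
    # Vulnerable pattern: the user's data is spliced into the statement
    # text, so the SQL interpreter parses it together with the
    # programmer's instructions.
    query = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]

def lookup_bound(db, name):
    # Hardened pattern: the statement text is fixed and the input is
    # bound as a parameter, so it can only ever be a string value.
    query = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]

def concatenated_parses(db, name):
    # Reports whether the concatenated statement is still valid SQL.
    try:
        lookup_concatenated(db, name)
        return True
    except sqlite3.OperationalError:
        return False

# Constructed input: the quote character closes the string literal,
# and the remainder is parsed as part of the WHERE clause.
CRAFTED = "nobody' OR 'x'='x"

if __name__ == "__main__":
    db = make_db()
    print("normal input      :", lookup_concatenated(db, "alice"))
    print("crafted, spliced  :", lookup_concatenated(db, CRAFTED))
    print("crafted, bound    :", lookup_bound(db, CRAFTED))
    # Even an innocent name containing a quote breaks the spliced query.
    print("o'brien parses?   :", concatenated_parses(db, "o'brien"))
```

With the bound form the crafted value matches no row, because it never leaves the data context.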
In compiled languages, on the other hand, attacks designed to execute arbitrary
commands are usually very different. The method for injecting code does
not normally leverage any syntactic feature of the language used to develop
the target program, and the injected payload normally contains machine code
rather than instructions written in that language. See Chapter 15 for details of
common attacks against compiled software.
Consider the following very simple example. Helloworld is a shell script
that prints out a message supplied by the user:
#!/bin/bash
echo $1
When used in the way the programmer intended, this script simply takes the
input supplied by the user and passes this to the echo command, for example:
[manicsprout@localhost ~]$ ./helloworld.sh "hello there"
hello there