Sockets, Shellcode, Porting & Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals

Summary

Understanding programming languages is essential to finding vulnerabilities and writing exploit code. A programmer attempting to write a buffer overflow exploit for a Java program is wasting his or her time. Likewise, understanding how a programming language interacts with the underlying system is vital to writing shellcode. To this end, this chapter combines basic programming instruction with the characteristics of four common programming languages.

Each of the languages discussed in this chapter has its own unique strengths and weaknesses. All four languages share features including data types and basic programming concepts such as functions and loops. While decades old, C is still a useful language. This simple, efficient language may be used to quickly create powerful programs. For this reason, vulnerability exploit code is frequently written in C, as are programs designed to interact with the UNIX operating system. Newer languages such as Java and C# (along with the .NET framework) provide portability and modern security features. Classes and functions may be marked private, and data hiding is made simple. Automatic garbage collection provides protection against coding bugs and memory leaks. Programming languages can render entire classes of vulnerabilities obsolete. With automatic array boundary checking, Java and C# protect against stack and heap overflows.
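What that automatic boundary check amounts to can be sketched in C, which performs no such check on its own. This is an added example, not code from the book; the names `checked_array`, `ca_store`, `ca_copy_in` and `ca_canary_intact` are hypothetical, and the input string is constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define CA_CAPACITY 8

/* An array that carries its own length, as Java and C# arrays do. */
struct checked_array {
    size_t length;              /* number of valid elements */
    char   data[CA_CAPACITY];
    char   canary[4];           /* neighbouring memory an overflow would corrupt */
};

void ca_init(struct checked_array *a)
{
    a->length = CA_CAPACITY;
    memset(a->data, 0, sizeof a->data);
    memcpy(a->canary, "SAFE", 4);
}

/* Store one element. The index is unsigned, so a negative value wraps to a
   huge number and is rejected by the same comparison. */
int ca_store(struct checked_array *a, size_t index, char value)
{
    if (index >= a->length)
        return -1;              /* a managed runtime would raise an exception */
    a->data[index] = value;
    return 0;
}

/* Copy n bytes in; refuse the whole copy if it does not fit. */
int ca_copy_in(struct checked_array *a, const char *src, size_t n)
{
    if (n > a->length)
        return -1;
    memcpy(a->data, src, n);
    return 0;
}

/* Returns 1 if the memory next to the array is untouched. */
int ca_canary_intact(const struct checked_array *a)
{
    return memcmp(a->canary, "SAFE", 4) == 0;
}

int main(void)
{
    struct checked_array a;
    ca_init(&a);
    printf("oversize copy: %d, canary intact: %d\n",
           ca_copy_in(&a, "AAAAAAAAAAAAAAAA", 16), ca_canary_intact(&a));
    return 0;
}
```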

While this is a step in the right direction, no programming language can ever ensure the security of all programs written in it. Web application programmers must continue to study all input and output, limiting characters to those that are essential to the functioning...
