Thread: C++ web app best practices

  1. #1

    C++ web app best practices

    Hello,

    Due to the lack of documentation and the 'NO tuts available' state of C++ for web apps, it is difficult for me to understand, per se, the security aspects.
    Facebook is using HipHop PHP, which has made it far superior in handling so many requests; further, Google ditching Python for C++ and Java (maybe a rumour, but a very famous one) has created a drastic impact too.
    There are client enquiries asking me for the same flavour that Google is using... However, I need to know what the consequences of using C++ for web app development are.
    So far, by word of mouth / discussion with developers, I have heard: "while using PHP, ASP, JSP, if compromised, you lose a site and possibly the server... but with direct C++ to a C compiler, you don't lose the website, you lose the entire server.... PHP/JSP = SQLi, CSRF, etc... C++ = BOF because PHP goes via and works on a different OSI layer, whereas C++ is quicker because it has complete access to all resources". Is this understanding correct?
    I want to get into production with C++ for web apps. HipHop is a good alternative; however, people also suggest that it is comparatively not as stable as CppCMS.

    Please advise.
    31337 - 7H15 15 4n 4nn071ng!
    Study English - write Eleet

  2. #2
    fb1h2s (Security Researcher; India; joined Jul 2010; 616 posts, 32 blog entries)
    You would be interested in looking at ISAPI extensions: http://www.codeproject.com/KB/ISAPI/...xtensions.aspx

    Huge sites like eBay and others run on this [https://scgi.ebay.in/ws/eBayISAPI.dll]. ISAPI has had to deal with BOF-style attacks before; I haven't heard of any recent bug in the above dll.
    Hacking Is a Matter of Time Knowledge and Patience

  3. #3
    Yes, this is what my concern was. The almighty overflowing-tea-from-the-cup.
    Will have a look at ISAPI, but right now I am not into .NET (I presume it has got to do with .NET)...

    So, you do agree that BOF may be a threat?

  4. #4
    The major difference is that the CGI (the C++ is compiled to an executable, and that executable becomes the CGI) forms a process in the server under the web server, while PHP and most other counterparts are executed under a thread by their corresponding interpreter.

    The downfalls like buffer overflow/format string, etc. are the developers' problems; they should code properly, otherwise there are problems with other technologies too.
    We should not criticize any technology; if it has been developed then it might have some features. And there is no other higher-level language with such vast features and libraries as C/C++ have.

    ..."vinnu"

  5. #5
    Security Researcher (Pune, Maharashtra, India; joined May 2011; 237 posts, 1 blog entry)
    Quote Originally Posted by "vinnu":
    The major difference is that the CGI (the C++ is compiled to an executable, and that executable becomes the CGI) forms a process in the server under the web server, while PHP and most other counterparts are executed under a thread by their corresponding interpreter.

    The downfalls like buffer overflow/format string, etc. are the developers' problems; they should code properly, otherwise there are problems with other technologies too.
    We should not criticize any technology; if it has been developed then it might have some features. And there is no other higher-level language with such vast features and libraries as C/C++ have.

    ..."vinnu"
    I agree with your point, buddy,

    we should not be blaming the technology.

    However, at the same time, there should be a limit on using a technology in the correct places.

    C/C++ suffers from buffer overflow and pointer-related issues because they are primarily intended for low-level / system-level tasks. Java doesn't have pointers as it wanted to be an app language. However, the whole point here is: use the language which you think is good, then don't make a fuss out of it.

    Also, as far as a web app in C goes, my personal opinion is that I would like to do that only if I have control over the whole server,
    i.e. my app itself is acting as a port 80 listener too... ....

  6. #6
    Thanks Vinnu and Anant. :-)

    However, my main point was about the "best practices". As Vinnu said, it is the developer's fault and not the technology's.
    I agree with it, which is why I am seeking guidance from the citizens of Garage to help me with "best practices" like how to sanitize, what could be done to minimize processing time, whitespace, etc...
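As an added illustration of the "how to sanitize" question above (example code written for this thread, not posted by any participant and not from CppCMS or HipHop), here is the input-handling core of a C++ CGI handler: the query string is parsed with std::string rather than a fixed char[] buffer, percent-decoding is bounds-checked, and user data is HTML-escaped before it is reflected into a page. The function names url_decode, parse_query and html_escape are my own; a real CGI would feed getenv("QUERY_STRING") into parse_query.

```cpp
#include <cctype>
#include <cstdlib>
#include <map>
#include <string>

// Decode a percent-encoded value; bounds-checked, and "%4"-style stubs are kept literally.
static std::string url_decode(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '+') { out += ' '; continue; }
        if (in[i] == '%' && i + 2 < in.size() &&
            std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::strtol(in.substr(i + 1, 2).c_str(), nullptr, 16));
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Split "a=1&b=2" into a map; std::string grows on demand, so no char[] can be overrun.
// The length cap is a resource limit (CPU/memory), not what makes this memory-safe.
static std::map<std::string, std::string> parse_query(const std::string& qs, size_t max_len = 4096) {
    std::map<std::string, std::string> params;
    if (qs.size() > max_len) return params;
    for (size_t pos = 0; pos <= qs.size();) {
        size_t amp = qs.find('&', pos);
        if (amp == std::string::npos) amp = qs.size();
        std::string pair = qs.substr(pos, amp - pos);
        size_t eq = pair.find('=');
        if (!pair.empty())
            params[url_decode(pair.substr(0, eq))] =
                eq == std::string::npos ? "" : url_decode(pair.substr(eq + 1));
        pos = amp + 1;
    }
    return params;
}
// Escape the characters that matter when reflecting user data into an HTML body.
static std::string html_escape(const std::string& in) {
    static const std::map<char, std::string> esc = {
        {'&', "&amp;"}, {'<', "&lt;"}, {'>', "&gt;"}, {'"', "&quot;"}, {'\'', "&#39;"}};
    std::string out;
    for (char c : in) {
        auto it = esc.find(c);
        out += it == esc.end() ? std::string(1, c) : it->second;
    }
    return out;
}
```

The same discipline applies to POST bodies read from stdin (CONTENT_LENGTH is attacker-controlled and must be capped before any read), and output escaping must match the context (HTML body here; URLs, attributes and JSON each need their own encoder).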
