Dangerous Functions
Dangerous Functions in Programming: Identifying and Avoiding Risks
What are dangerous functions?
Dangerous functions are the root cause of all Application Security (AppSec) problems. In programming, "functions" (also known as procedures, methods, routines or subroutines) are callable units of code with well-defined behavior that can be invoked by other software. "Dangerous" functions are simply functions that perform a powerful task which could cause harm if misused. A typical software stack contains thousands of these dangerous methods, used for tasks such as creating files, parsing documents, executing native commands, deserializing objects and making database queries.
How are dangerous functions exploited?
Dangerous functions are small pieces of code that do dangerous things: for example, start operating system commands, execute SQL queries, parse XML documents, make a backend connection to an application programming interface (API), or encrypt or hash something. These functions are dangerous because what they do affects security. If an attacker can control the input to one or more of these functions, they can harm the company by exploiting the relevant application. There are thousands of dangerous functions available to developers across the application stack, which makes the scale of the AppSec problem enormous.
Why are applications, APIs and open-source libraries easy to exploit?
There are thousands of dangerous methods in the typical software stack, and they are complex. It is difficult for developers to know how to use them safely, because these dangerous functions generally provide no security guidance: there is neither documentation nor a compiler warning to ensure that developers take the proper precautions. This virtually guarantees that there will be many vulnerabilities in production. These functions also typically do not detect or block attacks. This explains why so many applications, APIs and open-source libraries have so many vulnerabilities and why they are so easy to exploit.
What are dangerous JS functions and PHP functions?
Every language and framework has a long list of these dangerous functions. JavaScript is one of the most widely used programming languages among developers worldwide, and it makes dangerous JS functions available to the developer with neither indications nor documentation regarding their potential danger. When dangerous functions are used, there are no warning signs that their use could allow attackers to take control of the application. Given how widespread these dangerous functions are, the creation of vulnerabilities is inevitable, and attackers target these same functions in order to exploit those vulnerabilities.
The same applies to dangerous PHP functions — another coding language popular among developers globally.
How does Contrast Security protect dangerous functions?
Contrast Security has the only application security tool that addresses the root cause of this AppSec problem. Contrast Security adopts a zero-trust approach to application security through its Runtime Security product. Contrast's Runtime Security platform unifies IAST (Interactive Application Security Testing), RASP (Runtime Application Self-Protection) and runtime SCA (Software Composition Analysis) into one product. It actively monitors and analyzes application behavior in real time, surrounding dangerous functions with trust boundaries, identifying vulnerabilities in the development and testing phases, and blocking attacks in production. We alert the developer when dangerous functions have been invoked without proper sanitization, and we give the developer instant feedback on vulnerabilities. Think of runtime security as a security boundary around each application that protects it both in production and during development.
Contrast Runtime Security puts in the right checks, in all the right places, to alert the developers of real vulnerabilities and to alert security teams of real attacks, giving them full context and insights into the application, the code, the library in use, the vulnerability and the attack.
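To make the idea of a trust boundary around a dangerous function concrete, here is an added illustration in JavaScript (not Contrast's code and not part of the original page). Untrusted request data is carried in a `Tainted` wrapper, sanitizers are the only way out of it, and each sink is wrapped so that input reaching it without sanitization is recorded as a finding and blocked; `execFile` and `query` are offline stand-ins for `child_process.execFile` and a database driver, and all request values are constructed.

```javascript
// Findings recorded by the sink guards (what a runtime agent would report).
const findings = [];

class Tainted {
  constructor(value, source) { this.value = value; this.source = source; }
  // Building a command or query string out of untrusted data is the bug
  // itself, so string coercion fails loudly instead of silently.
  toString() { throw new Error(`untrusted ${this.source} used in string building`); }
}
const fromRequest = (value, source) => new Tainted(value, source);

// Sanitizers validate and return a plain (trusted) value.
const sanitize = {
  shellArg: (t) => { if (!/^[\w.\-]+$/.test(t.value)) throw new Error(`rejected shell argument from ${t.source}`); return t.value; },
  intId: (t) => { if (!/^\d{1,9}$/.test(t.value)) throw new Error(`rejected id from ${t.source}`); return Number(t.value); },
};

// Wrap a dangerous function: a Tainted argument (even inside an array)
// means input reached the sink without passing through a sanitizer.
function guardSink(name, fn) {
  return (...args) => {
    const leaks = args.flat(Infinity).filter((a) => a instanceof Tainted);
    if (leaks.length) {
      const sources = leaks.map((l) => l.source);
      findings.push({ sink: name, sources });
      throw new Error(`blocked ${name}: unsanitized input from ${sources.join(', ')}`);
    }
    return fn(...args);
  };
}
// Stand-ins for child_process.execFile and a database driver (run offline).
const execFile = guardSink('child_process.execFile', (cmd, args) => `${cmd} ${args.join(' ')}`);
const query = guardSink('db.query', (sql, params) => ({ sql, params }));

// The same constructed request parameters, handled with or without sanitizers.
function handleRequest(file, id, sanitized) {
  const fileParam = fromRequest(file, 'req.query.file');
  const idParam = fromRequest(id, 'req.query.id');
  const out = {};
  try { out.exec = execFile('cat', [sanitized ? sanitize.shellArg(fileParam) : fileParam]); }
  catch (e) { out.exec = e.message; }
  try {
    out.query = sanitized
      ? query('SELECT * FROM users WHERE id = ?', [sanitize.intId(idParam)])   // parameterized
      : query(`SELECT * FROM users WHERE id = ${idParam}`, []);               // concatenated
  } catch (e) { out.query = e.message; }
  return out;
}
```

With `sanitized` set to false both sinks are blocked and a finding is recorded for the command sink; with it set to true, well-formed input passes and malformed input is rejected at the sanitizer before it ever reaches the dangerous function.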
Contrast is the clear customers’ choice
Contrast is named a Customers’ Choice in the 2021 Gartner Peer Insights “Voice of the Customer”: Application Security Testing report. With the highest percentage of 5-star ratings, this is the third consecutive year Contrast has received this powerful endorsement from customers.