Compiled software that runs in a native execution environment has historically been plagued by vulnerabilities like buffer overflows and format string bugs. The majority of web applications are written using languages and platforms that run in a managed execution environment in which these classic vulnerabilities do not arise. One of the most significant advantages of languages such as C# and Java is that programmers do not need to worry about the kind of buffer management and pointer arithmetic problems that have affected software developed in native languages such as C and C++, and have given rise to the majority of critical bugs found in that software.
Nevertheless, you may occasionally encounter web applications that are written in native code, and many applications written primarily using managed code contain portions of native code or call out to external components that run in an unmanaged context. Unless you know for certain that your target application does not contain any native code, it is worth performing some basic tests designed to uncover any classic vulnerabilities that may exist.
Web applications that run on hardware devices such as printers and switches very commonly contain some native code. Other likely targets include any page or script whose name includes possible indicators of native code, such as
exe, and any functionality known to call out to legacy external components, such as logging mechanisms. If you believe ...