by filleokus 1636 days ago
If I remember correctly, e.g. Django and Flask use plain old Python files for configs. Don’t know if it’s common in the Node landscape but probably?

I don’t know how common it is to specify paths to/file names for DLLs in config to load at runtime for C#, but probably not totally unheard of? And if you can edit the config, maybe you can place a DLL somewhere as well…?

(But at the same time, if you can edit the config, maybe you can just replace/patch the main binary in the first place…)

2 comments

You can configure ASP.NET to load HTTP Handlers and Modules for use in the request/response pipeline via the web.config file (from the file system, not over HTTP).

But if your attacker has gotten so far as to be able to tamper with these config files then it's probably game-over already.

> Don’t know if it’s common in the Node landscape but probably?

Webpack is (arguably) one of the most common tools in the nodejs/browser ecosystem, and it has a regular JS file as its config file (usually named `webpack.config.js`).

I am still stuck at using INI/JSON/TOML for configuration files. :D

Just remember that just because you're using .ini/.json/.toml files doesn't mean there isn't any way of executing code from changing their values; it's up to whatever is using the files if there is any way of executing code via them.

One example is package.json. It's a JSON file, yeah, and normally doesn't contain any code. But one of the fields is `scripts`, which can contain an object with a key like `preinstall` (and more) that runs those as shell commands at different lifecycle stages of using `npm`.

So just because you're using those languages/syntaxes, doesn't mean there isn't any way of executing code via them.

That is fair and true. :) Thanks!
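The package.json comment above, turned into a check: this added example (not posted by anyone in the thread) parses manifest text and reports the `scripts` entries that npm runs automatically during `npm install`. The function names and the sample manifests are constructed for illustration.

```javascript
// Added example: report package.json script hooks that npm runs on its own
// during `npm install`, i.e. values in a "data" file that become shell commands.

// Lifecycle hooks npm runs at install time (prepare runs for local and git installs).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function auditPackageJson(text, label = "package.json") {
  let manifest;
  try {
    manifest = JSON.parse(text);
  } catch (err) {
    return { label, error: `invalid JSON: ${err.message}`, findings: [] };
  }
  const scripts = manifest && typeof manifest === "object" ? manifest.scripts : undefined;
  const findings = [];
  if (scripts && typeof scripts === "object" && !Array.isArray(scripts)) {
    for (const hook of INSTALL_HOOKS) {
      // Own-property check so inherited keys are never reported as hooks.
      if (Object.prototype.hasOwnProperty.call(scripts, hook) && typeof scripts[hook] === "string") {
        findings.push({ hook, command: scripts[hook] });
      }
    }
  }
  return { label, error: null, findings };
}

// Constructed sample manifests (not taken from any real package).
const SAMPLES = {
  "plain-lib": JSON.stringify({ name: "plain-lib", version: "1.0.0", scripts: { test: "node test.js" } }),
  "native-addon": JSON.stringify({
    name: "native-addon", version: "2.3.0",
    scripts: { preinstall: "node scripts/check-env.js", postinstall: "node scripts/build.js", test: "node test.js" },
  }),
  "broken": "{ not json",
};

function auditAll(samples) {
  return Object.entries(samples).map(([label, text]) => auditPackageJson(text, label));
}

for (const r of auditAll(SAMPLES)) {
  if (r.error) console.log(`${r.label}: ${r.error}`);
  else if (r.findings.length === 0) console.log(`${r.label}: no install-time hooks`);
  for (const f of r.findings) console.log(`${r.label}: ${f.hook} -> ${f.command}`);
}
```

Running `npm install --ignore-scripts` skips these hooks, which is useful when reviewing what a flagged manifest would have executed.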