
I have a basic understanding of what data execution and prevention is and how it works in Windows, but I saw an article online (which I cannot seem to find anymore) mention that it can also be used on web applications to prevent privilege escalation, but it didn't go into depth about it after that.

So what I want to know: Is it possible to enforce data execution prevention on web applications to prevent privilege escalation, and if so, how would it be implemented?

Osiris93

1 Answer


Techniques like DEP, NX, PaX, W^X etc. only help against a specific type of attack which uses buffer overflows or similar. Usually web applications are written in higher-level languages which are not prone to this type of attack. The typical server-side attacks against web applications are SQL injection, local and remote file inclusion, broken authentication etc., and in none of these cases will DEP help.

But these attacks where DEP does not help usually result only in non-privileged access to the server system. In order to get system privileges the attacker then uses local exploits which often work because of buffer overflows or similar. And in this case DEP or similar techniques can make it harder for the attacker to get system privileges. Which means that it is not DEP for the web application itself which helps but DEP for the locally installed programs and for the kernel.

Of course there are also cases where the web application itself might profit from DEP. This is the case for applications written in lower-level languages like C and C++. Such applications are often found in embedded devices (routers etc.).

Steffen Ullrich
  • So basically DEP would only help with web applications if it was implemented on the server/computer hosting the web application and if the attacker was trying to exploit a vulnerability on the local machine itself? – Osiris93 Oct 09 '16 at 13:08
  • @Osiris93: DEP on the system would make elevation of privileges harder if the attacker managed to get local access through a bug in the web application. But DEP will usually not help against exploiting the bug in the web application itself. – Steffen Ullrich Oct 09 '16 at 13:16
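
Since the answer locates the benefit in DEP for the locally installed programs, a defender can check which Windows executables on the web server declare DEP compatibility by reading the `NX_COMPAT` bit in each PE header. This is an added example, not part of the original answer; the function names, file names and sample headers are constructed for illustration.

```python
import struct
import sys

NX_COMPAT = 0x0100          # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
PE32, PE32_PLUS = 0x10B, 0x20B

class NotPE(ValueError):
    """Input is not a parseable PE image."""

def nx_compat(image: bytes) -> bool:
    """True if the PE header opts in to DEP. The flag matters for 32-bit
    images under the OptIn policy; 64-bit processes always run with DEP."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    opt = pe_off + 24                     # PE signature (4) + COFF header (20)
    if len(image) < opt + 72 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise NotPE("missing or truncated PE header")
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    (magic,) = struct.unpack_from("<H", image, opt)
    if opt_size < 72 or magic not in (PE32, PE32_PLUS):
        raise NotPE("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return bool(flags & NX_COMPAT)

def sample_header(magic: int, dll_characteristics: int) -> bytes:
    """Constructed header-only image for the demo (not a loadable program)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)

def audit(images: dict) -> list:
    """Sorted names of images that do not declare DEP compatibility."""
    return sorted(name for name, data in images.items() if not nx_compat(data))

if __name__ == "__main__":
    # With file arguments, audit those; otherwise run on constructed samples.
    if sys.argv[1:]:
        images = {p: open(p, "rb").read() for p in sys.argv[1:]}
    else:
        images = {"legacy.exe": sample_header(PE32, 0x0040),
                  "modern.exe": sample_header(PE32, 0x0140)}
    for name in audit(images):
        print(f"{name}: NX_COMPAT not set")
```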