Buffer Overflows

One of the most dangerous input attacks is a buffer overflow that specifically targets input fields in web apps. For example, a credit-reporting app might authenticate users before they are permitted to submit data or pull reports. The login form uses the following code to accept user IDs with a maximum input of 12 characters, as indicated by the maxsize variable:

<form name="Webauth" action="www.app.com/log-in.cgi" method="POST">

<input type="text" name="input_name" maxsize="12">

</form>

A normal login session would require a valid login name of 12 characters or less. But the maxsize variable can be modified to something large, such as 150 or even 1,000. Then a hacker can enter bogus data in the login field. What happens next is anyone's guess: the application might hang, overwrite other data in memory, or crash the server.

Hackers usually use buffer overflows to corrupt the execution stack of a web app. By sending carefully crafted input to a web app, a hacker can make the web app execute arbitrary code and possibly take over the server.

Buffer overflow vulnerabilities can exist in the web server and application server products that serve the static and dynamic parts of a website, or in the web app itself.
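
The maxsize limit in the form is applied only on the client side, so the server-side handler has to enforce the 12-character bound itself. The following is an added example, not code from the original page: a C routine that a CGI handler such as log-in.cgi could use to pull input_name out of a form-urlencoded POST body, rejecting an oversized value before any byte is written past the buffer. The function name get_user_id and its return codes are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_USER_ID 12   /* same limit the form advertises with maxsize="12" */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * Find `field` in a form-urlencoded body and URL-decode its value into out.
 * Returns the decoded length, -1 if the field is missing or malformed, or
 * -2 if the value is longer than MAX_USER_ID (rejected, never truncated).
 * Hypothetical helper: name and return codes are assumptions.
 */
int get_user_id(const char *body, const char *field, char *out, size_t outsz) {
    size_t flen = strlen(field), n = 0;
    const char *p = body;
    if (outsz < MAX_USER_ID + 1) return -1;       /* caller's buffer too small */
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == '=') {
            for (p += flen + 1; *p && *p != '&'; p++) {
                int c = (unsigned char)*p;
                if (c == '+') {
                    c = ' ';
                } else if (c == '%') {            /* %XX escape */
                    int hi = hexval((unsigned char)p[1]);
                    int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
                    if (lo < 0) return -1;        /* truncated or bad escape */
                    c = hi * 16 + lo;
                    p += 2;
                }
                if (c == 0) return -1;            /* embedded NUL */
                if (n >= MAX_USER_ID) return -2;  /* bound checked before the write */
                out[n++] = (char)c;
            }
            out[n] = '\0';
            return (int)n;
        }
        p = strchr(p, '&');                       /* advance to the next pair */
        if (p) p++;
    }
    return -1;
}
```

The length check runs on the decoded value and before each write, so a request that ignores the form's limit gets an error code instead of reaching memory beyond the 13-byte buffer.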
