Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Format String"
Revisions by David Fern (one intermediate revision by the same user not shown)
Line 15: | Line 15: | ||
Alert and/or block on known format string signatures | Alert and/or block on known format string signatures | ||
Generic Framework Solution Prohibit access to vulnerable APIs and provide safe wrappers of those APIs instead. | Generic Framework Solution Prohibit access to vulnerable APIs and provide safe wrappers of those APIs instead. | ||
+ | |||
+ | == Generic Framework Solution == | ||
+ | |||
+ | Prohibit access to vulnerable APIs and provide safe wrappers of those APIs instead. | ||
== Custom Framework Solution == | == Custom Framework Solution == | ||
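Review bot: the new "== Generic Framework Solution ==" heading and its sentence are added, but the Perimeter Solution line just above still carries the run-together text "Generic Framework Solution Prohibit access to vulnerable APIs and provide safe wrappers of those APIs instead.", so the rendered page now states that solution twice, once under the wrong heading. Trim that line to "Alert and/or block on known format string signatures" in the same revision.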
Line 38: | Line 42: | ||
[http://projects.webappsec.org/w/page/13246926/Format%20String WASC - Format String] | [http://projects.webappsec.org/w/page/13246926/Format%20String WASC - Format String] | ||
− | [http://capec.mitre.org/data/definitions/339.html | + | [http://capec.mitre.org/data/definitions/339.html CAPEC-339: WASC Threat Classification 2.0 - WASC-06 - Format String] |
[http://cwe.mitre.org/data/definitions/134.html CWE-134: Uncontrolled Format String] | [http://cwe.mitre.org/data/definitions/134.html CWE-134: Uncontrolled Format String] |
Latest revision as of 18:09, 21 July 2013
Format String
Root Cause Summary
The root cause of a format string vulnerability is an attacker being able to control, in part or completely, the format string used to format data by C, C++, and assembly functions such as fprintf, printf, sprintf, setproctitle, and syslog, potentially leading to buffer overflows or data representation problems.
Browser / Standards Solution
None
Perimeter Solution
Alert and/or block on known format string signatures.
Generic Framework Solution
Prohibit access to vulnerable APIs and provide safe wrappers of those APIs instead.
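The following C program is an added example, not code from the OWASP page or project. It puts the root cause described above next to the two mitigations this page names: a perimeter-style check for the simplest "format string signature" (a conversion directive in untrusted data) and a generic-framework-style wrapper that callers use instead of the raw printf-family API. The function names (log_vulnerable, log_fixed, safe_format_message, safe_snprintf, has_format_directive) and the sample input are constructed for this example; the format attribute is the GCC/Clang extension and is compiled out elsewhere.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Root cause (CWE-134): untrusted data is passed AS the format string.
 * Every '%' directive in that data makes the call consume arguments the
 * caller never supplied, which is how the overflows and data-representation
 * problems described on the page arise. Kept only to contrast with the
 * safe forms below; the demo never calls it on the sample input. */
static void log_vulnerable(const char *untrusted)
{
    printf(untrusted);           /* BAD: untrusted data is the format */
}

/* Fixed call: the format is a literal and the data is bound to %s, so it
 * is copied as text and never parsed for directives. */
static void log_fixed(const char *untrusted)
{
    printf("%s\n", untrusted);
}

/* Generic framework solution: a wrapper that callers use instead of the
 * raw API. The caller can only supply data; the format is fixed here.
 * Returns what snprintf returns (length the full message would have). */
static int safe_format_message(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* For callers that genuinely need formatting: the format stays under the
 * programmer's control, and the GCC/Clang format attribute lets the
 * compiler check literal formats against their arguments and diagnose
 * non-literal ones (-Wformat, -Wformat-security, -Wformat-nonliteral). */
#if defined(__GNUC__)
#define FORMAT_CHECK(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define FORMAT_CHECK(fmt_idx, arg_idx)
#endif

static int safe_snprintf(char *out, size_t outsz, const char *fmt, ...) FORMAT_CHECK(3, 4);
static int safe_snprintf(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Perimeter-style signature check: returns 1 if the input contains a
 * conversion directive ('%' not immediately followed by another '%').
 * "%%" is a literal percent sign and is not flagged; a lone trailing '%'
 * is flagged as an incomplete directive. */
static int has_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {       /* skip the escaped percent pair */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input: a literal "%%" plus a real "%x" directive. */
    const char *sample = "progress 100%% done %x";
    char buf[64];

    printf("directive present: %d\n", has_format_directive(sample));
    log_fixed(sample);
    safe_format_message(buf, sizeof buf, sample);
    safe_snprintf(buf, sizeof buf, "len=%zu msg=%s", strlen(sample), sample);
    printf("%s\n", buf);
    (void)log_vulnerable;        /* referenced but deliberately not called */
    return 0;
}
```

The wrapper is the important part of the framework solution: if only safe_format_message and safe_snprintf are exported to application code and the raw printf family is banned (for example by a build-time check or a banned-function list), no caller can reach the vulnerable pattern, and has_format_directive gives a detection hook for logging or blocking inputs that carry directives before they reach any formatting code.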
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
None
References
OWASP - Testing for Format String
WASC - Format String: http://projects.webappsec.org/w/page/13246926/Format%20String
CAPEC-339: WASC Threat Classification 2.0 - WASC-06 - Format String: http://capec.mitre.org/data/definitions/339.html
CWE-134: Uncontrolled Format String: http://cwe.mitre.org/data/definitions/134.html