Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Format String"

From OWASP
Line 38: Line 38:
 
[http://projects.webappsec.org/w/page/13246926/Format%20String WASC - Format String]
 
[http://projects.webappsec.org/w/page/13246926/Format%20String WASC - Format String]
  
[http://capec.mitre.org/data/definitions/339.html - CAPEC-339: WASC Threat Classification 2.0 - WASC-06 - Format String]
+
[http://capec.mitre.org/data/definitions/339.html CAPEC-339: WASC Threat Classification 2.0 - WASC-06 - Format String]
  
 
[http://cwe.mitre.org/data/definitions/134.html CWE-134: Uncontrolled Format String]
 
[http://cwe.mitre.org/data/definitions/134.html CWE-134: Uncontrolled Format String]
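Review bot: the three external links on these lines, including the corrected CAPEC-339 entry, still use http:// URLs; consider switching each to https:// where the target site serves it, since the label fix already touches this block. The removal of the stray "- " before "CAPEC-339" also makes that label consistent with the WASC and CWE entries around it.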

Revision as of 18:05, 21 July 2013

Format String

Root Cause Summary

The root cause of a format string vulnerability is an attacker's ability to control, or completely write, the format string that some C, C++, and Assembly functions such as fprintf, printf, sprintf, setproctitle, and syslog use to format data input, potentially leading to buffer overflows or data representation problems.

Browser / Standards Solution

None

Perimeter Solution

Alert and/or block on known format string signatures.

Generic Framework Solution

Prohibit access to vulnerable APIs and provide safe wrappers of those APIs instead.
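
The safe-wrapper and signature ideas above, sketched in C as an added example (not code from the OWASP page). The names log_untrusted and count_format_directives and the "user input: " prefix are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical safe wrapper (name assumed): callers pass untrusted text as
 * DATA. The format string is a literal inside the wrapper, so directives
 * such as "%x" or "%n" in the input are copied out verbatim and never
 * interpreted. The call this replaces is: snprintf(out, outsz, untrusted);
 * Returns the number of bytes written, or -1 on bad arguments or truncation. */
int log_untrusted(char *out, size_t outsz, const char *untrusted)
{
    if (out == NULL || outsz == 0 || untrusted == NULL)
        return -1;
    int n = snprintf(out, outsz, "user input: %s", untrusted);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';      /* fail closed rather than keep a partial line */
        return -1;
    }
    return n;
}

/* Perimeter-style signature check (hypothetical helper): counts printf
 * conversion directives in a string. "%%" is a literal percent sign and is
 * skipped. A non-zero count in a field that should be plain text is a
 * candidate for an alert. */
int count_format_directives(const char *s)
{
    static const char flags_width[] = "-+ #0123456789.*hlLqjzt$";
    static const char conversions[] = "diouxXeEfFgGaAcspn";
    int hits = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') { i++; continue; }
        size_t j = i + 1;   /* skip flags, width, precision, length */
        while (s[j] != '\0' && strchr(flags_width, s[j]) != NULL)
            j++;
        if (s[j] != '\0' && strchr(conversions, s[j]) != NULL) {
            hits++;
            i = j;
        }
    }
    return hits;
}
```

Building with the compiler's format warnings enabled (for GCC and Clang, -Wformat -Wformat-security) flags remaining call sites that pass a non-literal format string.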

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

None

References

OWASP - Format String

OWASP Format string attack

OWASP - Testing for Format String

WASC - Format String

CAPEC-339: WASC Threat Classification 2.0 - WASC-06 - Format String

CWE-134: Uncontrolled Format String