OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Tod Harter (tharteraptusventures.com)
Date: Mon Mar 25 2002 - 15:43:00 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Seems to me that buffer overflows have more to do with web app frameworks
    than with web app APPLICATION logic, in general. IE, you can't make a piece
    of perl code that has buffer overflow problems, it just isn't possible (and
    if you can its a problem with perl itself or one of the libs linked to it,
    not with a perl application). Extended to mod_perl the point is that if
    there's a buffer overflow its either perl, apache, or something linked to one
    of the two, and no amount of application programmer coding is going to
    eliminate the vulnerability. That isn't to say I shouldn't or can't test
    inputs for size in perl and thus perhaps prevent a vulnerability from being
    exploited. The point is I sure can't do anything about problems in Apache
    itself (though perhaps I could hook certain handlers and create a defense
    against some hacks). I think the point is that, at least with perl, if the
    foundation is secure, the app will be also WRT to buffer overflows.

    Java should be in a similar boat, you just can't build a buffer overflow vuln
    in Java AFAIK.

    On Thursday 21 March 2002 14:21, David Endler wrote:
    > Input buffer overflow vulnerabilities continue to plaque the masses of
    > popular web servers and applications. They often allow malicious worms
    > (e.g. Code Red, Nimda, etc.) to propagate quickly and unhindered due to the
    > exposure of many of these exploitable vulnerabilities on the Internet.
    >
    > * What is the best method for testing a web application for format
    > string/buffer/heap overflows?
    >
    > * Black box pen testing will clearly take a different approach than source
    > code analysis; what are the main steps involved in each (e.g. black box may
    > include spidering a site, finding all web apps, finding all input points in
    > a web app to test, determine element set and size of fault injection
    > payload, etc.). How are these steps performed? What sort of
    > responses/behavior from a web app will indicate a potential vulnerability?
    >
    > * What vendor or open source tools exist to automate some of these testing
    > functions?
    >
    > Please share your experience, points of view or thoughts and we will
    > capture it for the Testing Framework project
    > (http://www.owasp.org/testing/index.shtml).
    >
    > -dave