From: Tod Harter (tharteraptusventures.com)
Date: Mon Mar 25 2002 - 15:43:00 CST
Seems to me that buffer overflows have more to do with web app frameworks
than with web app APPLICATION logic, in general. I.e., you can't make a piece
of perl code that has buffer overflow problems, it just isn't possible (and
if you can it's a problem with perl itself or one of the libs linked to it,
not with a perl application). Extended to mod_perl the point is that if
there's a buffer overflow it's either perl, apache, or something linked to one
of the two, and no amount of application programmer coding is going to
eliminate the vulnerability. That isn't to say I shouldn't or can't test
inputs for size in perl and thus perhaps prevent a vulnerability from being
exploited. The point is I sure can't do anything about problems in Apache
itself (though perhaps I could hook certain handlers and create a defense
against some hacks). I think the point is that, at least with perl, if the
foundation is secure, the app will be also WRT buffer overflows.
Java should be in a similar boat, you just can't build a buffer overflow vuln
in Java AFAIK.
On Thursday 21 March 2002 14:21, David Endler wrote:
> Input buffer overflow vulnerabilities continue to plague the masses of
> popular web servers and applications. They often allow malicious worms
> (e.g. Code Red, Nimda, etc.) to propagate quickly and unhindered due to the
> exposure of many of these exploitable vulnerabilities on the Internet.
> * What is the best method for testing a web application for format
> string/buffer/heap overflows?
> * Black box pen testing will clearly take a different approach than source
> code analysis; what are the main steps involved in each (e.g. black box may
> include spidering a site, finding all web apps, finding all input points in
> a web app to test, determine element set and size of fault injection
> payload, etc.). How are these steps performed? What sort of
> responses/behavior from a web app will indicate a potential vulnerability?
> * What vendor or open source tools exist to automate some of these testing
> Please share your experience, points of view or thoughts and we will
> capture it for the Testing Framework project
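
The reply's remark about testing inputs for size in Perl, as an added example that is not part of the original thread: a per-field byte-length and character check applied to request parameters before they are handed to anything linked below Perl. The policy table, field names, limits and sample requests are all constructed assumptions; a check like this narrows what reaches native code but does not repair a flaw in Apache or perl itself.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode_utf8);

# Hypothetical per-field policy: byte limit and allowed characters.
my %POLICY = (
    username => { max => 32,  re => qr/\A[A-Za-z0-9_.-]+\z/ },
    comment  => { max => 512, re => qr/\A[\x20-\x7E\r\n\t]*\z/ },
);
my $MAX_FIELDS = 16;    # assumed cap on parameters per request

# Returns (1, \%clean) on success, or (0, $reason) on the first violation.
sub validate_params {
    my ($params) = @_;
    return (0, 'too many fields') if keys(%$params) > $MAX_FIELDS;
    my %clean;
    for my $name (sort keys %$params) {
        # Reject anything the policy does not name (default deny).
        my $rule = $POLICY{$name}
            or return (0, "unexpected field '$name'");
        my $value = $params->{$name};
        return (0, "field '$name' is not a plain string")
            if !defined $value || ref $value;
        # Count bytes, not characters: native buffers are sized in bytes.
        my $bytes = length(encode_utf8($value));
        return (0, "field '$name' is $bytes bytes, limit is $rule->{max}")
            if $bytes > $rule->{max};
        return (0, "field '$name' has disallowed characters")
            if $value !~ $rule->{re};
        $clean{$name} = $value;
    }
    return (1, \%clean);
}

# Constructed sample requests (not real traffic).
my @requests = (
    { username => 'alice',    comment => 'looks fine' },
    { username => 'A' x 5000, comment => 'oversized field' },
    { username => 'bob',      comment => 'x', debug => '1' },
);
for my $req (@requests) {
    my ($ok, $result) = validate_params($req);
    print $ok ? "accepted\n" : "rejected: $result\n";
}
```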