- Business Security Articles
- Web Site Security Articles
- Directory Traversal
- Detect Integer Overflow in Web Applications
- Format String Vulnerability
- HTTP PUT Security
- HTTP Response Splitting
- How to Disable Directory Listing on a Web Server
- How to Hide Sensitive Files on Your Web Server
- How to hide X Server Values
- Improper Website Credential Settings
- Avoiding Attacker Supplied URL Vulnerabilities
- Character Set Security
- Cross Site Scripting (XSS) Attacks: Methodology and Prevention
- Data Security with JSON
- Missing or Incorrect Mime Types
- Mixed Content and SSL Security
- Prevent SQL Injection Attacks
- Preventing Cross Site Request Forgery (CSRF)
- Server Details - HTTP Header Information Security
- Server Error Messages
- Shell Injection and Command Injection Attack Vector
- Web Cache Security For Your Website
- XML Injection and XPath Injection
Format String Vulnerability
What are Format String Attacks on Websites?
Programming languages often allow users to format output in various ways, or to insert one piece of data into another via a formatted string. A common example in system programming is displaying output to a user. You might have a print line function which also prints some user data to the screen:
printf("Welcome %s!", username);
If a user enters something like John, we would see the following output to the screen: "Welcome John!". However, if the input to the username variable is not validated, then a malicious attacker could execute what is known as a format string attack. The printf function shown above allows a number of control characters (like %s) to define the format of the data expected. If an attacker can insert additional control characters into the string, printf may look for data to insert into those placeholders, potentially reading in memory locations, or even executing arbitrary code.
Many discussions of format string attack vectors happen in the desktop software community, where older C commands such as printf are more common. However these functions have migrated to the internet as well, although most format string examples are more obscure then the one given above.
How Does this Impact my Security?
Format String attack vectors can lead to denial of service attacks in some cases as they can be used to corrupt memory on the server (which often leads to your webserver, such as IIS or Apache, crashing). In some cases, format string attacks can be used to steal data, or execute arbitrary code. Arbitrary code execution could allow an attacker to gain control of the webserver.
Preventing Format String Vulnerabilities
Format string attacks come about due to improperly escaped user input passed to a function which uses String formatters. This does not necessarily mean data sent back to the user or the screen, but could also be used in database calls, logging functions, or system calls. Usually, a percent sign (%) is used to indicate a string formatter, so escaping all % signs is a good place to start.
Generally, functions are hardened against format strings as they are discovered. In PHP, for example, the latest updates provide protection against recently discovered format string attack vectors. Updating your scripting language version to the latest version will generally provide the most protection against these kinds of attacks. Keep in mind, however, that code base upgrades may require changes in your existing application, so should be thoroughly tested before implementation.
Additional Resources
Find Format String Attack Vectors on Your Website
Golem Technologies includes numerous different server setting scans to help you reduce your exposure to attack with thorough security scanning, including Format String Vulnerabilities. See how the Golem Scan can help your business today.
