
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

The trick to finding buffer overflows on web applications is to do the following:
1. Identify what publicly available libraries or code the web application is running.
2. Download that code.
3. Test that code on your local machine to find a buffer overflow.
4. Develop exploit code that works on your local machine.
5. Attempt to execute the exploit code on the web application.
Preventing Buffer Overflows
The easiest step is to avoid developing frontend web applications with C and C++. The
speed increase is nominal compared to delays in Internet communication. If you must
use code written in C or C++, minimize the amount of code used and perform sanity
checks on user input before sending it on to the C or C++ derived code.
If you can't avoid programming in C or C++, you can take basic steps to prevent
some buffer overflows, such as compiling your code with stack protection. You can, for
example, use the /GS flag when compiling C and C++ code in Visual Studio, and use
-fstack-protector in SSP (also known as ProPolice)-enabled versions of gcc.
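As an added example (not code from the book), the prevention advice above in C: a legacy fixed-buffer routine of the kind the text warns about, wrapped so that untrusted input is length-bounded and allow-listed before it ever reaches the C code. NAME_MAX, legacy_store_name, name_is_valid and store_name_checked are hypothetical names chosen for this illustration.

```c
/* Added example, not from the book. Build with stack protection as the text
 * recommends, e.g.:  gcc -fstack-protector example.c            */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NAME_MAX 32   /* hypothetical buffer size used by the legacy routine */

/* Legacy C routine: strcpy() into a fixed stack buffer with no length check.
 * Any input of NAME_MAX bytes or more overruns 'buf'. It is kept as-is to
 * show the pattern and is only ever reached through the checked wrapper. */
static size_t legacy_store_name(const char *name) {
    char buf[NAME_MAX];
    strcpy(buf, name);                 /* the overflow point */
    return strlen(buf);
}

/* Sanity check the web front end runs on untrusted input before it is
 * handed to the C code: bound the length and allow-list the characters. */
bool name_is_valid(const char *name) {
    size_t len = 0;
    /* Scan at most NAME_MAX bytes, so unterminated input cannot run us off
     * the end of the caller's memory. */
    while (len < NAME_MAX && name[len] != '\0') {
        unsigned char c = (unsigned char)name[len];
        if (!isalnum(c) && c != '_') return false;   /* allow-list */
        len++;
    }
    /* Reject empty input and anything that fills NAME_MAX without a NUL;
     * a valid name is 1..NAME_MAX-1 bytes, leaving room for the terminator. */
    return len > 0 && len < NAME_MAX;
}

/* Hardened entry point: the legacy routine only sees validated input.
 * Returns the stored length, or 0 if the input was rejected. */
size_t store_name_checked(const char *name) {
    if (!name_is_valid(name)) return 0;
    return legacy_store_name(name);
}
```

The wrapper does not fix the legacy routine itself; it enforces the precondition the routine silently assumed, which is the "sanity checks before the C code" step the text describes, while -fstack-protector covers the cases the check misses.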
TESTING FOR INJECTION EXPOSURES
Now that you understand the basics of SQL injection, LDAP injection, XPATH injection,
and OS command injection, it is important that you test your web applications to verify
their security.

