[WEB SECURITY] Re: Jeremiah Grossman writes about buffer overflow myths

Martin O'Neal martin.oneal at corsaire.com
Wed Mar 15 11:31:41 EST 2006


> I've been around for quite a while, and I can't remember the last 
> time I have seen a Buffer Overflow in a custom-built web application. 
> Anyone else?

Probably down to a combination of two things:

First may just be due to technology choices; many application are now
written wholly in VM'ed byte code which make this form of attack less
successful.  CGI/ISAPI technologies tend to be more susceptible, as the
code is closer to the platform, but from experience we are not seeing so
many of these deployed in the field.  They are still out there though.

Second is down to approach; the common web app assessment scenario is a
consultant working remotely from the target server platform.  Given the
right circumstances, the servers could easily be suffering from
protection faults as the result of overflown buffers, and the consultant
would be blissfully unaware of the fact.  How many reports have you seen
with a non-specific "application stopped responding when I did X" or
"when I did Y the server reported a generic 500 error"?  Without access
to the server/logs these could very easily be the result of something
more substantial.

Martin...




---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list