Testing Tips

Some of this chapter focuses on how format string attacks work, and testing for format string vulnerabilities is usually fairly straightforward. Keep the following tips in mind when formulating your security testing strategy and specific test cases.

  • Remember to try more than one type of format string and use long series of specifiers.

  • Using the %s or %n specifiers can generate an exception, but the exception might be handled by the application. Catching this might require attaching a debugger to the program.

  • In addition to code review and manual testing, don't forget to include format string test cases in automation runs and fuzzing. Start out with single format specifiers (such as %x, %d, %s, and %n) in your input. Don't forget to try longer series of format string specifiers as well (%s%s%s %s or %n%n%n %n).

  • Figure out which components are written in C or C++ and might use format string specifiers with untrustworthy input, and test those first.

  • Keep in mind that other places might have bugs similar to the format string specifier problem. Be on the lookout for similar issues.

  • Some format string vulnerabilities might be in code that has a defined exception handler, and they will not crash. Like overruns, these vulnerabilities are exploitable anyhow. Set a breakpoint on the exception handler or look for first-chance exceptions.
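The following is an added example and not code from Hunting Security Bugs; the function names (log_unsafe_pattern, log_safe, probe_echoed_literally, count_literal_echoes), the PROBES table and the sample responses are assumptions made for illustration. It puts the pattern the chapter warns about (untrusted input used as the format argument) beside its hardened form, builds the kind of test inputs the tips describe (single specifiers first, then longer series of more than one type), and shows a simple black-box oracle for an echo-style interface: if the literal probe no longer appears in the response, something consumed the specifiers and the case deserves a closer look under a debugger, which matters because a handled exception will not show up as a crash.

```c
#include <stdio.h>
#include <string.h>

/* Added example; names and data here are assumptions, not the book's code. */

/* The pattern the chapter warns about: untrusted input becomes the format
   argument. Kept only for contrast; nothing in this file calls it.
   Compilers flag it with -Wformat-security ("format not a string literal"). */
static int log_unsafe_pattern(char *out, size_t outlen, const char *user_input)
{
    return snprintf(out, outlen, user_input);
}

/* Hardened form: the format is a literal and the input is only data, so
   "%x", "%s" and "%n" in the input are copied through untouched. */
static int log_safe(char *out, size_t outlen, const char *user_input)
{
    return snprintf(out, outlen, "%s", user_input);
}

/* Constructed test cases along the lines of the tips: single specifiers,
   then longer series, and more than one specifier type. */
static const char *const PROBES[] = {
    "%x", "%d", "%s", "%n",
    "%x%x%x%x%x%x%x%x",
    "%s%s%s%s%s%s%s%s",
    "%n%n%n%n%n%n%n%n",
    "%08x.%08x.%08x.%08x",
};
#define NPROBES (sizeof PROBES / sizeof PROBES[0])

/* Oracle for an interface that echoes its input: returns 1 when the probe
   survives verbatim in the response (specifiers treated as data), 0 when
   the literal probe is gone (specifiers were interpreted, or the response
   was altered in some other way worth investigating). */
static int probe_echoed_literally(const char *probe, const char *response)
{
    return strstr(response, probe) != NULL;
}

/* Runs every probe through the hardened sink and counts how many come back
   unchanged; a correct sink returns NPROBES. */
static size_t count_literal_echoes(void)
{
    char buf[128];
    size_t ok = 0;
    for (size_t i = 0; i < NPROBES; i++) {
        log_safe(buf, sizeof buf, PROBES[i]);
        if (probe_echoed_literally(PROBES[i], buf))
            ok++;
    }
    return ok;
}

int main(void)
{
    (void)log_unsafe_pattern;   /* referenced only to keep the contrast visible */
    printf("%zu of %zu probes echoed literally by log_safe\n",
           count_literal_echoes(), NPROBES);
    return 0;
}
```

In a real test run the response would come from the component under test rather than from log_safe, and a probe that fails the oracle is the case to replay with a debugger attached and first-chance exceptions enabled.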


Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156