Last active February 16, 2020 21:15
OWASP WSTG Scratchpad
For https://github.com/OWASP/wstg/issues/224
-----------------------------
Rewrite Layout
-----------------------------
# Testing for Format String
## Summary
What is a format string vulnerability
Consequences: information disclosure for non-C, information disclosure or memory corruption for C
## Test Objectives
Check if there are any user-controlled inputs that append to or otherwise modify a format string
## How to Test
### Static Analysis
### Unit or Black Box Test Cases
## Remediation
Information disclosure or remote code execution
-- Article Rewrite --
Description of issue:
- What it is: Talk about the append to format string in code
- Vulnerability:
- For languages that don't care about number of values versus the string: Exposure of information
- For languages that check number of items in format string versus args: Crash
- For C: Remote code execution or write to memory via %n
How to test:
- List of static analysis tools
- Tests (at unit or full system test level) that inject %s, {}, %n, etc to look for abnormalities
-- Current Article Contents --
https://github.com/OWASP/wstg/blob/master/document/4_Web_Application_Security_Testing/4.8_Input_Validation_Testing/4.8.14.3_Testing_for_Format_String.md
Stuff that can stay:
* All the items about ANSI C (other than possibly updating the links)
* Enumeration of stack
* "Black box testing" use case
* ITS4 static analysis tool or similar flagging the format string vulnerability
Oddities:
* "Black box testing" that really isn't black box because it goes into disassembling the program
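An added example (mine, not part of this gist, the WSTG article or any OWASP project) that puts the two points above into working Python: a renderer that uses user input as the format string, the same defect with %-style formatting, the hardened form that passes user input as a value, and a black-box probe that injects the specifiers named in these notes (%s, %n, {}) and classifies each response as echoed, crashed or altered. The context dictionary and its "db_password" value are constructed placeholders; the function names are mine.

```python
"""Format-string handling in a Python web handler: vulnerable renderers,
the hardened counterpart, and a black-box probe that injects the
specifiers from the notes (%s, %n, {}) and reports abnormalities."""

# Constructed server-side context: the kind of data a renderer might have
# in scope. The "db_password" value is a placeholder, not a real secret.
CONTEXT = {"user": "alice", "db_password": "PLACEHOLDER-SECRET"}


def render_vulnerable(user_input: str) -> str:
    """User input is used AS the format string (the CWE-134 root cause).
    str.format does not check how many keyword values it is given, so a
    probe such as {db_password} pulls a value out of CONTEXT: disclosure."""
    return user_input.format(**CONTEXT)


def render_vulnerable_percent(user_input: str) -> str:
    """Same defect with %-style formatting. Here Python checks the number
    and type of arguments, so a mismatched specifier raises instead of
    leaking: the 'crash' consequence rather than the 'exposure' one."""
    return user_input % (CONTEXT["user"],)


def render_safe(user_input: str) -> str:
    """Hardened form: the format string is a constant and user input is
    passed as a VALUE, so any specifier inside it is just text."""
    return "Hello {user}, you said: {msg}".format(user=CONTEXT["user"], msg=user_input)


# Probes from the notes plus a few positional/keyword variants.
PROBES = ["%s", "%n", "%x %x %x", "{}", "{0}", "{db_password}", "{user}"]


def probe(render) -> dict:
    """Black-box check: feed each probe and classify the response.
    'echoed'  : probe appears verbatim  -> input treated as data (expected)
    'crash'   : renderer raised         -> specifier interpreted, counts checked
    'altered' : probe interpreted and gone from the output -> possible disclosure
    """
    results = {}
    for p in PROBES:
        try:
            out = render(p)
        except (KeyError, IndexError, TypeError, ValueError) as exc:
            results[p] = ("crash", type(exc).__name__)
            continue
        results[p] = ("echoed", out) if p in out else ("altered", out)
    return results


def is_vulnerable(render) -> bool:
    """A renderer passes only if every probe comes back unchanged."""
    return any(kind != "echoed" for kind, _ in probe(render).values())


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_vulnerable),
                     ("vulnerable_percent", render_vulnerable_percent),
                     ("safe", render_safe)]:
        print(name, "VULNERABLE" if is_vulnerable(fn) else "ok")
        for p, (kind, detail) in probe(fn).items():
            print(f"  {p!r:16} {kind:8} {detail}")
```

The probe deliberately treats an exception as a finding: in a unit test that is the "crash" abnormality the notes list for languages that check argument counts, and in a full-system test it shows up as a 500 response or a log entry, which is what a black-box tester would look for.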
* "Grey box testing" isn't grey because tools are looking at the source code rather than disassembly
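An added example (mine, not from this gist, ITS4 or any OWASP tool) of the source-level check a static analysis tool performs for this bug class: walk a Python module's AST and flag every place where the format string is not a literal, which is exactly the "user input used as the format string" root cause. The sample module and its line numbers are constructed; the function names are mine. The `%` rule cannot tell string formatting from integer modulo without type information, so it over-reports, which is noted in the code.

```python
"""Source-level (grey-box) check: flag format operations whose format
string is not a literal. Requires Python 3.8+ for ast.Constant."""
import ast

# Methods whose receiver is interpreted as a format string.
FORMAT_METHODS = {"format", "format_map"}
# logging methods whose message argument is a %-style format string.
LOG_FUNCS = {"debug", "info", "warning", "error", "critical", "exception", "log"}


def _is_literal_str(node) -> bool:
    """Constant strings and f-strings have a compile-time template."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)) \
        or isinstance(node, ast.JoinedStr)


def find_nonliteral_format_strings(source: str):
    """Return sorted (lineno, message) findings for the given source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            attr = node.func.attr
            # x.format(...) / x.format_map(...) where x is not a literal
            if attr in FORMAT_METHODS and not _is_literal_str(node.func.value):
                findings.append((node.lineno, f"non-literal receiver of .{attr}()"))
            # logger.info(msg) / logger.log(level, msg) with a non-literal message
            elif attr in LOG_FUNCS:
                idx = 1 if attr == "log" else 0
                if len(node.args) > idx and not _is_literal_str(node.args[idx]):
                    findings.append((node.lineno, f"non-literal format string passed to {attr}()"))
        # x % args where x is not a literal. Caveat: without type information this
        # also flags integer modulo on variables; a real tool would use types.
        elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod) \
                and not isinstance(node.left, ast.Constant) \
                and not _is_literal_str(node.left):
            findings.append((node.lineno, "non-literal left operand of %"))
    return sorted(findings)


# Constructed sample module: three defects and three safe counterparts.
SAMPLE = '''
import logging
log = logging.getLogger(__name__)
def greet(user_msg, ctx):
    a = user_msg.format(**ctx)            # flagged: receiver is a variable
    b = "Hello {0}".format(user_msg)      # ok: literal template, input is an argument
    c = user_msg % ctx                    # flagged: variable left of %
    d = "%s" % user_msg                   # ok
    log.info(user_msg)                    # flagged: user data as logging format string
    log.info("got %s", user_msg)          # ok
    return a, b, c, d
'''

if __name__ == "__main__":
    for lineno, msg in find_nonliteral_format_strings(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Running it on the sample reports lines 5, 7 and 9. The same three patterns (non-literal receiver, non-literal left operand, non-literal logging message) are what source-level tools look for; the point of the check is that the remediation is always the same, move the user data into the arguments and keep the template constant.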
-- Research Scratchpad --
Other OWASP projects have old references as well: (2005) https://www.owasp.org/index.php/Format_string_attack
A ~2016 reference https://www.exploit-db.com/docs/english/28476-linux-format-string-exploitation.pdf
Wikipedia has a blog post reference https://en.wikipedia.org/wiki/Uncontrolled_format_string -> http://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html
https://www.veracode.com/security/format-string
-
```"Prevalence: Very Low, Format String vulnerabilities are found in less than 1% of applications"```
https://resources.infosecinstitute.com/buffer-overflow-format-string-attacks-basics-part-2/#article
-
https://cwe.mitre.org/data/definitions/134.html
```
Research Gap
Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.
```
https://www.us-cert.gov/bsi/articles/knowledge/coding-practices/do-not-use-n-format-string-specifier
Has a Python example: https://www.netsparker.com/blog/web-security/string-concatenation-format-string-vulnerabilities/
From 2013 https://www.fuzzysecurity.com/tutorials/expDev/10.html
https://www.youtube.com/watch?v=dJTANsVBo1U
- Root cause of vulnerability is allowing user input as the format string https://youtu.be/dJTANsVBo1U?t=532
- "%n" in a C format string can write to memory https://youtu.be/dJTANsVBo1U?t=733
Case of a format string vulnerability https://www.helpnetsecurity.com/2019/07/22/cve-2019-1579-poc/
Java static analysis to detect format string https://find-sec-bugs.github.io/bugs.htm#FORMAT_STRING_MANIPULATION