@patrickceg
Last active February 16, 2020 21:15
OWASP WSTG Scratchpad
For https://github.com/OWASP/wstg/issues/224
-----------------------------
Rewrite Layout
-----------------------------
# Testing for Format String
## Summary
What is a format string vulnerability
Consequences: information disclosure for non-C, information disclosure or memory corruption for C
## Test Objectives
Check if there are any user-controlled inputs that append to or otherwise modify a format string
## How to Test
### Static Analysis
### Unit or Black Box Test Cases
## Remediation
Information disclosure or remote code execution
-- Article Rewrite --
Description of issue:
- What it is: talk about user input being appended to (or used as) the format string in code
- Vulnerability:
- For languages that don't check the number of arguments against the format string: exposure of information
- For languages that check the number of items in the format string versus the args: crash
- For C: remote code execution or write to memory via %n
How to test:
- List of static analysis tools
- Tests (at unit or full system test level) that inject %s, {}, %n, etc to look for abnormalities
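An added example (not from the gist or the WSTG document) of the unit-level probes described in the note above, in Python since the rewrite targets languages other than C; the greeting functions, the Settings object and the secret value are constructed for the demo:

```python
from typing import Callable, List, Tuple

SECRET_TOKEN = "constructed-secret-value"   # constructed stand-in for a config value


class Settings:                              # constructed config object
    api_key = SECRET_TOKEN


settings = Settings()


def greet_str_format_vulnerable(user_input: str) -> str:
    # Defect: user input becomes part of the format string, so a field such as
    # {0.api_key} is resolved against `settings` (information disclosure).
    return ("Hello, " + user_input).format(settings)


def greet_percent_vulnerable(user_input: str) -> str:
    # Same defect with %-formatting: %s reflects the object, while an unknown
    # specifier such as %n or a mismatched argument count raises (the crash case).
    return ("Hello, " + user_input) % (settings,)


def greet_fixed(user_input: str) -> str:
    # Fix: the format string is a constant; user input is only an argument.
    return "Hello, {}".format(user_input)


# Markers from the test-plan note above, plus a lone brace to provoke a parse error.
PROBES = ["%s", "%n", "{}", "{0}", "{0.api_key}", "{0.__class__}", "{"]


def probe(render: Callable[[str], str], probes=PROBES) -> List[Tuple[str, str, str]]:
    """Feed each probe to `render` and record abnormalities: an exception (the
    probe was parsed as a format string and failed), an output that no longer
    contains the literal probe (a field was substituted), or the constructed
    secret appearing in the output."""
    findings = []
    for p in probes:
        try:
            out = render(p)
        except Exception as exc:          # any failure is a finding worth triage
            findings.append((p, "exception", type(exc).__name__))
            continue
        if p not in out:
            findings.append((p, "substituted", out))
        if SECRET_TOKEN in out:
            findings.append((p, "secret_leaked", out))
    return findings


if __name__ == "__main__":
    for fn in (greet_str_format_vulnerable, greet_percent_vulnerable, greet_fixed):
        print(fn.__name__, probe(fn))
```

The fixed function yields no findings; each vulnerable variant shows which marker family ({}-style versus %-style) its language feature reacts to.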
-- Current Article Contents --
https://github.com/OWASP/wstg/blob/master/document/4_Web_Application_Security_Testing/4.8_Input_Validation_Testing/4.8.14.3_Testing_for_Format_String.md
Stuff that can stay:
* All the items about ANSI C (other than possibly updating the links)
* Enumeration of stack
* "Black box testing" use case
* ITS4 static analysis tool or similar flagging the format string vulnerability
Oddities:
* "Black box testing" that really isn't black box because it goes into disassembling the program
* "Grey box testing" isn't grey because tools are looking at the source code rather than disassembly
-- Research Scratchpad --
Other OWASP projects have old references as well: (2005) https://www.owasp.org/index.php/Format_string_attack
A ~2016 reference https://www.exploit-db.com/docs/english/28476-linux-format-string-exploitation.pdf
Wikipedia has a blog post reference https://en.wikipedia.org/wiki/Uncontrolled_format_string -> http://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html
https://www.veracode.com/security/format-string
- ```"Prevalence: Very Low, Format String vulnerabilities are found in less than 1% of applications"```
https://resources.infosecinstitute.com/buffer-overflow-format-string-attacks-basics-part-2/#article
- https://cwe.mitre.org/data/definitions/134.html
```Research Gap
Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.```
https://www.us-cert.gov/bsi/articles/knowledge/coding-practices/do-not-use-n-format-string-specifier
Has a Python example: https://www.netsparker.com/blog/web-security/string-concatenation-format-string-vulnerabilities/
From 2013 https://www.fuzzysecurity.com/tutorials/expDev/10.html
https://www.youtube.com/watch?v=dJTANsVBo1U
- Root cause of vulnerability is allowing user input as the format string https://youtu.be/dJTANsVBo1U?t=532
- "%n" in a C format string can write to memory https://youtu.be/dJTANsVBo1U?t=733
Case of a format string vulnerability https://www.helpnetsecurity.com/2019/07/22/cve-2019-1579-poc/
Java static analysis to detect format string https://find-sec-bugs.github.io/bugs.htm#FORMAT_STRING_MANIPULATION