CertiGuide to Security+  9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)       9  1.4  Attacks            9  1.4.12  Software Exploitation

Buffer Overflows 1 1.5  Malicious Code

Another class of software exploits you’re likely to run into if you administer a web server involve poorly programmed web applications that don’t sufficiently check the validity of the data provided to the application by the web user, before using that data in the program. You’ve probably seen your share of web applications before. The way most web applications work is that a user fills in some data on a web form (such as name and address for a mailing list) and clicks “submit”, or clicks on an “order” button next to an item on an e-commerce site … then the data is transmitted to the web server and the application picks up the data and uses it.

Just as programmers sometimes don’t anticipate the sheer magnitude of data a user would throw at a program (in a buffer overflow exploit), they sometimes don’t anticipate the creative types of data a user might type in to a web form field which asks for the user’s name. Depending on how thoroughly the application checks for invalid data, an attacker might be able to send data containing characters like a single quote mark, semi-colon, dashes, back quotes, percent signs or other characters or words which have special meaning to the web server, application running on the web server, or database and cause it to behave in unanticipated ways that allow the attacker to cause damage. In a particular exploit known as SQL injection, a user embeds database commands into data submitted to a web form.

A complete explanation of this is far beyond the scope of this book, but the exploitation of software vulnerabilities in web applications is becoming more and more common, and those who follow the field of computer security are citing it as an area of concern. For example, the most recent OpenHack challenge, OpenHack 4⁹⁶, in which systems are made available over the Internet and users are invited to challenge their security, focuses on application security and involves both Microsoft and Oracle applications.

The important thing to remember about software exploits is that you can help protect your systems against them by keeping the software you run up to date, and by educating programmers in your organization on how to write secure code. Two excellent references on this subject are: Writing Secure Code⁹⁷ by Michael Howard and David LeBlanc, the Open Web Application Security Project Guide⁹⁸, and Designing Secure Web-Based Applications for Microsoft Windows 2000⁹⁹ by Michael Howard et. al.

If you’re writing web applications, or know someone in your company who does, we can’t say it strongly enough -- THEY NEED THIS INFO. If they don’t think they need it, then, seriously, they REALLY need it, because it’s likely they’ve made a false assumption or two about what safe web application coding looks like.

Buffer Overflows 1 1.5  Malicious Code