In this video, learn about overflow attacks.
- [Instructor] Buffer overflow attacks also pose a danger to the security of web applications. When software engineers develop applications, they often set aside specific portions of memory to contain variable content. Users often provide answers to questions that are critical to the application's functioning and fill those memory buffers. If the developer fails to check that the input provided by the user is short enough to fit in the buffer, a buffer overflow occurs. The user content may overflow from the area reserved for input into an area used for other purposes and unexpected results may occur.
The easiest way to show this is with an example. So let's go back to WebGoat. You can see here that we have an application handling Wi-Fi charges for hotel rooms. I'm also going to start up the ZAP Proxy and then run through this page. I'm going to go ahead and enter my name and a hotel room number and then press submit. Here I am now in the ZAP Proxy, which has intercepted my request. I'm going to start walking through this step by step, and just review the contents of each of the intermediate pages.
Once I finish this, I return to the web browser and see that it's loaded a second page, step two, where it's asking me to accept the price plan. I go ahead and do that and here I am, back in the ZAP Proxy. Once again, I step through this and notice that the web application has placed my name and room number in hidden fields on this form, even though they didn't appear on the page that I just filled out. That's interesting. I'm going to go now and let this finish and return to the web application.
I'm going to restart it this time. Now I'm going to go ahead and type my name again. I'm going to attempt a buffer overflow attack this time. I'm going to assume that the web developers who created this application didn't put any limits on the room number that I can type in. I'm going to go ahead and type in a 4,097-digit room number. I just happen to have one saved already, which I'm going to copy and then paste into the room number field and press submit.
I've now got into the page where it's asking me to select a pricing plan. I'm going to go back to ZAP and tell it to intercept the next request. This time when I click accept terms, I go into ZAP and I can see that it's about to submit the very, very long room number to the web application, and I go ahead and let that happen. This time when I scroll down, I see that it does have my name and my very long room number in the results. If I keep scrolling down, I also notice that the web application has placed in here the names and room numbers of every other guest of the hotel.
I've successfully conducted a buffer overflow attack against this web application. In this example, you saw how a buffer overflow can result in unexpected behavior. More specifically, I exploited a type of buffer overflow known as an integer overflow. I put in a 4,000 character room number when accessing a hotel Wi-Fi page and wound up viewing a list of all of the guests staying in the hotel. The simple use of input validation limiting room numbers to three or four digits would have prevented this problem.
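The following C program is an added illustration of the mechanism the instructor describes, not code from WebGoat or from the course: a fixed-size room-number field sits directly in front of other data, an unchecked copy of an over-long room number runs past the field and overwrites what follows, and the hardened version rejects the input before copying. The record layout, field sizes, guest name and function names are all assumptions chosen for the example; the sample inputs are constructed. To keep the demonstration well-defined, the "adjacent memory" is a region inside one flat byte array rather than a separate variable.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed layout (assumption): one flat block holding a session record.
 * Bytes [0, ROOM_LEN) are the room-number field, and the bytes after it hold
 * something else the application relies on, here the guest's name. */
#define ROOM_LEN 5                       /* room for 4 digits plus a NUL */
#define NAME_LEN 24
#define RECORD_LEN (ROOM_LEN + NAME_LEN)

struct record { char bytes[RECORD_LEN]; };

static void record_init(struct record *r, const char *name) {
    memset(r->bytes, 0, RECORD_LEN);
    strncpy(r->bytes + ROOM_LEN, name, NAME_LEN - 1);
}

const char *record_room(const struct record *r) { return r->bytes; }
const char *record_name(const struct record *r) { return r->bytes + ROOM_LEN; }

/* Vulnerable: copies the user's input stopping only at the terminating NUL.
 * Anything longer than ROOM_LEN-1 characters spills into the name field.
 * (The copy is capped at the whole block so the example stays defined.) */
void set_room_unchecked(struct record *r, const char *input) {
    size_t i;
    for (i = 0; input[i] != '\0' && i < RECORD_LEN - 1; i++)
        r->bytes[i] = input[i];
    r->bytes[i] = '\0';
}

/* Hardened: enforce the length limit and the character set before copying.
 * Returns 1 on success, 0 if the input is rejected (record left untouched). */
int set_room_checked(struct record *r, const char *input) {
    size_t n = 0;
    while (n < ROOM_LEN && input[n] != '\0')   /* never scan past the limit */
        n++;
    if (n == 0 || n >= ROOM_LEN)               /* empty, or too long to fit */
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)input[i]))  /* room numbers are digits */
            return 0;
    memcpy(r->bytes, input, n);
    r->bytes[n] = '\0';
    return 1;
}

/* Helpers that run each scenario on a fresh record with a known guest name. */
static struct record scratch;

const char *name_after_unchecked_copy(const char *room_input) {
    record_init(&scratch, "Alice");
    set_room_unchecked(&scratch, room_input);
    return record_name(&scratch);
}

int checked_copy_accepts(const char *room_input) {
    record_init(&scratch, "Alice");
    return set_room_checked(&scratch, room_input);
}

int main(void) {
    /* Constructed over-long input: 13 digits into a 4-digit field. */
    printf("unchecked copy, name field now reads: \"%s\"\n",
           name_after_unchecked_copy("1234567890123"));
    printf("checked copy accepts the long input? %d\n",
           checked_copy_accepts("1234567890123"));
    printf("checked copy accepts \"412\"? %d\n", checked_copy_accepts("412"));
    return 0;
}
```

The unchecked path turns the guest name into the tail of the room number, which is the same class of failure the instructor triggers in WebGoat: data from the over-long field ends up where the application expects something else. The checked path implements the fix the transcript names, a length and character-set limit applied before the value is stored.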