Wednesday, February 6, 2013

Format String Vulnerability

A format string vulnerability can happen when data submitted by the user is interpreted as a command by the program. It occurs when you call a formatted print function (e.g. printf()) with the user's input as the format string itself, instead of passing a fixed format string whose conversion specifier tells the function how to treat that input. For example, the wrong way to write a format print statement would be "printf(stringValue);" whereas the correct and more secure way would be to include a format parameter in the printf statement, like so: "printf("%s", stringValue);". If an attacker were able to exploit this vulnerability, he or she would be able to execute code, read the stack, cause new behaviors that could affect the security and stability of the system, or completely crash the program and make it unavailable. For more information on the format string vulnerability, please visit the official OWASP page!

Reference: https://www.owasp.org/index.php/Format_string_attack
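
The two forms described above, side by side, as an added example that is not part of the original post. The function names and the sample input are constructed for illustration; the input uses only "%%", which consumes no arguments, so the difference in output shows the input being interpreted as a format without invoking undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the post: untrusted text is passed as the format
 * string itself, so any conversion specifier in it is interpreted.
 * GCC and Clang flag this with -Wformat-security; the warning is silenced
 * here only so the "before" version compiles for comparison. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int render_unsafe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);
}
#pragma GCC diagnostic pop

/* Corrected pattern: the format string is a constant and the untrusted
 * text is only ever data for the %s conversion. */
int render_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Returns 1 when the two renderings differ, i.e. the unsafe call treated
 * part of the input as a format directive instead of literal text. */
int interpreted_as_format(const char *user)
{
    char a[128], b[128];
    render_unsafe(a, sizeof a, user);
    render_safe(b, sizeof b, user);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed sample input containing a literal "%%" pair. */
    const char *input = "disk usage 100%% reached";
    char buf[128];

    render_unsafe(buf, sizeof buf, input);
    printf("unsafe: %s\n", buf);   /* the pair collapses to one '%' */
    render_safe(buf, sizeof buf, input);
    printf("safe:   %s\n", buf);   /* input reproduced byte for byte */
    printf("interpreted as format: %d\n", interpreted_as_format(input));
    return 0;
}
```

Building with -Werror=format-security turns the vulnerable call into a compile error, which catches this pattern before it ships.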
