
Buffer Overflows PDF

The document discusses buffer overflow attacks against web applications. It notes that attackers can send crafted input to a web application to cause it to execute arbitrary code and take over the machine. Buffer overflows can exist in web servers, application servers, or custom web application code. When web applications use third party libraries, they are vulnerable as well. Buffer overflows in custom code are harder to detect since there are fewer people searching for vulnerabilities. The WebGoat is introduced as a deliberately insecure web application for helping developers learn about security vulnerabilities. It contains exercises on topics like injection flaws, cross-site scripting, denial of service attacks, and more. Users can download the jar file, start the web server on port 8080

Uploaded by

Sridhar P

Buffer Overflows

– Attackers use buffer overflows to corrupt the execution stack of a web application:

- By sending carefully crafted input to a web application, an attacker can cause the web application to
execute arbitrary code, effectively taking over the machine.

- Buffer overflow flaws can be present in the web server or application server products that serve the
static and dynamic aspects of the site, or in the web application itself.

- When web applications use libraries, such as a graphics library to generate images, they open
themselves to potential buffer overflow attacks.

- Buffer overflows can also be found in custom web application code, and may even be more likely given
the lack of scrutiny that web applications typically go through.

- Buffer overflow flaws in custom web applications are less likely to be detected because there will
normally be far fewer hackers trying to find and exploit such flaws in a specific application.

WebGoat
WebGoat is a deliberately insecure web application aimed at helping developers learn about
security vulnerabilities first hand by hacking WebGoat.

It includes numerous exercises on topics ranging from Injection Flaws and Cross-Site Scripting (XSS) to
Denial of Service and many others.

Download and Start the WebGoat

Download webgoat-container-7.1-exec.jar and start it with:

java -jar webgoat-container-7.1-exec.jar

This will start a web server on port 8080. You can access it via http://localhost:8080/WebGoat/

Login

First, we log in using the guest account.

Get comfortable with the UI

Then, we can have a look at the Tutorial with lots of helpful tips on how to get started with the WebGoat.

- Once the web form is filled in, a Price Plan is offered for the guest to accept:

- On entering 4097 characters, all the hidden fields are revealed, containing the hard-coded information related to
the VIP guests:
We use a web developer add-on to view the weakness in the form.
If we enter 4097 characters in the room number field and press the submit button, we get multiple entries
showing the details. This is the method used to obtain the data leakage.

3 - Launching the Buffer Overflow attack

- The challenge of the exercise is to reveal information and data about VIP guests by taking
advantage of the Buffer Overflow vulnerability in the application.

- The strategy is to test various character strings with different lengths (1025, 2049, 4097, ...) until you
find the one that causes the buffer overflow and therefore the disclosure of confidential information
stored by the vulnerable application.
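
The fix for this class of flaw is a server-side length check on every form field before it is copied into a fixed-size buffer. The C code below is an added example, not part of the original document and not WebGoat's own code. It sets an unchecked copy beside a hardened one that rejects the over-length room number strings used in the exercise. The struct layout, the 16-byte limit and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define ROOM_NO_MAX 16  /* assumed size limit for the room number field */

/* Hypothetical record: the form field sits beside data guests must not see. */
struct booking {
    char room_no[ROOM_NO_MAX];
    char vip_note[32];
};

/* Unsafe "before" form: strcpy() copies until the NUL byte, so input of
 * ROOM_NO_MAX bytes or more is written past room_no into vip_note and on. */
void set_room_unsafe(struct booking *b, const char *input)
{
    strcpy(b->room_no, input);
}

/* Hardened form: bounded length check, reject instead of truncating.
 * Returns 0 on success, -1 when the input is rejected. */
int set_room_checked(struct booking *b, const char *input)
{
    const char *end;
    if (b == NULL || input == NULL)
        return -1;
    end = memchr(input, '\0', ROOM_NO_MAX);  /* examines ROOM_NO_MAX bytes at most */
    if (end == NULL || end == input)         /* too long, or empty */
        return -1;
    memcpy(b->room_no, input, (size_t)(end - input) + 1);  /* +1 copies the NUL */
    return 0;
}

/* Build an n-character probe (constructed input) and return the verdict. */
int probe_length(struct booking *b, size_t n)
{
    static char probe[8192];
    if (n >= sizeof probe)
        return -1;
    memset(probe, 'A', n);
    probe[n] = '\0';
    return set_room_checked(b, probe);
}

int main(void)
{
    struct booking b = { "", "VIP: constructed" };
    /* 3 characters fit; the exercise's 4097-character probe is rejected. */
    return !(probe_length(&b, 3) == 0 && probe_length(&b, 4097) == -1);
}
```

Rejecting the request outright, rather than truncating it, also leaves a clear signal for logging: repeated submissions at 1025, 2049 and 4097 characters are a recognisable probing pattern.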
