Buffer Overflows

Overview of the attack

Buffer overflow attacks write to memory outside the space allocated to a particular variable. This may lead to complete compromise of the website and web server. However, because such attacks are difficult to carry out in web environments, they are seen as a relatively minor risk compared to attacks such as cross-site scripting and SQL injection.

What makes a site vulnerable?

A site may be vulnerable to buffer overflow attacks if it passes user input to functions which do not guarantee that adequate memory has been allocated for all of the input. When this is the case, the input may spill over into memory allocated for other purposes. By overwriting this memory, the attacker may be able to affect the operation of the website and the underlying web server.

Impact of the attack

As is the case in non-web software, a successful buffer overflow attack against a web application can be very damaging. In particular, the attacker may be able to execute arbitrary code on the web server, which potentially allows them to take full control of the website and server. The attacker may also be able to crash the web server. Despite the high potential for damage, buffer overflows are generally considered to pose a minor threat to website security. This is because, unlike for non-web software, it is particularly difficult to carry out a successful buffer overflow against a website. This is due in part to the fact that constructing a successful exploit usually requires the ability to observe the effect of intermediate attempts on memory, something an attacker cannot do in the typical website attack scenario.

Preventing the attack

To prevent buffer overflows, it is advisable to avoid passing user-supplied input to functions which do not bound the amount of memory they write. If this is unavoidable, then the website should implement its own restrictions on the length of the resultant data to be written to memory, to ensure that it does not exceed the allocated space. An alternative method of prevention is to use programming languages such as Java and Python which operate in an interpreted environment, which ensures code is free from buffer overflows except for any such vulnerabilities in the interpreter itself.
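The two patterns described above, as an added C example that is not part of the original article: an unbounded copy of a request parameter next to a bounded copy that enforces the length restriction itself, plus a check that the data built from the input still fits. The buffer size, the function names and the parameter values are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size buffer for one request parameter.
 * Kept deliberately small so the bounds checks are easy to exercise. */
#define PARAM_BUF 16

/* Pattern the article warns against: the destination size never enters
 * the call, so input longer than dst spills into adjacent memory.
 * Shown for contrast only; the example never calls it with long input. */
void copy_unbounded(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened pattern: measure the input without scanning past dst_size,
 * and refuse anything that would not fit together with its NUL byte.
 * Returns 0 on success, -1 when the input is rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') {
        n++;
    }
    if (n >= dst_size) {
        return -1;               /* no room for data plus terminator */
    }
    memcpy(dst, src, n + 1);     /* n + 1 copies the NUL as well */
    return 0;
}

/* When the data written is built from the input (the "resultant data"
 * the article mentions), check snprintf's return value: a value >= dst_size
 * means the output was truncated, which callers must treat as a failure. */
int format_bounded(char *dst, size_t dst_size, const char *user) {
    int needed = snprintf(dst, dst_size, "user=%s", user);
    if (needed < 0 || (size_t)needed >= dst_size) {
        return -1;               /* would not fit: reject rather than truncate */
    }
    return 0;
}

int main(void) {
    char buf[PARAM_BUF];
    printf("short input: %d\n", copy_bounded(buf, sizeof buf, "index.html"));
    printf("long input:  %d\n", copy_bounded(buf, sizeof buf, "a-value-longer-than-sixteen-bytes"));
    printf("format:      %d\n", format_bounded(buf, sizeof buf, "alice"));
    return 0;
}
```

Rejecting over-long input is preferable to silent truncation, because a truncated parameter can still be processed as if it were valid.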