Security Basics mailing list archives

Re: Testing for buffer overflows


From: DownBload <downbload () hotmail com>
Date: 23 Jul 2003 22:04:38 -0000

In-Reply-To: <001a01c35118$aadcd510$e91f9bd9@solve1>

> Hello all,
>
> I would like some advice on how to go about having an application
> tested for buffer overflows. Are there any tools available? Are there
> people who can do the testing on my behalf?
>
> Do you need more information first?
>
> I look forward to your replies.
>
> David Stout
> CCSP, CCNA, CRCP, INFOSEC

It isn't easy to find all buffer overflow vulnerabilities in an
application. Some buffer overflows are very easy to spot - just 'grep' the
application source for vulnerable functions like strcpy, strcat, sprintf
etc. But there are still other kinds of buffer overflows that are very hard
to find. For example: integer overflows, off-by-one etc.
If you don't have the application source code, it is much harder to find
buffer overflows. In that case, you should give very long strings or very
large numbers to the application's input.
There are tools for finding buffer overflows... use www.google.com :)

DownBload / Illegal Instruction Labs <www.kamikaza.org>
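
Added example, not part of the original post: the two hard-to-spot classes the reply names, an off-by-one and an integer overflow, each beside a corrected form, plus a boundary-length test that catches the first. All function names, `CAP` and `GUARD` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP 8       /* logical size of the destination buffer */
#define GUARD 0x5A  /* constructed marker stored just past the buffer */

/* Off-by-one with no strcpy/strcat/sprintf in sight, so grep misses it. */
static void copy_off_by_one(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n > cap) n = cap;   /* BUG: leaves no room for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';          /* n == cap writes one byte past the end */
}

/* Corrected form: truncate to cap - 1 and terminate inside the buffer. */
static void copy_fixed(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0) return;
    if (n > cap - 1) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Boundary test: the buffer sits inside a larger array, so the stray write
 * is well-defined here and observable. Returns 1 if the guard was hit. */
static int overruns(void (*copy)(char *, size_t, const char *), const char *src) {
    char backing[CAP + 1];
    memset(backing, GUARD, sizeof backing);
    copy(backing, CAP, src);
    return (unsigned char)backing[CAP] != GUARD;
}

/* Integer overflow: count * elem wraps in 32 bits, giving a tiny size. */
static uint32_t size_wrapping(uint32_t count, uint32_t elem) {
    return count * elem;
}

/* Checked form: returns 0 instead of a wrapped size. */
static int size_checked(uint32_t count, uint32_t elem, uint32_t *out) {
    if (elem != 0 && count > UINT32_MAX / elem) return 0;
    *out = count * elem;
    return 1;
}

int main(void) {
    printf("CAP-length input, buggy copy overruns: %d\n", overruns(copy_off_by_one, "AAAAAAAA"));
    printf("CAP-length input, fixed copy overruns: %d\n", overruns(copy_fixed, "AAAAAAAA"));
    return 0;
}
```

A short input such as "abc" passes through the buggy copy cleanly; only an input of exactly the buffer size or longer exposes it, which is why testing at and around the size limit matters.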
