The document discusses format string attacks, which exploit vulnerabilities in C functions that use unchecked user input as the format string parameter. A malicious user can use special format string tokens like %s and %x to print data from the call stack or write to arbitrary memory locations using %n. This allows attackers to execute arbitrary code, read sensitive data, or crash applications. The document provides examples of how format strings work and how buffer overflows can be caused when more data is written than the buffer can hold, overwriting adjacent memory.
2. Basics
A format specifier is used to tell the compiler what type of data the program is taking as an input or output. They usually begin with the '%' character.
Format specifiers indicate the location and method to translate a piece of data (such as a number) to characters. Ex: %s, %d, %f, etc.
A format string refers to a control parameter used by a class of functions in the input/output libraries of C and many other programming languages. These statements contain format specifiers.
[Slide image: example of a statement containing format specifiers]
3. Introduction
An uncontrolled format string is a software vulnerability discovered in the late '80s that can be used to crash the program or make it execute harmful code.
Attacking by exploiting an uncontrolled format string is known as a Format String Attack.
Most of these attacks are executed in ANSI C, as the problem stems from the use of unchecked user input as the format string parameter in certain functions that perform formatting, such as 'print(f)'.
A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in memory.
One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write the number of bytes formatted to an address stored on the stack.
In essence, the format string exploit occurs when the submitted data of an input string is interpreted as a command by the application. So, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.
4. Components
It is important to identify, locate and understand the attack. To understand the attack, it's necessary to understand the components that constitute it.
The Format Function is an ANSI C conversion function, like printf or fprintf, which converts a primitive variable of the programming language into a human-readable string representation.
The Format String is the argument of the Format Function and is an ASCII Z string (a NUL-terminated string) which contains text and format parameters, like: printf("The magic number is: %d\n", 1911);
The Format String Parameter, like %x or %s, defines the type of conversion of the format function.
[Slide table: some examples of Format Functions which, if not treated, can be attacked]
[Slide table: how to verify if the format function accepts and parses the format string parameters]
5. Uncommon Formats and Format Options
In order to fully leverage the power of the format, we need to review the full list of formats and format options.
%n : Saving the Number of Bytes:
Format printing services allow you to save the total bytes formatted into a variable. There is a decent chance you've never heard of this format, but it actually is surprisingly useful for certain tasks. For example, given a format and its arguments, it is not obvious how to determine how long the output is until it is actually formatted. Here's a basic example of using %n:
The %n format matches an address, in particular the address of an integer, at which the number of bytes formatted up to that point is stored. So, for example, running this program, we get:
6. Note that the %n directive does not actually produce anything in the output: it is not printable. Instead, it only has a side effect. OK, so why does this format exist? Well, there are some really practical uses; for example, consider counting the digits of a number read in using scanf():
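The two uses described above, as an added example (not the slides' own program): the %n directive in a printf-family call recording how many bytes had been produced at that point, and the %n directive in a scanf-family call recording how many input characters were consumed, which yields the digit count of a parsed number. The helper names are hypothetical, and the input is a constructed string read with sscanf rather than stdin so the program runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides. %n stores the number of bytes
 * formatted so far into the int whose address is passed as its argument;
 * it prints nothing itself and exists only for that side effect. */

/* Format "value=<number> end" into buf and return how many bytes had been
 * written when the %n directive was reached, i.e. strlen("value=<number>").
 * Hypothetical helper name. */
int bytes_before_suffix(char *buf, size_t buflen, int value) {
    int count = -1;
    snprintf(buf, buflen, "value=%d%n end", value, &count);
    return count;
}

/* The scanf() counterpart: %n stores how many input characters have been
 * consumed so far, which gives the digit count of a parsed number without
 * any extra string handling. A sign or leading blanks are counted too.
 * Returns -1 when no number could be parsed. */
int count_digits(const char *text, int *value_out) {
    int consumed = 0;
    if (sscanf(text, "%d%n", value_out, &consumed) != 1)
        return -1;
    return consumed;
}

int main(void) {
    char buf[64];
    int n = bytes_before_suffix(buf, sizeof buf, 1911);
    printf("%s  (%%n recorded %d bytes)\n", buf, n);

    int value = 0;
    int digits = count_digits("12345", &value);   /* constructed input */
    printf("%d has %d digits\n", value, digits);
    return 0;
}
```

Because %n writes through a pointer, it is the one directive that turns a format string into a memory write; the later slides rely on exactly that, which is why the format string must never come from input.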
7. Format Flag and Argument Options:
Another tool of formats we will need is some of the extra options for formats to better manipulate the format output. So far you are fairly familiar with the conversion formats:
• %d : signed number
• %u : unsigned number
• %x : hexadecimal number
• %f : floating point number
• %s : string conversion
What you might not be aware of is that there is a wealth more options to change the formatting. Here's a sample program that will illuminate some of these so-called "flag" options:
8. * The first flag option is "#", which is used to add prefix formatting. In the case of printing in hexadecimal it will add '0x' to the start of non-zero values. That's pretty useful.
* The next option is adding a number prior to the conversion argument, as in %#50x. This conversion will right-adjust the format such that the entirety of the number takes up a field 50 characters wide. If you were to add a leading 0 to the adjustment, as in %#050x, the format will fill those blank spaces with 0's.
* Perhaps the least familiar option you've seen is the m$ format, where m is some number, which allows you to refer to a specific argument being passed. In the example above, we refer to the same argument twice using two different conversion formats. This is really useful to avoid passing the same argument multiple times; however, when you use the $ references, you have to do so for all the format arguments.
* Finally, we have the half-conversion option h, which says to only convert half the typical size. In this case, since we are working with 4-byte integer values, that would mean formatting a 2-byte short value when using one h, or a 1-byte char value with two, hh.
9. Flag Options for Strings:
With strings, things are similar but a bit different. Here's some example code:
* Like with numbers, we can specify a length flag to right-adjust the string up to some specified size, but we can't fill that in with 0's. Instead the space is filled with spaces.
* Unlike with integer numbers (but as can be done with float numbers), we can also truncate the length of the format if we use the . option. The number following the . says how many bytes from the string should be used, and this can be combined with the right adjustment. And, interestingly, the right adjustment can be flipped to left adjustment with a negative sign.
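The numeric flag options from slide 8 and the string options from slide 9, as one added example that is not the slides' sample program. Each helper formats a value with one group of options into the caller's buffer and returns that buffer, so the effect of every flag is visible as an exact string; the helper names are hypothetical, and the m$ positional form is a POSIX extension that glibc supports rather than part of ISO C.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides. All helper names are hypothetical. */

/* '#' prefixes non-zero hex values with 0x (zero stays "0"); a width
 * right-adjusts the field with spaces; a leading 0 in the width pads with
 * zeros instead, placed after the 0x prefix. */
const char *hex_flags(char *buf, size_t n, unsigned v) {
    snprintf(buf, n, "[%#x][%#10x][%#010x]", v, v, v);
    return buf;
}

/* m$ names the m-th argument explicitly, so one argument can be formatted
 * twice. Once a $ reference is used, every conversion in the format needs
 * one. (POSIX extension supported by glibc, not ISO C.) */
const char *positional(char *buf, size_t n, unsigned v) {
    snprintf(buf, n, "%1$u is %1$#x", v);
    return buf;
}

/* h halves the conversion to short, hh to char: the argument is still
 * promoted to int, only the low 16 or 8 bits are formatted. */
const char *half_sizes(char *buf, size_t n, unsigned v) {
    snprintf(buf, n, "%x %hx %hhx", v, (unsigned short)v, (unsigned char)v);
    return buf;
}

/* Strings: a width right-adjusts with spaces (never zeros), .N keeps at
 * most N bytes of the string, and '-' flips the adjustment to the left. */
const char *string_flags(char *buf, size_t n, const char *s) {
    snprintf(buf, n, "[%10s][%.3s][%-10.3s]", s, s, s);
    return buf;
}

int main(void) {
    char buf[64];
    puts(hex_flags(buf, sizeof buf, 255u));
    puts(hex_flags(buf, sizeof buf, 0u));
    puts(positional(buf, sizeof buf, 255u));
    puts(half_sizes(buf, sizeof buf, 0x12345678u));
    puts(string_flags(buf, sizeof buf, "excessive"));
    return 0;
}
```

The width and precision options matter for the exploit discussion that follows: a width such as %500d makes the function emit hundreds of bytes from a format only a few characters long, which is how a short input can overrun a large output buffer, while a precision such as %.400s caps the bytes taken from a string argument.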
10. Buffer overflow
In information security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs; if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause it to write past the end of the buffer.
If this overwrites adjacent data or executable code, this may result in erratic program behavior, including memory access errors, incorrect results, and crashes. Exploiting the behavior of a buffer overflow is a well-known security exploit.
Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array is within the boundaries of that array. Bounds checking can prevent buffer overflows, but requires additional code and processing time.
11. Example for Buffer overflow
In the following example expressed in C, a program has two variables which are adjacent in memory: an 8-byte-long string buffer, A, and an unsigned integer, B.
Initially, A contains nothing but zero bytes, and B contains the number 1979.
Now, the program attempts to store the null-terminated string "excessive" with ASCII encoding in the A buffer.
"excessive" is 9 characters long and encodes to 10 bytes including the null terminator, but A can take only 8 bytes. By failing to check the length of the string, it also overwrites the value of B.
12. B's value has now been inadvertently replaced by a number formed from part of the character string. In this example "e" followed by a zero byte would become 25856.
Writing data past the end of allocated memory can sometimes be detected by the operating system to generate a segmentation fault error that terminates the process.
To prevent the buffer overflow from happening in this example, the call to strcpy could be replaced with strlcpy, which takes the maximum capacity of A (including a null-termination character) as an additional parameter and ensures that no more than this amount of data is written to A:
When available, the strlcpy library function is preferred over strncpy, which does not null-terminate the destination buffer if the source string's length is greater than or equal to the size of the buffer (the third argument passed to the function); therefore A may not be null-terminated and cannot be treated as a valid C-style string.
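The A/B layout of slides 11 and 12 and the strlcpy-versus-strncpy point above, as an added example rather than the slides' code. A struct keeps the 8-byte buffer A and a two-byte B adjacent so the effect of each copy routine on B can be observed. Since strlcpy is not shipped by every libc, a strlcpy-style bounded copy is written by hand here; `bounded_copy`, `store_safely`, `strncpy_terminated` and `struct layout` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the slides' code. The struct keeps an 8-byte buffer A
 * and a two-byte unsigned integer B adjacent, as in the slides' layout, so
 * the effect of each copy routine on B can be observed directly. */
struct layout {
    char A[8];
    unsigned short B;   /* two bytes, matching the 25856 (0x6500) figure above */
};

/* Hypothetical strlcpy-style copy, written here because strlcpy is not in
 * every libc: always NUL-terminates dst when n > 0 and returns strlen(src),
 * so a return value >= n tells the caller the string was truncated. */
size_t bounded_copy(char *dst, const char *src, size_t n) {
    size_t len = strlen(src);
    if (n > 0) {
        size_t to_copy = len < n - 1 ? len : n - 1;
        memcpy(dst, src, to_copy);
        dst[to_copy] = '\0';
    }
    return len;
}

/* Bounds-checked store into A. Returns 1 if the whole string fit, 0 if it
 * was truncated. B is never touched either way. */
int store_safely(struct layout *l, const char *src) {
    return bounded_copy(l->A, src, sizeof l->A) < sizeof l->A;
}

/* The strncpy pitfall: with strlen(src) >= n no terminator is written, so
 * dst is no longer a valid C string. Returns 1 if a NUL ended up inside
 * the first n bytes of dst, 0 if not. */
int strncpy_terminated(char *dst, size_t n, const char *src) {
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

int main(void) {
    struct layout l = { "", 1979 };
    int fit = store_safely(&l, "excessive");
    printf("bounded copy: A=\"%s\" B=%u fit=%d\n", l.A, l.B, fit);

    int terminated = strncpy_terminated(l.A, sizeof l.A, "excessive");
    printf("strncpy: terminated=%d B=%u\n", terminated, l.B);   /* A not printable here */
    return 0;
}
```

The return value is the part callers tend to drop: a truncated copy is silent unless the program checks it, and silently truncated data is the usual next bug once the overflow itself is gone.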
13. Using formats in an exploit
Now that we've had a whirlwind tour of formats you've never heard of nor ever really wanted to use, how can we use them in an exploit? Here's the program we are going to exploit.
This is a rather contrived example of using sprintf() to do a copy. One may think that because the first sprintf() uses the %.400s format, this would not enable an overflow of buffer or outbuff. For example, this does not cause a segmentation fault:
True, we can't overflow buffer, but we can overflow outbuff, because buffer is treated as the format string. For example, what if the input were like:
And if we look at the dmesg output [dmesg is a command on most Unix-like operating systems that prints the message buffer of the kernel]:
We see that we overwrote the instruction pointer with a bunch of 0x20 bytes, or spaces!
Now, the goal is to overwrite the return address with something useful, like the address of bad().
14. To do this, we need to use the right number of extended formats to hit the return address. We can do this by first using 0xdeadbeef and checking the dmesg output:
So if we use a 505-byte-length %d format, the next 4 bytes we write are the return address. And adding that, we get what we want:
We can also get this to execute a shell in the normal way.
15. Preventing Format String Vulnerabilities
• Always specify the format string as part of the program, not as an input. Most format string vulnerabilities are solved by specifying "%s" as the format string and passing the data string as an argument rather than using it as the format string.
• If possible, make the format string a constant. Extract all the variable parts as other arguments to the call. This is difficult to do with some internationalization libraries.
• If the above two practices are not possible, use defenses such as FormatGuard. These are rarely chosen at design time, but they are perhaps a way to keep using a legacy application and keep costs down, and to increase trust that a third-party application will be safe.
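The sprintf() copy from slides 13 and 14 placed beside the first two fixes above, as an added example that is not the slides' code: the untrusted text goes through a constant "%s" format with a bounded snprintf, and for the internationalization case the format is still chosen by the program from a table of constants, with %1$s/%2$d positional arguments letting a translation reorder the values. The function names, buffer sizes and the two message templates are constructed for this example; positional arguments are a POSIX extension that glibc supports.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the slides' code. Vulnerable and hardened versions of
 * the sprintf() copy from the exploit slides, plus a constant-format table
 * for translated messages. Names and templates are constructed. */

/* VULNERABLE: the user's text *is* the format string, so any %x, %s or %n
 * in it is interpreted, and sprintf has no bound on outbuff. Kept here for
 * comparison only; gcc -Wformat-security flags this call. */
void render_vulnerable(char *outbuff, const char *user_text) {
    sprintf(outbuff, user_text);
}

/* HARDENED: constant format, user text passed as the %s argument, output
 * bounded by outlen. snprintf returns the length it would have written,
 * so the caller learns whether the text was truncated (1 = fit, 0 = cut). */
int render_safe(char *outbuff, size_t outlen, const char *user_text) {
    int would_write = snprintf(outbuff, outlen, "%s", user_text);
    return would_write >= 0 && (size_t)would_write < outlen;
}

/* Internationalization: the format is still chosen by the program, from a
 * table of constants indexed by locale, never taken from input. %1$s/%2$d
 * (POSIX positional arguments, supported by glibc) let a translation
 * reorder the values without the format becoming data. */
static const char *const greeting_by_locale[] = {
    "Hello %1$s, you have %2$d messages",   /* constructed sample templates */
    "%2$d messages pour %1$s",
};
#define LOCALE_COUNT (sizeof greeting_by_locale / sizeof greeting_by_locale[0])

int render_localized(char *out, size_t n, unsigned locale,
                     const char *name, int count) {
    if (locale >= LOCALE_COUNT)
        return 0;
    int would_write = snprintf(out, n, greeting_by_locale[locale], name, count);
    return would_write >= 0 && (size_t)would_write < n;
}

int main(void) {
    char out[16];
    const char *input = "100%s%n";   /* constructed: harmless as a %s argument */
    render_safe(out, sizeof out, input);
    printf("safe: \"%s\"\n", out);           /* prints the text literally */

    char msg[64];
    render_localized(msg, sizeof msg, 1, "ana", 3);
    printf("localized: \"%s\"\n", msg);
    return 0;
}
```

A build with -Wformat -Wformat-security (on by default in several distributions' gcc) reports the non-literal format in render_vulnerable at compile time, which is the cheapest place to catch this class of bug in a code base that still has sprintf() copies.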