[WEB SECURITY] Jeremiah Grossman writes about buffer overflow myths

Jeremiah Grossman has written a column for SearchAppSecurity.com on the
realities of buffer overflows. Take a look:


Myth-busting Web application buffer overflows

http://searchappsecurity.techtarget.com/tip/1,289483,sid92_gci1172478,00.html


If someone managed to exploit a buffer overflow in a Web application, it
would result in a critical situation. But the chance of that happening
to a custom Web application is slim. Focus instead on cross-site
scripting and SQL injection vulnerabilities,
authentication/authorization loopholes, and business logic flaws.


Michelle Davidson

Editor

SearchAppSecurity.com

TechTarget


4025 Sea Grape Circle

Delray Beach, FL  33445


Phone: 561-302-1120

Fax: 561-496-1860

AIM: MicheDav910


TechTarget
The Most Targeted IT Media
www.techtarget.com <http://www.techtarget.com/>


Brought to you by http://www.webappsec.org