where he should have ideally used printf(?s?

Kevin has been asked to write a short program to gather user input for a web application. He likes
to keep his code neat and simple. He chooses to use printf(str) where he should have ideally used
printf(?s? str). What attack will his program expose the web application to?

Kevin has been asked to write a short program to gather user input for a web application. He likes
to keep his code neat and simple. He chooses to use printf(str) where he should have ideally used
printf(?s? str). What attack will his program expose the web application to?

A.
Cross Site Scripting

B.
SQL injection Attack

C.
Format String Attack

D.
Unicode Traversal Attack

Explanation:
Format string attacks are a new class of software vulnerability discovered around
1999,previously thought harmless. Format string attacks can be used to crash a program or to
execute harmful code. The problem stems from the use of unfiltered user input as the format string
parameter in certain C functions that perform formatting,such as printf(). A malicious user may use
the %s and %x format tokens,among others,to print data from the stack or possibly other locations
in memory. One may also write arbitrary data to arbitrary locations using the %n format
token,which commands printf() and similar functions to write back the number of bytes formatted

to the same argument to printf(),assuming that the corresponding argument exists,and is of type
int * .



Leave a Reply 0

Your email address will not be published. Required fields are marked *