Ask the Expert

How to protect your Web site against buffer overruns

I'm looking for advice on buffer overruns. What can I do to protect against these attacks?


The first thing to understand is that custom Web application buffer overflow exploits are extremely rare. Still, a little extra paranoia doesn't hurt, since much of the advice given has excellent additional security benefits. Let's take a look at a few things we can do to protect Web sites from buffer overflows by hardening the operating system, Web server, and Web application.

  • Patch early, patch often, and harden the operating system. It doesn't matter if you're running Windows, Linux, or OS X. A secure Web site must be built on a solid foundation. An excellent resource for guidance is the Center for Internet Security.
  • Web server security add-ons. If you're running Microsoft IIS 5.0, install URL Scan 2.5. URL Scan has several useful features that restrict the types of requests IIS will process. IIS 6.0, by default, includes the important features that are included in URL Scan. If you're locking down Apache, ModSecurity is a must-have. ModSecurity is an open-source intrusion detection and prevention engine for Web applications.
  • Never trust client-side data. Ensure that strong character set, format, and minimum and maximum length checks are in place for query-string data, cookies, and POST data. Thorough input validation is key to a secure Web site.
  • When developing for Windows, reduce your application's reliance on unmanaged code.
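The last two points together, as an added example that is not part of the original answer: in C, where the unmanaged code the column warns about lives, each input field gets a policy (allowed characters, minimum and maximum length) that is checked before the value is copied into a fixed-size buffer, and over-long input is rejected rather than silently truncated. The field names, sizes and policy values are assumptions for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Size of the fixed buffer the (assumed) request handler stores a username in. */
#define USERNAME_MAX 16

/* Validation policy for one input field: allowed characters and length bounds. */
typedef struct {
    size_t min_len;
    size_t max_len;          /* keep below the destination size to leave room for NUL */
    int (*allowed)(int c);   /* character-set check applied to every byte */
} field_policy;

static int is_username_char(int c) {
    return isalnum(c) || c == '_' || c == '-';
}

/* Assumed policy for the username field: 3 to 15 characters from [A-Za-z0-9_-]. */
const field_policy username_policy = { 3, USERNAME_MAX - 1, is_username_char };

/* Returns 1 if value satisfies the policy, 0 otherwise. The scan reads at most
   max_len + 1 bytes, so the length check itself is bounded, and over-long input
   is rejected outright rather than truncated. */
int validate_field(const char *value, const field_policy *p) {
    size_t n = 0;
    if (value == NULL) return 0;
    for (; n <= p->max_len && value[n] != '\0'; n++) {
        if (!p->allowed((unsigned char)value[n])) return 0;
    }
    if (n > p->max_len) return 0;
    return n >= p->min_len;
}

/* Copies the value into the fixed-size buffer only after it has passed
   validation, so the copy can never exceed the destination. Returns 1 on success. */
int set_username(char dst[USERNAME_MAX], const char *value) {
    if (!validate_field(value, &username_policy)) return 0;
    strncpy(dst, value, USERNAME_MAX - 1);
    dst[USERNAME_MAX - 1] = '\0';
    return 1;
}

/* Accept/reject decision for a username, for callers without a buffer at hand. */
int username_accepted(const char *value) {
    char buf[USERNAME_MAX];
    return set_username(buf, value);
}
```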


This was first published in May 2006
