The first thing to understand is that custom Web application buffer overflow exploits are extremely rare. Still, a little extra paranoia doesn't hurt, since much of the advice given has excellent additional security benefits. Let's take a look at a few things we can do to protect Web sites from buffer overflows by hardening the operating system, Web server, and Web application.
- Patch early, patch often, and harden the operating system. It doesn't matter if you're running Windows, Linux, or OS X. A secure Web site must be built on a solid foundation. An excellent resource for guidance is the Center for Internet Security.
- Web server security add-ons. If you're running Microsoft IIS 5.0, install URL Scan 2.5. URL Scan has several useful features that restrict the types of requests IIS will process. IIS 6.0, by default, includes the important features that are included in URL Scan. If you're locking down Apache, ModSecurity is a must-have. ModSecurity is an open-source intrusion detection and prevention engine for Web applications.
- Never trust client-side data. Ensure that strong character set, format, minimum and maximum length checks are in place for data, data query strings, cookies, and post data. Thorough input validation is key to a secure Web site.
- When developing for Windows, reduce your application's reliance on unmanaged code.
This was first published in May 2006