Q

How to protect your Web site against buffer overruns

Buffer overflow exploits can be a serious security threat. Application security activities expert Jeremiah Grossman explains how to prevent these attacks.

I'm looking for advice on buffer overruns. What can I do to protect against these attacks?

The first thing to understand is that custom Web application buffer overflow exploits are extremely rare. Still, a little extra paranoia doesn't hurt, since much of the advice given has excellent additional security benefits. Let's take a look at a few things we can do to protect Web sites from buffer overflows by hardening the operating system, Web server, and Web application.

  • Patch early, patch often, and harden the operating system. It doesn't matter if you're running Windows, Linux, or OS X. A secure Web site must be built on a solid foundation. An excellent resource for guidance is the Center for Internet Security.
  • Web server security add-ons. If you're running Microsoft IIS 5.0, install URL Scan 2.5. URL Scan has several useful features that restrict the types of requests IIS will process. IIS 6.0, by default, includes the important features that are included in URL Scan. If you're locking down Apache, ModSecurity is a must-have. ModSecurity is an open-source intrusion detection and prevention engine for Web applications.
  • Never trust client-side data. Ensure that strong character set, format, minimum and maximum length checks are in place for data, data query strings, cookies, and post data. Thorough input validation is key to a secure Web site.
  • When developing for Windows, reduce your application's reliance on unmanaged code.

More information
Featured Topic: Prevent buffer overflow
Buffer overflow attacks: How do they work?

This was first published in May 2006

Dig deeper on Software Requirements Gathering Techniques

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close