
How to protect your Web site against buffer overruns

Buffer overflow exploits can be a serious security threat. Application security activities expert Jeremiah Grossman explains how to prevent these attacks.

I'm looking for advice on buffer overruns. What can I do to protect against these attacks?

The first thing to understand is that custom Web application buffer overflow exploits are extremely rare. Still, a little extra paranoia doesn't hurt, since much of the advice given has excellent additional security benefits. Let's take a look at a few things we can do to protect Web sites from buffer overflows by hardening the operating system, Web server, and Web application.

  • Patch early, patch often, and harden the operating system. It doesn't matter if you're running Windows, Linux, or OS X. A secure Web site must be built on a solid foundation. An excellent resource for guidance is the Center for Internet Security.
  • Web server security add-ons. If you're running Microsoft IIS 5.0, install URL Scan 2.5. URL Scan has several useful features that restrict the types of requests IIS will process. IIS 6.0, by default, includes the important features that are included in URL Scan. If you're locking down Apache, ModSecurity is a must-have. ModSecurity is an open-source intrusion detection and prevention engine for Web applications.
  • Never trust client-side data. Ensure that strong character set, format, minimum and maximum length checks are in place for data, data query strings, cookies, and post data. Thorough input validation is key to a secure Web site.
  • When developing for Windows, reduce your application's reliance on unmanaged code.
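The "never trust client-side data" item above, as an added example that is not part of the original answer: an allowlist validator that applies character set, format, and minimum and maximum length checks to the query string, cookies, and POST data before the application sees them. The field names, rules, and the `MAX_RAW` cap are hypothetical and would come from your own application's specification.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical per-field rules: (min length, max length, allowlist pattern).
RULES = {
    "user":    (3, 32, re.compile(r"[A-Za-z0-9_.-]+")),
    "page":    (1, 4, re.compile(r"[0-9]+")),
    "session": (32, 32, re.compile(r"[0-9a-f]+")),
    "comment": (1, 500, re.compile(r"[\x20-\x7e\r\n]+")),
}
MAX_RAW = 4096  # assumed cap on each raw source, enforced before parsing


def check_field(name, value):
    """Return None if the value passes, else a short rejection reason."""
    rule = RULES.get(name)
    if rule is None:
        return "unexpected field"          # allowlist: unknown names are rejected
    lo, hi, pattern = rule
    if not lo <= len(value) <= hi:
        return "length outside %d..%d" % (lo, hi)
    # fullmatch, not match: the whole value must fit the pattern, so a
    # trailing newline or NUL after otherwise valid text is rejected.
    if not pattern.fullmatch(value):
        return "character set or format"
    return None


def validate_request(query="", cookie_header="", post_body=""):
    """Check all three client-controlled sources; return (clean, errors)."""
    clean, errors = {}, []
    sources = (("query", query), ("cookie", cookie_header), ("post", post_body))
    for label, raw in sources:
        if len(raw) > MAX_RAW:
            errors.append((label, "*", "raw input too long"))
            continue
        if label == "cookie":
            pairs = [tuple(p.strip().split("=", 1)) for p in raw.split(";") if "=" in p]
        else:
            # parse_qsl percent-decodes, so the checks see the decoded bytes.
            pairs = parse_qsl(raw, keep_blank_values=True)
        for name, value in pairs:
            reason = check_field(name, value)
            if reason or name in clean:
                errors.append((label, name, reason or "duplicate field"))
            else:
                clean[name] = value
    return clean, errors
```

Reject the request outright when `errors` is non-empty rather than trying to repair the input.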
