Buffer Overflow Hacks in Web Applications
One of the most serious input hacks is a buffer overflow that specifically targets input fields in web applications. For instance, a credit-reporting application might authenticate users before they're allowed to submit data or pull reports. The login form uses the following code to grab user IDs with a maximum input of 12 characters, as set by the maxlength attribute on the input field:
<form name="webauthenticate" action="www.your_web_app.com/login.cgi" method="POST"> ... <input type="text" name="inputname" maxlength="12"> ...
A typical login session would involve a valid login name of 12 characters or fewer. However, the maxlength value is enforced only by the browser, so it can be changed to something huge, such as 100 or even 1,000. Then an attacker can enter bogus data in the login field. What happens next is anyone's call: the application might hang, overwrite other data in memory, or crash the server.
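The fix on the server side is to treat the form's maxlength as a hint and re-check the field on every request. The following is an added example, not code from the original text: a hypothetical validator for the login.cgi POST body that caps the raw body size, then enforces the 12-character limit and a character allow-list on inputname. The sample request bodies are constructed here to show a normal browser submission and a proxy-modified one.

```python
# Added example (not from the original page): server-side enforcement of the
# 12-character limit on the login form's "inputname" field. The browser-side
# maxlength attribute is only a hint; the server must re-check every request.
from typing import Tuple
from urllib.parse import parse_qs

MAX_BODY_BYTES = 1024        # cap the raw POST body before parsing anything
MAX_INPUTNAME_LEN = 12       # the limit the HTML form claims to enforce
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def validate_login_body(raw_body: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for a hypothetical login.cgi POST body.

    Checks run cheapest first: total size before any field is decoded, so an
    oversized request is dropped before its contents are copied anywhere.
    """
    if len(raw_body) > MAX_BODY_BYTES:
        return False, "body too large"
    try:
        text = raw_body.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII body"
    fields = parse_qs(text, keep_blank_values=True)
    names = fields.get("inputname", [])
    if len(names) != 1:
        return False, "inputname must appear exactly once"
    name = names[0]
    if not 1 <= len(name) <= MAX_INPUTNAME_LEN:
        return False, "inputname length out of range"
    if not set(name) <= ALLOWED:
        return False, "inputname contains disallowed characters"
    return True, "ok"


# Constructed sample bodies: what a normal browser sends, and what arrives
# after someone raises maxlength in a proxy and submits 1,000 characters.
NORMAL_BODY = b"inputname=jsmith&password=x"
OVERSIZED_BODY = b"inputname=" + b"A" * 1000 + b"&password=x"

if __name__ == "__main__":
    for body in (NORMAL_BODY, OVERSIZED_BODY):
        print(len(body), "bytes ->", validate_login_body(body))
```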
A simple way to manipulate such a value is to step through the page submission by using a web proxy, such as those built into the commercial web vulnerability scanners or the free Paros Proxy.
Web proxies sit between your web browser and the server you're testing and allow you to manipulate information sent to the server. To begin, you must configure your web browser to use the local proxy at 127.0.0.1 on port 8080.
In Firefox, this is accessible by choosing Tools→Options; click Advanced, click the Network tab, click the Connection Settings button, and then select the Manual Proxy Configuration radio button. In Internet Explorer, choose Tools→Internet Options; click the Connections tab, click the LAN Settings button, and then select the Use a Proxy Server for Your LAN check box.
All you have to do is change the field length in the request before your browser submits the page, and it will be submitted using whatever length you give. You can also use the Firefox Web Developer extension to remove maximum form lengths defined in web forms.