This website uses cookies to ensure you have the best experience. Learn more

Software Application Vulnerabilities And Controls Essay

1893 words - 8 pages

Insecure coding practices used by application developers can lead to the creation of vulnerabilities in programs. This fact of life lies at the core of all software vulnerabilities. Until secure coding practices are implemented across the board at all organizations and firms, these flaws will continue to perpetuate vulnerabilities to be exploited. Three of the most common and damaging attacks allowed by the potential vulnerabilities are buffer overflows, including stack overflows and heap/BSS/data overflows, and format string attacks.
Stack buffer overflows are very popular among hackers because they are one of the easier exploits to pull off and they offer the best payoff. The vulnerability allows an attacker to input data past the limitation of a variable, which allows it to be written into adjacent locations in memory. Once this data has been written, the attacker triggers a method for calling that memory location and executing the code. The results can range from crashing the application to remotely executing code, which generates a shell back to the attacker.
There are many tools available to attackers that will allow them exploit potential stack buffer overflow vulnerabilities in remote systems, but these can often be fragmented across many platforms and require significant reworking of code to make them functional. Perhaps the best tool available on the internet to centralize the transmission of these exploits, and many others, is the Metasploit Framework. An example of this will be the easyftp_list.rb exploit that targets EasyFTP Server versions 1.7.0.11 and below. “EasyFTP fails to check input size when parsing the 'path' parameter supplied to an HTTP GET request, which leads to a stack based buffer overflow” (Metasploit, 2010). The exploit is included as a module within the Metasploit framework and requires minimal configuration on the part of the attacker. The parameter that needs to be explicitly designated is the IP address of the target running the EasyFTP server.
Heap overflows are similar to stack overflows, but instead of aiming to overwrite information to the stack, heap-based overflows overwrite to the heap, which is used by programs to allocation dynamic memory at runtime (McClure, Scambray & Kurtz, 2009). A common technique used by attackers is the heap spray, which, like its name alludes, sprays the heap with information in an attempt to overwrite certain bytes of code. Attackers “commonly take advantage from the fact that these heap blocks will roughly be in the same location every time the heap spray is run” (Abysssec, 2010).
In terms of tool availability, heap overflows are in the same boat as stack-based buffer overflows. As before, one of the more reliable sources for functional exploits for this method will come from the Metasploit repository, which is updated on a daily basis to include the latest tools available. An example of a heap overflow tool is the exim4_string_format.rb module, which actually combines...

Find Another Essay On Software Application Vulnerabilities and Controls

The Microsoft Baseline Analyzer Essay

1175 words - 5 pages performed scans for missing patches, missing/weak passwords, and assess the holistic security status to determine any associated potential risks to the computer. MBSA utilized the Microsoft update catalog and determined which security updates required updating, provided a report on specific system information, and performed Windows Security and Desktop Application Scans to report any further administrative vulnerabilities. The resulting security

Vulnerability assessment of the company system and recommendations on measures to mitigate or eliminate potential risks

1214 words - 5 pages development and security patches must also clarify the systems used. 2.2.1.6 Identify which controls are already in place Security and business continuity control measures that protect servers and storage devices hosting applications and data must be known. Control measures include company policies, intrusion detection and prevention systems, application firewalls, data loss prevention and encryption systems. Extensive research which involves scanning

Security and the OSI Model

1605 words - 6 pages session attempts. Presentation Layer The presentation layer deals with the organization of data passed from the application layer to the network. This layer allows for the standardization of data and the communication of data between different hosts. The presentation layer can also control network-layer enhancements such as compression or encryption. Some vulnerabilities with regard to the presentation layer are (Reed, 2003): • Poor

Identifying Potential Risk, Response, and Recovery

1817 words - 7 pages IP addresses the attacks are from will need to be blocked before damage is done to the network to create a work stoppage or the system from going down. A strategy and controls are also needed to deal with the vulnerabilities in the computers and networks. Software on the computers often has vulnerabilities that hackers will take advantage of. The strategy to help mitigate the risk of a hacker using these vulnerabilities is risk mitigation or

Asset Identification and Classification Policy

3063 words - 13 pages system’s hardware and software vulnerabilities such as viruses, worms, or application bug, and results in a loss confidentially, integrity, and availability of resources and data. This is accomplished through implementing a Security Training and Awareness Policy in accordance with standards and recommendations outlined in NIST Publications 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations, Security

Web Server Application Attacks

991 words - 4 pages Introduction There are more Web application vulnerabilities than one can even count, and they have become so widespread that most hacking sites have tools that you can download to search, find, and exploit tools these vulnerabilities. This makes it very easy for even a rookie hacker to exploit these flaws. The three common web application vulnerabilities and attacks are as follows: Username enumeration, Security misconfiguration, and SQL

Technical Project Paper

2157 words - 9 pages consider may include; power loss, and an armed attack. Our next step is to identify and analyze any potential logical vulnerabilities and threats that require consideration. Logical risks or threats are those that are likely to affect the information that has to be protected. Most of the logical vulnerabilities and threats are concerned with software or programming errors, technical failures, web site intrusion and social engineering. Logical

Updates Over Security Software

2521 words - 10 pages computers have penetrated medical equipment, power grids, and controls used for rail lines. Experts believe these chips still may be extremely susceptible to attack due to the fact there is little protection against their firmware, hardcoded applications within the circuitry, from being altered. Scott Borg, Director of the nonprofit Cyber Consequences Unit, “Security experts used to take firmware for granted, because, unlike software, it was

Economic Consequences of Software Crime

1269 words - 5 pages program do not expect payment for their software. It may be copied, modified and distributed as the end user wishes to do.A license manager is a system utility-like application that controls or monitors the use of another end-user application. It is generally implemented to protect intellectual property (meaning to stop illegal copying) and/or to become more competitive by offering new ways in which to evaluate, purchase and pay for software. Since

Intro to Computer Forensics

880 words - 4 pages the most common platforms for this type of virus. These viruses are written in Visual Basic and are relatively easy to create. Macro viruses infect at different points during a file's use, for example, when it is opened, saved, closed, or deleted. And last we have worms which are built to take advantage of a security whole in an existing application or operating system, find other systems running the same software, and automatically replicate it to

B2C Web Site Security

2366 words - 9 pages Components 4 2.1 Physical System Security 4 2.1.1 Server Side Aspects 4 2.1.2 Client Side Aspects 5 2.2 Operating System Security 5 2.3 Network Security 6 2.4 Web Application/Service Security 8 3 Conclusions 10 4 References and Bibliography 11   How the security of B2C web-sites can be assured through technical controls and customer education 1 Introduction The primary goal of Business to Consumer (B2C) websites is to attract traffic

Similar Essays

System And Application Software Essay

669 words - 3 pages definition for Software means computer instructions or data. Anything that can be stored electronically is software (http://www.webopedia.com/TERM/S/software.html). If you are not familiar with this definition then the difference between system and application could be very confusing. The definition for Application software is a subclass of computer software that employs the capabilities of a computer directly and thoroughly to a task

Information Security Essay

2954 words - 12 pages (information, infrastructure, software and content) as follows: end-user devices such as PC’s and smart phones, user-support devices and the actual content or otherwise. • To determine security requirements and coordinate the right mix of countermeasures. • To access missing controls, protection measures or requirements not implemented correctly, or not implemented at all, this should have been, for the purpose of protecting critical assets. And finally, to recommend protection controls (countermeasures) to prevent or mitigate identified vulnerabilities.

Vulnerability Assessment Of The Company System And Recommendations On Measures To Mitigate Or Eliminate Potential Risks

1339 words - 6 pages security risk to equipments. The controls over employees, visitors and outsiders should be put in place. Such controls include barriers used to limit access to physical premises and preventing unauthorized entry and removal. 3.1.2 Users are allowed to install their own software as needed The company is exposed to Windows file system vulnerabilities as users are allowed to install their own software. The information that users create and Operating

Commercial Risk In Web Application Development

1438 words - 6 pages ideas to provide new techniques and tools that create a better outcome. The quality of a Web Application depends on the consideration of appropriate mechanisms that meets the user’s need. Popularity of Web applications is determined by the quality of security attributes. Development of the Web Application Security Challenge Over the past decade, the security challenge had been to simply identify the vulnerabilities that existed in web applications