常见的格式化字符串攻击来自于一个思想:攻击者可以控制显示数据所使用的格式。
The often-serious format string attack is based on the idea that an attacker can control the format used to display data.
gcc编译器选项-Wformat-security 可以警告您代码中可能受到格式化字符串攻击的地方。
The gcc compiler option -Wformat-security will warn you of some cases where the code may be vulnerable to format string attacks.
例如,Python有一个内置的“ % ”操作符,它就执行格式化操作(“ % ”前面的参数就是指定的格式),因此要确保攻击者不会控制这个格式,也就是说使用常量作为字符串的格式。
For example, Python has a built-in "%" operator that does formatting (the argument before "%" is the format), so make sure the attacker can't control the format, say by making it a constant.
在c语言中,一个常见的错误是将攻击者的数据传递到格式化字符串参数中(例如printf(3)的第一个参数)。
In c, a common mistake is to pass attacker data into format string parameters (such as the first parameter of printf (3)).
目前针对缓冲区溢出和格式化字符串漏洞攻击已经提出了很多种解决方法。
So far, although many approaches have been proposed to solve buffer overflows and format string attacks, unfortunately few of them can prevent all possible attacks.
目前针对缓冲区溢出和格式化字符串漏洞攻击已经提出了很多种解决方法。
So far, although many approaches have been proposed to solve buffer overflows and format string attacks, unfortunately few of them can prevent all possible attacks.
应用推荐