The often-serious format string attack is based on the idea that an attacker can control the format string itself, not merely the data it displays. In C, a call such as printf(buf) with attacker-supplied buf lets conversions like %x read off the stack and %n write to memory, so untrusted text must always be passed as an argument to a constant format: printf("%s", buf).
The gcc compiler option -Wformat-security will warn you of some cases where the code may be vulnerable to format string attacks: calls to printf-family functions whose format is not a string literal and that take no further arguments, such as printf(buf). It does not catch every misuse, so treat it as a backstop rather than a proof; -Wformat=2 enables it together with further format checks, and -Werror=format-security turns the warning into a build failure so it cannot be ignored.
For example, Python has a built-in "%" operator that does formatting (the operand before "%" is the format), so make sure the attacker can't control the format, say by making it a constant. A format taken from the attacker can name any key of a mapping operand with "%(key)s" and so read values the code never meant to show, and a malformed format raises an exception that crashes an unguarded caller; the same applies to str.format(), whose field names can also walk attributes of the arguments.
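The following added example (it is not code from the HOWTO) shows the attack idea from this section in Python rather than C: a renderer whose format string comes from the caller leaks a mapping's values, crashes on a probe, and with str.format() walks from a harmless object into module globals, while the hardened renderer with a constant format prints the same attacker text verbatim. The RECORD mapping, the Config class, the render_* and probe functions and the attacker inputs are all constructed for illustration.

```python
"""Attacker-controlled format strings in Python: how a format that is not a
constant leaks data or crashes the program, and the constant-format fix.

Added example; it is not code from the HOWTO. The record, the Config class
and the attacker inputs below are constructed for illustration."""


# Constructed application state that a logging or templating routine might
# hand to a formatter. The token stands in for any secret.
RECORD = {"user": "alice", "role": "admin", "api_token": "tok-CONSTRUCTED-123"}


class Config:
    """Constructed object passed to str.format(); holds a 'secret' attribute."""

    def __init__(self, secret: str) -> None:
        self.secret = secret


def render_unsafe(fmt: str, record: dict) -> str:
    """VULNERABLE: the caller (attacker) controls the format.

    '%(name)s' lets the format pick any key from the mapping, so every value
    in `record` is readable. Unknown keys or wrong specifiers raise, which is
    a crash (denial of service) in an unguarded caller."""
    return fmt % record


def render_format_unsafe(fmt: str, obj: object) -> str:
    """VULNERABLE: same problem with str.format(); replacement fields may walk
    attributes and subscripts ('{obj.__class__...}'), reaching far beyond the
    object that was meant to be displayed."""
    return fmt.format(obj=obj)


def render_safe(message: str, record: dict) -> str:
    """HARDENED: the format is a constant; untrusted text is only ever an
    argument that fills a %s slot, so it is printed verbatim."""
    return "[%s/%s] %s" % (record["user"], record["role"], message)


def probe(fmt: str, record: dict) -> str:
    """Run the vulnerable renderer with an attacker-supplied format and
    report what the attacker observes: the output, or the exception type."""
    try:
        return "output: " + render_unsafe(fmt, record)
    except (KeyError, TypeError, ValueError) as exc:
        return "crash: " + type(exc).__name__


if __name__ == "__main__":
    # Intended use: a harmless message built from the record.
    print(probe("user %(user)s logged in", RECORD))
    # Attacker chooses the format: reads a key the developer never meant to show.
    print(probe("%(api_token)s", RECORD))
    # Attacker probes for keys and specifiers: each miss crashes the renderer.
    print(probe("%(password)s", RECORD))   # KeyError
    print(probe("%d", RECORD))             # TypeError
    # str.format() with a controlled format walks from the object, via its
    # class and __init__'s globals, to RECORD and pulls the token out.
    cfg = Config("constructed-secret")
    print(render_format_unsafe("{obj.secret}", cfg))
    print(render_format_unsafe(
        "{obj.__class__.__init__.__globals__[RECORD][api_token]}", cfg))
    # The same attacker text through the constant-format path: printed literally.
    print(render_safe("%(api_token)s", RECORD))
```

The fix is the rule in the text: the format is a literal in the source, and anything the attacker supplies only ever arrives as an argument. Wrapping the vulnerable call in a try/except removes the crash but not the information leak, so exception handling is not a substitute for a constant format.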