In-Reply-To: <[EMAIL PROTECTED]>

>Hello all,
>
> I would like some advice on how to go about having an application
>tested for buffer overflows. Are there any tools available? Are there
>people who can do the testing on my behalf?
>
>Do you need more information first?
>
>I look forward to your replies.
>
>David Stout
>CCSP, CCNA, CRCP, INFOSEC

It isn't easy to find all buffer overflow vulnerabilities in an application. Some buffer overflows are very easy to spot - just 'grep' the application source for vulnerable functions like strcpy, strcat, sprintf etc. But there are still other kinds of buffer overflows that are very hard to find. For example: integer overflows, off-by-one etc.

If you don't have the application source code, it is much harder to find buffer overflows. In that case, you should give very long strings or very large numbers to the application's input.

There are tools for finding buffer overflows... use www.google.com :)

DownBload / Illegal Instruction Labs <www.kamikaza.org>
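
The reply above says off-by-one and integer overflows are the cases a grep for strcpy, strcat or sprintf will not find. The following is an added example, not part of the original post, showing one of each beside a corrected form; all function names are hypothetical, and the canary harness is constructed so the stray write stays inside a larger array and can be observed.

```c
#include <stdint.h>
#include <string.h>

/* Added example, hypothetical names. Off-by-one with no strcpy/strcat/sprintf
 * for grep to find: if strlen(src) >= dstsize, '\0' lands at dst[dstsize]. */
void copy_off_by_one(char *dst, size_t dstsize, const char *src)
{
    size_t i;
    for (i = 0; i < dstsize && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';                 /* BUG: i may equal dstsize */
}

/* Corrected: keep one byte for the terminator, report truncation as -1. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t i;
    if (dstsize == 0) return -1;
    for (i = 0; i + 1 < dstsize && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? 0 : -1;
}

/* Integer overflow: the 32-bit product wraps, so a buffer sized from it is too small. */
uint32_t record_bytes_wrapping(uint32_t count, uint32_t record_size)
{
    return count * record_size;    /* BUG: result is modulo 2^32 */
}

/* Corrected: reject any count whose product does not fit in 32 bits. */
int record_bytes_checked(uint32_t count, uint32_t record_size, uint32_t *out)
{
    if (record_size != 0 && count > UINT32_MAX / record_size)
        return -1;
    *out = count * record_size;
    return 0;
}

/* Constructed harness: a 16-byte buffer inside a 17-byte array. The spare
 * byte is a canary, so the stray write is visible and stays in bounds. */
int canary_survives(int use_fixed, const char *input)
{
    char backing[17];
    memset(backing, 'A', sizeof backing);
    backing[16] = '~';
    if (use_fixed) copy_bounded(backing, 16, input);
    else copy_off_by_one(backing, 16, input);
    return backing[16] == '~';
}
```

A 15-character input leaves the canary intact in both versions; only an input of exactly the buffer size or longer exposes the off-by-one, which is why boundary-length inputs belong in any test set alongside very long ones.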