• Main Menu
  • Secure Programming

    • How to Find Security Vulnerabilities in Source Code

      How to Find Security Vulnerabilities in Source Code

      The original, and still the best, method for finding security vulnerabilities in source code is to read and understand the source code. Source code security vulnerabilities will vary between languages and platforms. Items to look for in C code include: Potential vulnerability Function calls to examine for vulnerabilities Buffer overflows gets(), scanf(), sprintf(), strcat(), strcpy()

    • Format String Vulnerability

      Format String Vulnerability

      To understand what a format string vulnerability is, you first need to know what a format string is. A format string is a way of telling the C compiler how it should format numbers when it prints them. Format Strings in C In the C programming language there are a number of functions which accept

    • SQL Injection Attack / Vulnerability

      SQL Injection Attack / Vulnerability

      A SQL injection vulnerability can occur when a poorly-written program uses user-provided data in a database query without first validating the input. This is most-often found within web pages with dynamic content. There are some excellent tutorials and descriptive articles on this subject, as well as many vulnerability postings for different applications from full-disclosure websites.

    • Integer Overflow

      Integer Overflow

      An integer overflow, or integer wrapping, is a potential problem in a program based upon the fact that the value that can be held in a numeric datatype is limited by the data type’s size in bytes. ANSI C uses the following minimum sizes: data type size (bytes) char 1 short 2 int 2 long

    • Race Condition

      Race Condition

      A race condition occurs when multiple processes access and manipulate the same data concurrently, and the outcome of the execution depends on the particular order in which the access takes place. A race condition is of interest to a hacker when the race condition can be utilized to gain privileged system access. Consider the following

    • Random Number Vulnerability

      Random Number Vulnerability

      Computers are deterministic and are therefore predictable. Computers cannot, in and of themselves, generate truly random numbers. In the absence of outside input, computers can only create pseudo-random numbers.  In the words of John Von Neumann, “Anyone attempting to produce random numbers by purely arithmetic means is, of course, in a state of sin.” A

    secure-programming
    98 queries in 0.172 seconds.