Establish protections against overflows
Summary
The system must have protection mechanisms against the different types of overflow (stack, buffer, heap, integer, etc.).
Description
An overflow occurs when an application receives or computes a value outside of the range that it is prepared to handle. It can happen when a program tries to process an excessively large number, or when it reads or writes a memory address outside of its assigned buffer. An overflow can cause a program to stop working, which can lead to a Denial of Service (DoS). Therefore, systems should use data structures and mechanisms that help reduce the chances that an overflow will arise, such as memory-safe strings and safe memory copy and pointer arithmetic routines.
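The following C listing is an added example (not code from Fluid Attacks or this requirement page) showing the kind of mechanisms the description asks for: a length-checked, always NUL-terminated string copy in place of an unchecked one, a multiplication check before sizing an allocation, a signed addition check, and a bounds-checked read. All function names (safe_copy, checked_mul, alloc_array, checked_add_int, read_at) and the sample inputs are assumptions chosen for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: length-checked copy that always NUL-terminates.
 * Replaces the classic unchecked pattern (strcpy(dst, src)) that writes
 * past 'dst' when 'src' is longer than the buffer (CWE-120 / CWE-787) and
 * the pattern that leaves 'dst' unterminated (CWE-170).
 * Returns true on success, false when src would not fit (dst untouched). */
bool safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return false;
    size_t n = 0;
    /* Scan for the terminator but never look further than dst_size bytes,
     * so an unterminated source cannot cause an out-of-bounds read. */
    while (n < dst_size && src[n] != '\0') n++;
    if (n == dst_size) return false;   /* no room for n chars plus NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

/* Hypothetical helper: size_t multiplication that refuses to wrap
 * (CWE-190). Writes the product to *out only when it is exact. */
bool checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Allocate count * elem_size bytes only if the byte count cannot wrap;
 * a wrapped size would yield a buffer far smaller than the caller expects. */
void *alloc_array(size_t count, size_t elem_size) {
    size_t bytes;
    if (!checked_mul(count, elem_size, &bytes)) return NULL;
    return malloc(bytes);
}

/* Hypothetical helper: signed addition without undefined behaviour, in the
 * spirit of CERT C INT32-C. Returns false instead of overflowing. */
bool checked_add_int(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) return false;
    *out = a + b;
    return true;
}

/* Hypothetical helper: index into a buffer only after the bound check
 * (out-of-bounds read, CWE-125). */
bool read_at(const unsigned char *buf, size_t len, size_t idx,
             unsigned char *out) {
    if (buf == NULL || out == NULL || idx >= len) return false;
    *out = buf[idx];
    return true;
}

int main(void) {
    char name[8];                                  /* 7 chars + NUL */
    const char *constructed_input = "overflow-me";  /* constructed sample */

    printf("copy short : %s\n", safe_copy(name, sizeof name, "alice") ? name : "rejected");
    printf("copy long  : %s\n", safe_copy(name, sizeof name, constructed_input) ? name : "rejected");

    int sum;
    printf("INT_MAX + 1: %s\n", checked_add_int(INT_MAX, 1, &sum) ? "ok" : "rejected");

    void *p = alloc_array(SIZE_MAX / 2 + 1, 4);
    printf("huge alloc : %s\n", p == NULL ? "rejected" : "allocated");
    free(p);

    unsigned char data[4] = {1, 2, 3, 4};
    unsigned char v;
    printf("read idx 4 : %s\n", read_at(data, sizeof data, 4, &v) ? "ok" : "rejected");
    return 0;
}
```

The point of each helper is that the check happens before the memory or arithmetic operation, and that the failure path is a returned status the caller must handle rather than silent corruption. Compiling with the toolchain's overflow and bounds diagnostics (for example sanitizers during testing) complements these checks but does not replace them.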
References
- CAPEC-24. Filter failure through buffer overflow
- CAPEC-123. Buffer manipulation
- CAPEC-153. Input data manipulation
- CWE-120. Buffer copy without checking size of input ("classic buffer overflow")
- CWE-134. Use of externally-controlled format string
- CWE-170. Improper null termination
- CWE-190. Integer overflow or wraparound
- OWASPM10-M7. Poor code quality
- AGILE-9. Continuous attention to technical excellence and good design
- CERTC-INT32-C. Ensure that operations on signed integers do not result in overflow
- CERTJ-NUM00-J. Detect or prevent integer overflow
- MITRE-M1013. Application developer guidance
- PADSS-5_2_2. Buffer Overflow
- SANS25-1. Out-of-bounds Write
- SANS25-7. Out-of-bounds read
- SANS25-12. NULL pointer dereference
- SANS25-14. Integer overflow or wraparound
- SANS25-17. Improper restriction of operations within the bounds of a memory buffer
- CMMC-CA_L2-3_12_2. Plan of action
- IEC62443-RA-7_1. Denial of service protection
- WASC-A_03. Integer overflows
- WASC-A_10. Denial of service
- WASC-A_26. HTTP request smuggling
- ISSAF-P_6_3. Host security - Linux security (buffer overflows)
- ISSAF-P_6_4. Host security - Linux security (stack based overflows)
- ISSAF-P_6_5. Host security - Linux security (heap based overflows)
- ISSAF-P_6_6. Host security - Linux security (integer overflows)
- ISSAF-T_16_2. Web application assessment - Input Validation (test buffer overflow)
- ISSAF-V_11. Application security - Source code auditing (buffer overflows)
- PTES-6_7_1_1. Exploitation - Zero day angle (buffer overflows)
- OWASPSCP-1. Input validation
- OWASPSCP-13. Memory management
- CWE25-119. Improper restriction of operations within the bounds of a memory buffer
- CWE25-125. Out-of-bounds read
- CWE25-190. Integer overflow or wraparound
- CWE25-476. NULL pointer dereference
- CWE25-787. Out-of-bounds Write
- OSAMM-ST. Security Testing
- ASVS-5_4_3. Memory, string, and unmanaged code
- SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG-I_2_1. Application security
- OWASPAPI-API4. Lack of Resources & Rate Limiting
Supported In
This requirement is verified in the following services
Essential Plan
Advanced Plan