tags:

views:

1449

answers:

3
+8  Q: 

Is buffer overflow/overrun possible in completely managed asp.net c# web application

Can there be buffer overflow/overrun vulnerabilities in completely managed asp.net web portal.If yes how can this be tested.

+4  A: 

Not unless you exploit the webserver or .NET/ASP.NET stack itself.

Cody Brocious  2008-10-01 06:29:28
Can you explain more please.
Pradeep Kumar Mishra  2008-10-01 06:31:10
If your code is completely managed, then there's no way to buffer overflow the code that YOU write. But the stack (.NET and such) that you're built on top of is not written in pure managed code, so there's a possibility to exploit those, even if it's small.
Cody Brocious  2008-10-01 06:41:39
Thanks a lot for your answer.
Pradeep Kumar Mishra  2008-10-01 06:43:59
+4  A: 

In the general case, you don't need to worry about buffer overruns. This is one of the major advantages of managed code, garbage collection being perhaps the other major advantage.

There are a few edge cases that you should be aware of - any time your managed code interacts with unmanaged code (Win32 API calls, COM interop, P/Invoke, etc) there is a potential for buffer overruns in the unmanaged code, based on parameters passed in from managed code.

Also code marked as "unsafe" can directly manipulate memory addresses in such a way as to cause buffer overflow. Most C# code is written without using the "unsafe" keyword, though.

Mark Bessey  2008-10-01 07:01:31
+1  A: 

I had a tool (HP Dev Inspect) detect a possible "Possible Parameter Buffer Overflow" within my ASP.NET app and it was because we didn't have a MaxLength="20" in one of our TextBoxes...

 2009-04-29 04:12:21
Different kind of buffer overflow, well sort of. If your textbox's value is passed unchecked to, oh, say, a SQL parameter, it could wreak havoc--or if it's passed to a function that wasn't expecting the entire text of "Call of Cthulu" for a parameter, it could behave badly.Know that savvy users (such as those using FF's Web Developer extension) can just turn off MaxLength. It's a convenience defense, not something that you should count on.You should always check user input for length if it's going to matter.
Broam  2010-02-09 18:54:16

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?