A deep dive into one of the oldest and most dangerous software vulnerabilities. How rewriting the Return Address works, and how modern OS protections like ASLR, DEP/NX, and Stack Canaries attempt to stop it.
My Node.js server crashed every midnight with 'Heap Out of Memory'. The culprit? A global variable hoarding data. Through this debugging nightmare, I learned the true difference between Stack and Heap, how V8 Garbage Collection works, and how to prevent memory leaks.
I just clicked an interesting link, and money was transferred under my name. My journey to understanding CSRF, the sneaky attack that exploits your logged-in session.
Why does my server crash? OS's desperate struggle to manage limited memory. War against Fragmentation.
A comprehensive deep dive into client-side storage. From Cookies to IndexedDB and the Cache API. We explore security best practices for JWT storage (XSS vs CSRF), performance implications of synchronous APIs, and how to build offline-first applications using Service Workers.
Imagine you have a bucket that holds 1 liter of water. If you pour 2 liters into it, what happens? The water spills over the edge, wetting the floor, arguably damaging the carpet or short-circuiting electrical outlets nearby.
In computer memory, a Buffer is a reserved area of memory (like an array) used to hold data. If a program tries to write more data into the buffer than it was allocated for, the extra data overflows into adjacent memory locations.
This wouldn't be a big deal if it just crashed the program (Segmentation Fault). But malicious hackers realized: "Wait, I can control WHAT gets written into that adjacent memory." If that adjacent memory holds something important—like the Instruction Pointer (IP) or Return Address—the hacker can hijack the entire control flow of the application.
Buffer overflows are not just theoretical; they have caused billions of dollars in damage.
The first worm to cripple the internet. It targeted the fingerd service on Unix systems. fingerd used the unsafe gets() function. The worm sent a specially crafted request that overflowed the buffer, allowing it to execute code and replicate itself to other machines. It infected 6,000 computers within hours—about 10% of the entire internet at the time.
This worm targeted a buffer overflow vulnerability in Microsoft SQL Server 2000. It was incredibly small (376 bytes) and fit inside a single UDP packet. It didn't even write to the disk; it lived entirely in memory. It spread so fast that it infected 75,000 servers in 10 minutes, causing a global internet slowdown.
To understand Buffer Overflow, you must understand the Stack. When a function is called in C/C++, a "Stack Frame" is created. It typically contains four main things:
char buffer[64]).[ High Addresses ]
+----------------+
| Return Address | <- The keys to the kingdom
+----------------+
| Saved EBP |
+----------------+
| Local Buffer | <- Where input goes
| (64 bytes) |
+----------------+
[ Low Addresses ]
We fill the Local Buffer with data.
Since strings grow from Low to High addresses, if we write 70 bytes into a 64-byte buffer:
Saved EBP.Return Address.The hacker replaces the Return Address with a pointer to their own malicious code (Shellcode) inserted into the stack. When the function tries to return, it unknowingly jumps to the hacker's code instead of the main program.
The root cause of virtually all buffer overflows is the lack of bound checking in standard C library functions.
strcpy()char dest[10];
strcpy(dest, src);
It copies from src to dest until it finds a null terminator (\0). It doesn't care if src is 1000 characters long. It will happily obliterate your stack.
gets()The most notorious function. It reads from stdin until a newline. It is so dangerous that it was completely removed from the C11 standard. Compiler warnings often say: "the use of gets is dangerous; do not use it."
strcat()sprintf() (vs snprintf)scanf("%s")Operating System vendors and Compiler designers have introduced multiple layers of defense to make exploitation harder.
Based on the idea of a "Canary in a coal mine".
Hackers are smart. When NX Bit blocked them from running code on the stack, they invented ROP.
Since they can't inject new code, they reuse existing code.
They look for tiny snippets of code ending in ret (called Gadgets) already present in the program's executable memory (like libc).
pop eax; ret;add eax, 1; ret;By carefully constructing a "ROP Chain" on the stack (a series of return addresses), they can make the CPU jump from Gadget to Gadget, effectively executing whatever logic they want without writing a single new instruction. It's like writing a ransom note by cutting letters out of a magazine.
The famous Heartbleed vulnerability (2014) in OpenSSL was a Buffer Read Over-read, not a write overflow.
strncpy (carefully), strlcpy, fgets, and snprintf. Avoid gets like the plague.strcpy and gets are the primary enemies.Security is not a feature; it's a foundation. Writing code that works is easy; writing code that doesn't break under attack is the real challenge.