Format String Error

ID

format_string_error

Severity

high

Kind

Injection

CWE

134

Description

This detector identifies format string vulnerabilities where user-supplied input is passed directly to string formatting functions without proper sanitization. The scanner tests for format specifiers like %s, %x, %n in input fields and observes whether the application processes them as formatting directives rather than literal strings. Format string bugs commonly occur in logging functions, error messages, and printf-style formatting operations where untrusted data controls the format string parameter.

Rationale

Format string vulnerabilities allow attackers to read from or write to arbitrary memory locations by injecting format specifiers into user-controlled input. Attackers use %x and %p specifiers to leak stack memory contents, potentially exposing sensitive data like passwords, session tokens, or cryptographic keys. The %n specifier enables writing to memory addresses, allowing attackers to overwrite return addresses, function pointers, or security-critical variables to achieve arbitrary code execution. Even read-only exploitation can crash applications or bypass authentication through information disclosure.

Remediation

Never pass user-controlled input directly as the format string parameter to formatting functions. Use parameterized formatting where user input is passed as an argument rather than part of the format specification. Replace vulnerable functions like sprintf with safer alternatives that enforce format string separation. In languages with printf-style functions, always use a constant format string and pass user data as variadic arguments. Implement input validation to reject strings containing format specifiers. For logging operations, use structured logging frameworks that automatically sanitize user input. Review all code paths where external input flows to formatting functions and ensure proper separation between format templates and data.
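The separation described above, shown in C as an added example (not the detector's or any project's code): a constant format template with user data passed as an argument, next to the validation check that flags specifiers such as %x or %n. The helper names log_fmt, log_user_message and contains_format_specifier are hypothetical and the probe string is constructed.

```c
/* Added example of CWE-134 remediation; helper names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdarg.h>

/* Lets GCC/Clang warn when a non-literal format string reaches log_fmt
 * (together with -Wformat -Wformat-security). */
#ifdef __GNUC__
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Logging wrapper: the format string is always a compile-time constant. */
static int log_fmt(char *out, size_t outsz, const char *fmt, ...) PRINTF_LIKE(3, 4);

static int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern for contrast only: the untrusted string IS the format,
 * so "%x%x%n" in user_input would be interpreted as directives.
 *     snprintf(out, outsz, user_input);
 * Remediated pattern: constant template, user data as a %s argument, so any
 * specifiers inside user_input are copied literally. */
int log_user_message(char *out, size_t outsz, const char *user_input)
{
    return log_fmt(out, outsz, "user said: %s", user_input);
}

/* Defense in depth: reject input carrying format directives. A doubled
 * "%%" is a literal percent and is allowed; returns 1 if a directive is found. */
int contains_format_specifier(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char buf[128];
    const char *probe = "%x%x%n";            /* constructed scanner-style probe */
    log_user_message(buf, sizeof buf, probe);
    printf("%s\n", buf);                     /* user said: %x%x%n */
    printf("flagged=%d\n", contains_format_specifier(probe));
    return 0;
}
```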