Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-6

 

 

Format String Attack

Format String Attacks alter the flow of an application by using string formatting library features to access other memory space. Vulnerabilities occur when user-supplied data is passed directly as the format string argument to certain C/C++ functions (e.g. fprintf, printf, sprintf, setproctitle, syslog, …).

If an attacker passes a format string consisting of printf conversion characters (e.g. “%f”, “%p”, “%n”, etc.) as a parameter value to the web application, they may:

  • Execute arbitrary code on the server
  • Read values off the stack
  • Cause segmentation faults / software crashes
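
The vulnerable pattern described above next to its corrected form, as an added example that is not part of the original WASC text. The function names and the sample input are constructed for illustration; the input uses only "%%", the one conversion that consumes no argument, so the difference is visible without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE (the pattern the text describes): the caller-supplied string is
 * passed as the format argument, so the formatting library interprets any
 * conversion characters it contains. GCC and Clang report this call under
 * -Wformat-security. */
int render_vulnerable(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);
}

/* HARDENED: the format is a constant and the user data is only ever an
 * argument to it, so it is copied byte for byte and never interpreted. */
int render_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Returns 1 when the two forms produce different output, i.e. the input was
 * interpreted as a format rather than copied as data. Only call this with
 * input whose conversions take no arguments (plain text or "%%"). */
int input_was_interpreted(const char *user)
{
    char a[64], b[64];
    render_vulnerable(a, sizeof a, user);
    render_safe(b, sizeof b, user);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed sample input, standing in for a request parameter value. */
    const char *input = "load 100%%";
    char a[64], b[64];

    render_vulnerable(a, sizeof a, input);
    render_safe(b, sizeof b, input);
    printf("vulnerable: [%s]\n", a);   /* "%%" collapsed by the library */
    printf("safe:       [%s]\n", b);   /* input preserved verbatim */
    printf("interpreted: %d\n", input_was_interpreted(input));
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler flag the call in render_vulnerable, which is a cheap way to find the same pattern elsewhere in a code base.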

 

Format String attacks are related to other attacks in the Threat Classification: Buffer Overflows and Integer Overflows. All three are based on the ability to manipulate memory or its interpretation in a way that contributes to an attacker’s goal.

 

http://projects.webappsec.org/w/page/13246926/Format%20String