Input Validation / Format String Injection

Web and API


Format string injection is a type of input validation vulnerability that is categorized under CWE-134 in the Common Weakness Enumeration (CWE) directory. This vulnerability occurs in web and API applications when user-supplied input is formatted using a language-specific formatting library. The malicious input can be used to gain access to memory locations or execute malicious code. The OWASP Testing Guide provides further information on how to test and detect format string injection.


Format string injection can lead to sensitive data leakage, data corruption, and system crashes. The risk of this vulnerability is high, as a successful attack could lead to a full compromise of the application.


The most effective solution to prevent format string injection is to use strongly-typed languages that do not allow user-supplied input to be formatted. If strongly-typed languages are not an option, then the user-supplied input must be properly validated and sanitized. Additionally, any format strings in the application code should be avoided or replaced with safer alternatives.


The following example demonstrates a format string injection vulnerability in C language.

#include <stdlib.h>
#include <stdio.h>

int main(int argc, char *argv[])
    char *input;

    if(argc > 1) {
        input = argv[1];
    } else {
        input = "default";
    printf(input); // Vulnerable to Format String Injection
    return 0;

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.