Tag Archives: SQL Injection

Rasputin Hacker Uses SQLi to Hack 60 Universities and Government Agencies

25 March 2017

SQL injection is one of the oldest, most used and best understood attack vectors. The solution (parameterized queries, with input validation as a second line of defence) is also well understood, yet plenty of systems vulnerable to SQL injection are still operated on the internet. And the cybercriminal Rasputin is clearly very good at finding such systems.

In his post “Rasputin Hacker Uses SQLi to Hack 60 Universities and Government Agencies”, David Bisson provides some insight into the problem and into why organizations are struggling with the solution:

“The evidence suggests economics play a role in causation for this troubling trend. The problem and solution are well understood, but solutions may require expensive projects to improve or replace vulnerable systems. These projects are often postponed until time and/or budget is available, until it’s too late to prevent SQLi victimization.”

As always, it’s a lack of budget and resources. But especially in the case of university websites I find this really difficult to understand.

Computer science students can work on these issues in seminars and projects after the basic database and web programming courses. Even the project management can be done by students. Only a few expensive professionals are required to coordinate the activities with the university’s IT department.

If one starts with the web pages where user input is requested, the major problems can be solved in the short or medium term. In addition, students will get very valuable insights into real cyber security issues and how to solve them.
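As an added example (not from the original post or from Bisson’s report), here is the vulnerable pattern beside its fix, run against an in-memory SQLite database with constructed sample rows; the table and column names are hypothetical. The fix shown is a parameterized query rather than input sanitizing: the value is sent to the driver separately from the SQL text and can never alter the statement’s structure, whatever quotes or keywords it contains.

```python
"""Vulnerable string-built query beside its parameterized fix, against an
in-memory SQLite database. Added example; table/column names and rows are
constructed for the demonstration."""
import sqlite3

# Constructed sample data (hypothetical schema).
SAMPLE_USERS = [
    ("alice", "alice@example.edu", "staff"),
    ("bob", "bob@example.edu", "student"),
    ("carol", "carol@example.edu", "admin"),
]
SAMPLE_CREDENTIALS = [
    ("alice", "hash-of-alice-password"),
    ("carol", "hash-of-carol-password"),
]


def make_db():
    """Create and populate an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.execute("CREATE TABLE credentials (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO credentials VALUES (?, ?)", SAMPLE_CREDENTIALS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The classic mistake: the request parameter is pasted into the SQL text,
    so a quote in the input ends the literal and the rest becomes SQL."""
    sql = "SELECT name, email, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: a placeholder in the SQL text, the value passed separately.
    The driver binds it as data, so it cannot change the statement."""
    sql = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Two payloads of the kind sent through web forms: a tautology that turns the
# WHERE clause into "always true", and a UNION that pulls rows from a table the
# page was never meant to show.
TAUTOLOGY = "nobody' OR '1'='1"
UNION = "x' UNION SELECT username, password_hash, 'x' FROM credentials WHERE '1'='1"


def demo():
    """Run both payloads through both lookups and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable_tautology_rows": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "vulnerable_union_rows": sorted(lookup_vulnerable(conn, UNION)),
        "parameterized_tautology_rows": len(lookup_parameterized(conn, TAUTOLOGY)),
        "parameterized_union_rows": len(lookup_parameterized(conn, UNION)),
        "legitimate_lookup": lookup_parameterized(conn, "bob"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology returns every user through the vulnerable lookup and nothing through the parameterized one; the UNION payload returns the password hashes of a table the page never queries, which is exactly the kind of bulk data theft the article describes. A good first student exercise is to grep a code base for queries assembled with string concatenation or formatting and convert each one to the placeholder form.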

Have a good weekend.

TalkTalk warns customers about personal data breach

4 November 2015

When Warwick Ashford’s report about the TalkTalk data breach popped up in my mailbox on 23 October I was busy with holiday preparations. So I only skimmed the report. On Saturday morning at the airport I read it in peace and searched for more information.

UK phone and broadband provider TalkTalk was hacked. The company announced the attack on 21 October on their website. In the worst case, attackers may have accessed the data of 4 million customers.

What surprised me was that this was the second attack in this year.

But what really concerns me is the proposed solution:

“Encryption is the only way for organisations to get control and be in a position to mitigate and ultimately accept risk,” said panellist Frank Weisel, regional sales manager at Vormetric in Germany.

Data encryption as an isolated protection measure is simply irrelevant in this and many other cases. Once the attackers have made it onto the victim’s network they act as authorized users, and authorized users (or the applications that serve them) have access to the data and to the keys needed to decrypt it. Encryption at rest protects a lost disk or backup tape; it does nothing against a query issued through the application’s own database session.

Whether the initial attack is performed via SQL or command injection, through an unpatched server or via a phishing attack is immaterial. Only the result counts.

Alan Solomon took the same line some days later in his post “TalkTalk was hacked. But it’s silly to ask if the data was encrypted”.

In my opinion the basic problem comes from the inherently weak user authentication technology. It became clear to me again when I collected my rental car at Funchal airport.

Although the desk operator had my reservation details on his screen, I had to authenticate myself with my passport and a valid driver’s licence to get the car key. When it comes to safety, Two Factor Authentication (TFA) is taken for granted.

From my point of view it’s time to secure access to business-critical company data with a second authentication factor: for all employees who have a stake in the data, for every session, and of course in addition to encryption, patching, secure application development, etc.

This will make it considerably harder for attackers to get access to a company’s secrets. It does not, however, stop an injection attack that runs inside an already authenticated application session, which is why the application itself still has to be fixed.

Have a good day.

Unhandled program exceptions and informative error messages – free support for Cyber Attackers

30 August 2015

Today companies know their business-critical information and protect it against unauthorized use and disclosure.

Cyber criminals don’t attack the business-critical information directly; they attack the application systems through vulnerabilities in the system and application software. Application and system developers make life easy for them by disclosing information about the system design through unhandled program exceptions and informative error messages.

Unhandled program exceptions exist in almost every web application. Candidates are URLs with parameters like

https://xxxxx.xxxxxxx.com/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?Page=HRS_CE_HM_PRE&Action=A&SiteId=11&languageCd=GER

Most programmers test in depth to make sure that the program retrieves exactly the information defined in the requirements specification. But what happens if an invalid value is supplied?

Let’s rewrite this URL and assign SiteId the value -1:

https://xxxxx.xxxxxxx.com/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?Page=HRS_CE_HM_PRE&Action=A&SiteId=-1&languageCd=GER

The result is:

A negative number was assigned to an Attribute of type "Unsigned": HRS_SITE_ID.HRS_SITE_ID. (2,121) WEBLIB_XXXXXXXX.ISCRIPT_ XXXXXXXX.FieldFormula Name:ax_Parameter_security PCPC:1176 Statement:19 Called from:WEBLIB_ XXXXXXXX.ISCRIPT_ XXXXXXXX.FieldFormula Name:Iscript_Load XXXXXXXX Portal Statement:28

Okay, it’s not the entire program stack, but it tells an attacker quite a lot: the parameter was not validated by the application itself and was only rejected by the data layer’s type check, and the message leaks internal record and field names (HRS_SITE_ID.HRS_SITE_ID), library and function names, and statement numbers. That is exactly the hint an attacker wants that the site is possibly vulnerable to SQL injection.

Unchecked error conditions are listed as CWE-391 in the Common Weakness Enumeration; the informative error message itself is CWE-209 (Generation of Error Message Containing Sensitive Information). Programmers can solve the first problem by adding a catch-all exception handler (a “when others” branch in PL/SQL terms, a generic catch in other languages) around the request, and the second by having that handler write the details to the server log and return only a generic message to the client. A catch-all that silently swallows the error is not a fix; the detail must still be logged, just not shown.

The best error message is one that reveals neither information about the application system nor about the internal structure of the application:

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable. Please excuse the inconvenience caused.

Period. For a good overview of error handling problems and mitigations see the SANS Securing Web Application Technologies (SWAT) checklist.
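An added example (not the original post’s code and not tied to any particular application platform) of the two halves of the fix: validating SiteId at the application boundary before the data layer ever sees it, and a catch-all handler that writes the detail to the server log and returns only the generic message above. The parameter names, the unsigned range and the lookup table are assumptions made for the demonstration; the boundary values probed are the ones from the post plus a few more an attacker would try next.

```python
"""Boundary-value validation plus a catch-all handler that keeps exception
detail in the server log and out of the HTTP response. Added example; the
parameter names, the unsigned range and the lookup table are assumptions."""
import logging
import re
import uuid
from io import StringIO

# Constructed in-memory log sink so the example runs offline and the log can
# be inspected; in production this would be the normal application log.
LOG_SINK = StringIO()
log = logging.getLogger("portal-example")
log.addHandler(logging.StreamHandler(LOG_SINK))
log.setLevel(logging.ERROR)
log.propagate = False

# The generic message from the post: nothing about the system or its internals.
GENERIC_MESSAGE = ("The resource you are looking for might have been removed, "
                   "had its name changed, or is temporarily unavailable. "
                   "Please excuse the inconvenience caused.")

MAX_UNSIGNED = 2**32 - 1   # assumption: SiteId is an unsigned 32-bit value


def parse_site_id(raw):
    """Validate SiteId at the application boundary, before the data layer.
    ASCII digits only: str.isdigit() would accept superscripts that int()
    then rejects, which is itself an unhandled-exception path."""
    if raw is None or not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("SiteId is not a non-negative integer: %r" % (raw,))
    value = int(raw)
    if value > MAX_UNSIGNED:
        raise ValueError("SiteId exceeds the unsigned range: %d" % value)
    return value


# Constructed stand-in for the data layer (hypothetical site table).
SITES = {11: "Careers portal"}


def load_site(site_id):
    """Raises KeyError for an unknown id, like a failed record fetch would."""
    return SITES[site_id]


def log_failure(params, exc):
    """Write the full detail to the server log under a reference id."""
    ref = uuid.uuid4().hex[:8]
    log.error("ref=%s params=%r %s: %s", ref, params, type(exc).__name__, exc)
    return ref


def handle_request(params):
    """Request handler with the catch-all ("when others") branch. Whatever
    goes wrong, the client only ever sees a status code and GENERIC_MESSAGE."""
    try:
        site_id = parse_site_id(params.get("SiteId"))
    except ValueError as exc:
        log_failure(params, exc)
        return 400, GENERIC_MESSAGE
    try:
        name = load_site(site_id)
    except Exception as exc:   # catch-all: every other failure ends up here
        log_failure(params, exc)
        return 404, GENERIC_MESSAGE
    return 200, name


def boundary_probe():
    """The boundary values an attacker would try first; returns
    {probe: status} so the behaviour can be checked in one go."""
    probes = ["11", "-1", "0", "abc", "1 OR 1=1", str(MAX_UNSIGNED + 1), ""]
    return {p: handle_request({"SiteId": p, "Action": "A"})[0] for p in probes}


def response_leaks_detail():
    """True if any probe response contains something an attacker could use."""
    texts = [handle_request({"SiteId": p})[1] for p in boundary_probe()]
    return any(word in t for t in texts for word in ("Error", "SiteId", "Unsigned"))


if __name__ == "__main__":
    print(boundary_probe())
    print("server log:\n" + LOG_SINK.getvalue())
```

Every invalid probe ends in the same uninformative response, while the server log still records the parameter, the exception type and its message under a short reference id so that support staff can find the entry. The validation step is deliberately placed before the data access: the page’s original error came from the data layer’s type check, i.e. the value had already travelled further than it should have.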

Have a good weekend, and fun with boundary value tests.