Follow the Appiant way to a more secure network…

Real security experts. Focusing primarily on security audits and training, we've found our niche and we're good at it.

Security in the news…
Hardly a day goes by that we don't hear new information about some company getting hacked. Sure, they all have firewalls, but HOW are the hackers getting in? I was hired to perform an application security audit for a local university. They wanted to make sure that they didn't become part of the growing statistics. In this video, I discover that they have error-checking routines to prevent SQL injections while logging in. I simply disable those routines and gain access to the web site.

Exploit Fixed (764kb Download)

So what is so special about the ' or 1=1 -- garbage? The information that goes into the username and password fields is used to build an SQL query. If the username is "bob" and his password is "secret", that information would produce an SQL query that looks something like:

SELECT * FROM USERS WHERE USERNAME='bob' AND PASSWORD='secret'

Translated into English, this query says: "Search all the data in table USERS and return the row where username='bob' and password='secret'." So, by using the password ' or 1=1 --, you create a query that reads like this:

SELECT * FROM USERS WHERE USERNAME='bob' AND PASSWORD='' or 1=1 --'

...which will ALWAYS return true because 1=1 (1 is always equal to 1), so the login is accepted and the query returns the first record in the table. If you understand basic query logic, you know that the OR operator makes the whole condition true whenever what follows it is true, regardless of the conditions before it, and 1 is always equal to 1. You could accomplish the same thing with 2=2, x=x or y=y. If only the characters in the password field are filtered, simply use ' or 1=1 or ' as the username to modify the query. (The "--" denotes a comment: everything following it is ignored by the SQL command interpreter. The actual character - or sequence of characters - varies by database vendor.)
If you want to get really malicious, you could type '; drop table USERS --, which will drop the USERS table from the database, and you'll have to restore the database from tape, or '; dump table users --, which will dump the user table to the screen... you get the idea. Your only limitation is your imagination.

How to fix it…
There are essentially three ways to address these vulnerabilities. The first is what we saw in the first video, what I refer to as "bolt-on" security: security that is easily bypassed or defeated because it lives on the client (web browser) side, where the user can see it and switch it off. The second option is to completely rewrite the application so that the validation takes place server-side. The third option, and the one customers are finding most cost-effective, is to simply install an application firewall.

Application Firewalls (17.3mb Download)
Microsoft SQL Security (7.1mb Download)
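As an added example (not from the article or Appiant's videos), here is the string-built login query described above next to the server-side fix, a parameterized query, using Python's sqlite3 module and a constructed one-row USERS table. The make_db, build_concat_query, login_concat and login_param names are assumptions made for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database: the article's USERS table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (USERNAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('bob', 'secret')")
    conn.commit()
    return conn


def build_concat_query(username, password):
    """The vulnerable pattern: field contents are pasted straight into the SQL text."""
    return ("SELECT * FROM USERS WHERE USERNAME='" + username +
            "' AND PASSWORD='" + password + "'")


def login_concat(conn, username, password):
    """Vulnerable login: whatever the user typed becomes part of the SQL syntax,
    so ' or 1=1 -- turns the WHERE clause into one that is always true."""
    row = conn.execute(build_concat_query(username, password)).fetchone()
    return row is not None


def login_param(conn, username, password):
    """Server-side fix: the driver binds the values as data, never as SQL,
    so the same input is compared literally against the PASSWORD column."""
    sql = "SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_concat_query("bob", "' or 1=1 --"))
    print("concat, real password: ", login_concat(db, "bob", "secret"))
    print("concat, injected:      ", login_concat(db, "bob", "' or 1=1 --"))
    print("concat, username trick:", login_concat(db, "' or 1=1 or '", "x"))
    print("param, real password:  ", login_param(db, "bob", "secret"))
    print("param, injected:       ", login_param(db, "bob", "' or 1=1 --"))
```

The concatenated version accepts both the password and the username variants of the injection; the parameterized version only accepts the real credentials.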