SlideShare a Scribd company logo

Connection String Parameter Pollution Attacks

Chema Alonso
Chema Alonso

Paper about Connection String Attacks that focus in Connection String Parameter Pollution in Web Applications. Presented in Ekoparty 2009, Black Hat DC 2010 and Troopers 2010

1 of 13
Downloaded 32 times
Connection String Parameter Pollution Attacks Chema Alonso1 , Manuel Fernandez1 , Alejandro Martín1 and Antonio Guzmán2 1 Informatica64, S.L. 2 Universidad Rey Juan Carlos 1 {chema,mfernandez,amartin}@informatica64.com, 2 antonio.guzman@urjc.es Abstract. In 2007 the ranking of the top ten critical vulnerabilities for the security of a system established code injection as the top 2, closely following top 1 XSS attacks. The first release candidate of the 2010 version of the ranking has promoted code injection attacks to top 1. Actually, the most critical attacks are those that combine XSS techniques to access systems and code injection techniques to access the information. The potential damage associated with this kind of threats, the total absence of background and the fact that the solution to mitigate these vulnerabilities must be worked together with programmers, systems administrators and database vendors justifies an in-depth analysis to estimate all the possible ways of implementing this technique. Keywords: Code injection attacks, connection strings, web application authentication delegation. 1 Introduction SQL injections are probably the most known injection attacks to web applications by abusing its database architecture. Many different approaches and techniques have been studied and analyzed so far, and the published results conclude that to prevent these attacks from being successful, development teams need to establish the correct filtering levels on the inputs to the system. In the case of the attack presented in this paper, responsibility lays not only on developers, but also on system administrators and database vendors. This attack affects web applications, but instead of abusing implementation flaws in the way database queries are crafted, which is the most commonly found scenario on other injection attacks, it abuses the way applications connect to the database. According to OWASP [1], in 2007 the ranking of the top ten critical vulnerabilities for the security of a system established code injection attacks as the top 2, closely following top 1 XSS attacks. The first release candidate of the 2010 version of the ranking has promoted code injection attacks to top 1. Actually, the most critical attacks are those that combine XSS techniques to access systems and code injection techniques to access the information. This is the case for the so-called connection string parameter pollution attacks. Potential impact of this type of vulnerability and the total absence of background justify an in-depth analysis to estimate all possible attack vectors using this technique.
This paper is structured is in three main sections. The first is this short introduction where the foundations of the connection strings and existing mechanisms for the implementation of web applications authentication will be introduce. Section two proposes a comprehensive study of this new attack technique, with an extensive collection of test cases. The article concludes briefly summarizing the lessons learned. 1.1 Connections Strings Connection strings [2] are used to connect applications to database engines. The syntax used on these strings depends on the database engine to be connected to and on the provider or driver used by the programmer to establish the connection. One way or another, the programmer must specify the server and port to connect to, the database name, authentication credentials, and some connection configuration parameters, such as timeout, alternative databases, communication protocol or encryption options. The following example shows a common connection string used to connect to a Microsoft SQL Server database: “Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;” As the example shows, a connection string is a collection of parameters separated by semicolons (;), each parameter being a key-value pair. The attributes used in the example correspond to the ones used in the “.NET Framework Data Provider for SQL Server”, which is chosen by programmers when they use the “SqlConnection” class in their .NET applications. Obviously, it is possible to connect to SQL Server using different providers such as: - “.NET Framework Data Provider for OLE DB” (OleDbConnection) - “.NET Framework Data Provider for ODBC” (OdbcConnection) - “SQL Native Client 9.0 OLE DB provider” The most common and recommended way to connect a .NET based application and a SQL server, is to use the framework default provider, where the connection string syntax is the same regardless the different versions of SQL Server (7, 2000, 2005 and 2008). This is the one used in this article to illustrate the examples. 1.2 Web Application authentication delegation There are two ways of defining an authentication system for a web application: create an own credential system, or delegate it to the database engine. In most cases, the application developer chooses to use only one user to connect to the database. Seen from the database side, this database user represents the entire web application. Using this connection, the web application will make queries to a custom users table where the user credentials for the application are stored.
Fig. 1. Common web application authentication architecture The web application is identified by a single database user with access to the entire application content in the database, thus it is impossible to implement a granular permission system in the database over the different object, or to trace the actions of each user in the web application, delegating these tasks to the web application itself. If an attacker is able to abuse some vulnerability in the application to access the database, the whole database will be exposed. This architecture is very common, and can be found in widely used CMS systems such as Joomla, Mambo and many others. Usually, the target of the attacker is to get the application users credentials from the users table in the database. The alternative consists in delegating the authentication to the database engine, so that the connection string does not contain a fixed set of credentials, but will use those entered by the application user and it is the database engine responsibility to check them. Database management applications always use this delegated authentication, so that the user connecting to the application will only be able to access and control those objects and actions for which he has permissions. With this architecture, it is possible to implement a granular permission system and to trace user actions in the database. Database engine Web application
Fig. 2. Web application delegated authentication architecture. Both methods offer different advantages and disadvantages, apart from the ones already mentioned, which are outside the scope of this article. The techniques described in this paper will focus on the second environment: web applications with delegated authentication to the database engine. 2 Connection String Injection In a delegated authentication environment connection string injection techniques allow an attacker to inject parameters by appending them with the semicolon (;) character. In an example where the user is asked to enter a username and a password to create a connection string, an attacker can void the encrypting system by entering a password such as "pwd; Encryption=off", resulting in a connection string like: “Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off” When the connection string is populated, the Encryption value will be added to the previously configured set of parameters.
2.1 Connection String Builder in .NET Aware of this exploitation [3] of the connection strings, Microsoft included the “ConnectionStringBuilder” [4] classes on it's version 2.0 of the Framework. They are meant to create secure connection strings through the base class (DbConnectionStringBuilder) or through the specific classes for the different providers (SqlConnectionStringBuilder, OleDbConnectionStringBuilder, etc…), and they achieve this by allowing just key-value pairs for attributes and by escaping injection attempts. The use of these classes when creating a connection string would prevent the injections. However, not every developer or application uses them. 2.2 Connection String Parameter Pollution Parameter pollution techniques are used to override values on parameters. They are well known in the HTTP [5] environment but they are also applicable to other environments. In this example, parameter pollution techniques can be applied to parameters in the connection string, allowing several attacks. 2.3 Connection String Parameter Pollution (CSPP) Attacks As an example scenario to illustrate these attacks, a web application where a user [User_Value] and a password [Password_Value] are required is served by a Microsoft Internet Information Services web server running on a Microsoft Windows Server. The application user credentials are going to be used to create a connection string to a Microsoft SQL Server database as follows: Data source = SQL2005; initial catalog = db1; integrated security=no; user id=+’User_Value’+; Password=+’Password_Value’+; This connection string shows how the application is connecting to a Microsoft SQL Server database engine. Knowing this, and attacker can perform a Connection String Parameter Pollution Attack. The idea of this attack is to add a parameter to the connection string with the desired value, regardless of if it already was in the string or the value with which was set up. The component used by .NET applications to craft the connection string will use the value of the last occurrence of the parameter in the connection string. If the connection string has two parameters which key is "Data Source", the value used will be the one of the last of the two pairs, which allows the following CSPP attack vectors: 2.3.1 CSPP Attack 1: Hash stealing An attacker can place a Rogue Microsoft SQL Server connected to the Internet with a Microsoft SQL Server credential sniffer listening (In this exsmple CAIN [6] has been used). An attacker would perform a CSPP attack as follows: User_Value: ; Data Source = Rogue_Server
Password_Value: ; Integrated Security = true Resulting in the following connecting string: Data source = SQL2005; initial catalog = db1; integrated security=no; user id=;Data Source=Rogue Server; Password=; Integrated Security=true; The "Data Source" and "Integrated Security" parameters are being overridden so that the Microsoft SQL Server native drivers will use the last set of values ignoring the previous ones, and the application will try to connect to Rogue_Server with the Windows credentials it's running on, which can be either a system user or an application pool user. 2.3.1.1 Example 1: ASP.NET Enterprise Manager This tool is an abandoned and unsupported Open Source tool, but still being used by some hosting companies and some organizations to manage Microsoft SQL Server databases via a web interface. The official web site, which used to be aspnetenterprisemanager.com, is today abandoned, but the tool can be obtained from several other web sites like SourceForge [7] or MyOpenSource [8]. This tool is being recommended in a lot of forums as a good ASP.NET alternative to PHPMyAdmin [9], even though the last version was published on the 3rd of January of 2003. Fig. 3. CSPP in ASP.NET Enterprise Manager to steal the account information The results are collected on the rogue server where the database connection sniffer has been installed giving access to the LM Hash of the account.
Fig. 4. Hash collected in the rogue server with Cain 2.3.2 CSPP Attack 2: Port scanning One of the valid parameters on a connection string is the port to connect to. An attacker can abuse an application vulnerable to this technique to network scan servers by trying to connect to different ports and see the error messages obtained: User_Value: ; Data Source =Target_Server, Target_Port Password_Value: ; Integrated Security = true This injection attack will result in the following connection string: Data source = SQL2005; initial catalog = db1; integrated security=no; user id=;Data Source=Target Server, Target Port; Password=; Integrated Security=true; This connection string will ignore the first instance of the first "Data Source" parameter and will use the last one, meaning that the web application is going to try to connect to "Target Port" port on the "Target Server" machine. Observing the differences in the returned error messages, a port scan can be performed. 2.3.2.1 Example 2: myLittleAdmin and myLittleBackup The tools myLittleAdmin [10] and myLittleBackup [11] are commercial tools developed by myLittleTools [12]. Both tools are vulnerable to CSPP attacks up to versions myLittleAdmin 3.5 and myLittleBackup 1.6.
Fig. 5. A connection can be established through port 80 to www.gooogle.com As shown in Fig. 5, when the port is listening (open) the error message obtained says that no Microsoft SQL Server is listening on it, but a TCP connection was established. Fig. 6. A connection cannot be established through the XX port to www.google.com When the port is closed, a TCP connection could not be completed and the error message is different. Using these error messages a complete TCP port scan can be run against a server. Of course, this technique can also be used to discover internal servers within the DMZ where the web application is hosted.
2.3.3 CSPP Attack 3: Hijacking Web credentials This time the attacker tries to connect to the database by using the web application system account instead of a user provided set of credentials: User_Value: ; Data Source =Target_Server Password_Value: ; Integrated Security = true These injected values will result in the following connection string: Data source = SQL2005; initial catalog = db1; integrated security=no; user id=;Data Source=Target Server, Target Port; Password=; Integrated Security=true; This time is the "integrated security" parameter what is being overwritten with a "True" value. This means that the system will try to connect to the database with the system account which the tool is running with. In this case this is the system account used by the web application in the web server. 2.3.3.1 Example 3: SQL Server Web Data Administrator This tool is a project, originally developed by Microsoft, which was made free as an Open Project. Today, it is still possible to download the last version that Microsoft released on 2004 from Microsoft Servers [13] but the latest one, released on 2007, is hosted in the Codeplex web site [14]. The version hosted in Codeplex is secure to this type of attacks because it is using the ConnectionStringBuilder classes to dynamically construct the connection string. The version published on the Microsoft web site is vulnerable to CSPP attacks. The following screenshots show how it is possible to get access to the system using this type of attack. Fig. 7. Exploiting the credentials at the WEB Data Administrator In Fig. 7, the password value is: “; integrated Security=true”, as described previously.
Fig. 8. Console access with the server account The attacker can log into the web application to manage the whole system. As shown in Fig. 9, this is because all users and network services have access to the server. Fig. 9. System account access grant. 2.3.3.2 Example 4: myLittleAdmin and myLittleBackup In mylittleAdmin and myLittlebackup tools, it is possible to check out the connection string used to get the access. Looking at it, the parameter pollution injected in order to obtain access to the system can be clearly seen.
Fig. 10. CSPP in myLittleAdmin. Fig. 10 shows how the "Data Source" parameter, after the "User ID" parameter, has been injected with the localhost value. This parameter, "Data Source", is also the first one of the connection string. Their values are different but the one that is being used is the last one, i.e. the injected one. Same happens with the "Integrated Security" parameter that appears initially with the no value but then is overriden by the one injected in the password value with value yes, resulting in a total access to the server with the system account the web application is running as. Fig. 11. Querying the master..sysusers table. 2.3.3.3 Example 5: ASP.NET Enterprise Manager
The same attack also works on the latest public version of the ASP.NET Enterprise manager, so, as can be seen in the following login form, an attacker can perform the CSPP injection to get access to the web application. Fig. 12. CSPP in ASP.NET Enterprise Manager login form. And as a result of it, full access can be obtained, just as can be seen in the following screenshot. Fig. 13. Administration console in ASP.NET Enterprise Manager. 3 Conclusions All these examples show the importance of filtering any user input in web applications. Moreover, these examples are a clear proof of the importance of maintaining the software updated. Microsoft released ConnectionStringbuilder in
order to avoid these kinds of attacks, but not all projects were updated to use these new and secure components. These techniques also apply to other database engines such as Oracle databases, which allow administrators to set up Integrated security into the database. Besides, in Oracle connection strings it is possible to change the way a user gets connected by forcing the use of a sysdba session. MySQL databases do not allow administrators to configure an Integrated Security authentication process. However, it is still possible to inject code and manipulate connection strings to try to connect against internal servers not exposed to the Internet. In order to avoid these attacks the semicolon character must be filtered out, all the parameters sanitized, and the firewall be hardened in order to filter not only inbound connections but also prevent outbound connections from internal servers that are sending NTLM credentials to the internet. Databases administrator should also apply a hardening process in the database engine to restrict access by a minimum privilege policy. References 1. The Open Web Application Security Project, http://www.owasp.org 2. Connection Strings.com: http://www.connectionstrings.com 3. Ryan, W.: Using the SqlConnectionStringBuilder to guard against Connection String Injection Attacks, http://msmvps.com/blogs/williamryan/archive/2006/01/15/81115.aspx 4. Connection String Builder (ADO.NET), http://msdn.microsoft.com/en-us/library/ms254947.aspx 5. Carettoni L., di Paola S.: HTTP Parameter Pollution, http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf 6. Cain: http://www.oxid.it/cain.html 7. ASP.NET Enterprise Manager in SourceForge, http://sourceforge.net/projects/asp-ent-man/ 8. ASP.NET Enterprise Manager in MyOpenSource: http://www.myopensource.org/internet/asp.net+enterprise+manager/download-review 9. PHPMyAdmin: http://www.phpmyadmin.net/ 10. myLittleAdmin: http://www.mylittleadmin.com 11. myLittleBackup: http://www.mylittlebackup.com 12. myLittleTools: http://www.mylittletools.net 13. Microsoft SQL Server Web Data Administrator: http://www.microsoft.com/downloads/details.aspx?FamilyID=c039a798-c57a-419e-acbc- 2a332cb7f959&displaylang=en 14. Microsoft SQL Server Web Data Administrator in Codeplex project: http://www.codeplex.com/SqlWebAdmin
Ad

Recommended

How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scanners
Chema Alonso
 
Security vulnerabilities related to web-based data
Security vulnerabilities related to web-based dataSecurity vulnerabilities related to web-based data
Security vulnerabilities related to web-based data
TELKOMNIKA JOURNAL
 
Us20140380431 Patent: COMPUTER IMPLEMENTED METHOD TO PREVENT ATTACKS AGAINST...
Us20140380431 Patent: COMPUTER IMPLEMENTED METHOD TO PREVENT ATTACKS AGAINST...Us20140380431 Patent: COMPUTER IMPLEMENTED METHOD TO PREVENT ATTACKS AGAINST...
Us20140380431 Patent: COMPUTER IMPLEMENTED METHOD TO PREVENT ATTACKS AGAINST...
Telefónica
 
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONFRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
ijiert bestjournal
 
IRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & Mitigation
IRJET Journal
 
PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
PXpathV: Preventing XPath Injection Vulnerabilities in Web ApplicationsPXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
ijwscjournal
 
Cryptoghaphy
CryptoghaphyCryptoghaphy
Cryptoghaphy
anita bodke
 
1738 1742
1738 17421738 1742
1738 1742
Editor IJARCET
 
LDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web ApplicationsLDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web Applications
Chema Alonso
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
Implementation of user authentication as a service for cloud network
Implementation of user authentication as a service for cloud networkImplementation of user authentication as a service for cloud network
Implementation of user authentication as a service for cloud network
Salam Shah
 
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
IOSR Journals
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
Sean Jackson
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
theijes
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML Database
IOSR Journals
 
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
IJNSA Journal
 
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORDAN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
IJNSA Journal
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
Terrance Medina
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Big Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using SplunkBig Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using Splunk
IJERA Editor
 
Double guard synopsis
Double guard synopsisDouble guard synopsis
Double guard synopsis
manju5162
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasures
idescitation
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
Cenzic
 
Double guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web ApplicationsDouble guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web Applications
IJMER
 
Hacking iOS: iPhone & iPad (2º Edición) [Índice]
Hacking iOS: iPhone & iPad (2º Edición) [Índice]Hacking iOS: iPhone & iPad (2º Edición) [Índice]
Hacking iOS: iPhone & iPad (2º Edición) [Índice]
Telefónica
 
Habilitacion de Autentificaion de sql
Habilitacion de Autentificaion de sql Habilitacion de Autentificaion de sql
Habilitacion de Autentificaion de sql
KevinFD
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]
RootedCON
 
Habilitar la Autenticación SQL y crear un nuevo usuario SQL
Habilitar la Autenticación SQL y crear un nuevo usuario SQLHabilitar la Autenticación SQL y crear un nuevo usuario SQL
Habilitar la Autenticación SQL y crear un nuevo usuario SQL
narkamo3
 
LDAP Injection & Blind LDAP Injection
LDAP Injection & Blind LDAP InjectionLDAP Injection & Blind LDAP Injection
LDAP Injection & Blind LDAP Injection
Chema Alonso
 
Ad

More Related Content

What's hot (17)

LDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web ApplicationsLDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web Applications
Chema Alonso
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
Implementation of user authentication as a service for cloud network
Implementation of user authentication as a service for cloud networkImplementation of user authentication as a service for cloud network
Implementation of user authentication as a service for cloud network
Salam Shah
 
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
IOSR Journals
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
Sean Jackson
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
theijes
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML Database
IOSR Journals
 
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
IJNSA Journal
 
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORDAN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
IJNSA Journal
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
Terrance Medina
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Big Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using SplunkBig Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using Splunk
IJERA Editor
 
Double guard synopsis
Double guard synopsisDouble guard synopsis
Double guard synopsis
manju5162
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasures
idescitation
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
Cenzic
 
Double guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web ApplicationsDouble guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web Applications
IJMER
 
LDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web ApplicationsLDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web Applications
Chema Alonso
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
Implementation of user authentication as a service for cloud network
Implementation of user authentication as a service for cloud networkImplementation of user authentication as a service for cloud network
Implementation of user authentication as a service for cloud network
Salam Shah
 
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
IOSR Journals
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
Sean Jackson
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
theijes
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML Database
IOSR Journals
 
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
IJNSA Journal
 
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORDAN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
IJNSA Journal
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
Terrance Medina
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Big Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using SplunkBig Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using Splunk
IJERA Editor
 
Double guard synopsis
Double guard synopsisDouble guard synopsis
Double guard synopsis
manju5162
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasures
idescitation
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
Cenzic
 
Double guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web ApplicationsDouble guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web Applications
IJMER
 

Viewers also liked (12)

Hacking iOS: iPhone & iPad (2º Edición) [Índice]
Hacking iOS: iPhone & iPad (2º Edición) [Índice]Hacking iOS: iPhone & iPad (2º Edición) [Índice]
Hacking iOS: iPhone & iPad (2º Edición) [Índice]
Telefónica
 
Habilitacion de Autentificaion de sql
Habilitacion de Autentificaion de sql Habilitacion de Autentificaion de sql
Habilitacion de Autentificaion de sql
KevinFD
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]
RootedCON
 
Habilitar la Autenticación SQL y crear un nuevo usuario SQL
Habilitar la Autenticación SQL y crear un nuevo usuario SQLHabilitar la Autenticación SQL y crear un nuevo usuario SQL
Habilitar la Autenticación SQL y crear un nuevo usuario SQL
narkamo3
 
LDAP Injection & Blind LDAP Injection
LDAP Injection & Blind LDAP InjectionLDAP Injection & Blind LDAP Injection
LDAP Injection & Blind LDAP Injection
Chema Alonso
 
Índice Libro "macOS Hacking" de 0xWord
Índice Libro "macOS Hacking" de 0xWordÍndice Libro "macOS Hacking" de 0xWord
Índice Libro "macOS Hacking" de 0xWord
Telefónica
 
Analizando la efectividad de ataques de correlación pasivos en la red de ano...
Analizando la efectividad de ataques de correlación pasivos en la red de ano...Analizando la efectividad de ataques de correlación pasivos en la red de ano...
Analizando la efectividad de ataques de correlación pasivos en la red de ano...
Chema Alonso
 
Some dirty, quick and well-known tricks to hack your bad .NET WebApps
Some dirty, quick and well-known tricks to hack your bad .NET WebAppsSome dirty, quick and well-known tricks to hack your bad .NET WebApps
Some dirty, quick and well-known tricks to hack your bad .NET WebApps
Telefónica
 
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Recuperar dispositivos de sonido en Windows Vista y Windows 7Recuperar dispositivos de sonido en Windows Vista y Windows 7
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Chema Alonso
 
Índice del libro "Hacking Web Technologies"
Índice del libro "Hacking Web Technologies"Índice del libro "Hacking Web Technologies"
Índice del libro "Hacking Web Technologies"
Telefónica
 
DirtyTooth: It´s only Rock'n Roll but I like it
DirtyTooth: It´s only Rock'n Roll but I like itDirtyTooth: It´s only Rock'n Roll but I like it
DirtyTooth: It´s only Rock'n Roll but I like it
Telefónica
 
DirtyTooth: It´s only Rock'n Roll but I like it [Slides]
DirtyTooth: It´s only Rock'n Roll but I like it [Slides]DirtyTooth: It´s only Rock'n Roll but I like it [Slides]
DirtyTooth: It´s only Rock'n Roll but I like it [Slides]
Telefónica
 
Hacking iOS: iPhone & iPad (2º Edición) [Índice]
Hacking iOS: iPhone & iPad (2º Edición) [Índice]Hacking iOS: iPhone & iPad (2º Edición) [Índice]
Hacking iOS: iPhone & iPad (2º Edición) [Índice]
Telefónica
 
Habilitacion de Autentificaion de sql
Habilitacion de Autentificaion de sql Habilitacion de Autentificaion de sql
Habilitacion de Autentificaion de sql
KevinFD
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]
RootedCON
 
Habilitar la Autenticación SQL y crear un nuevo usuario SQL
Habilitar la Autenticación SQL y crear un nuevo usuario SQLHabilitar la Autenticación SQL y crear un nuevo usuario SQL
Habilitar la Autenticación SQL y crear un nuevo usuario SQL
narkamo3
 
LDAP Injection & Blind LDAP Injection
LDAP Injection & Blind LDAP InjectionLDAP Injection & Blind LDAP Injection
LDAP Injection & Blind LDAP Injection
Chema Alonso
 
Índice Libro "macOS Hacking" de 0xWord
Índice Libro "macOS Hacking" de 0xWordÍndice Libro "macOS Hacking" de 0xWord
Índice Libro "macOS Hacking" de 0xWord
Telefónica
 
Analizando la efectividad de ataques de correlación pasivos en la red de ano...
Analizando la efectividad de ataques de correlación pasivos en la red de ano...Analizando la efectividad de ataques de correlación pasivos en la red de ano...
Analizando la efectividad de ataques de correlación pasivos en la red de ano...
Chema Alonso
 
Some dirty, quick and well-known tricks to hack your bad .NET WebApps
Some dirty, quick and well-known tricks to hack your bad .NET WebAppsSome dirty, quick and well-known tricks to hack your bad .NET WebApps
Some dirty, quick and well-known tricks to hack your bad .NET WebApps
Telefónica
 
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Recuperar dispositivos de sonido en Windows Vista y Windows 7Recuperar dispositivos de sonido en Windows Vista y Windows 7
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Chema Alonso
 
Índice del libro "Hacking Web Technologies"
Índice del libro "Hacking Web Technologies"Índice del libro "Hacking Web Technologies"
Índice del libro "Hacking Web Technologies"
Telefónica
 
DirtyTooth: It´s only Rock'n Roll but I like it
DirtyTooth: It´s only Rock'n Roll but I like itDirtyTooth: It´s only Rock'n Roll but I like it
DirtyTooth: It´s only Rock'n Roll but I like it
Telefónica
 
DirtyTooth: It´s only Rock'n Roll but I like it [Slides]
DirtyTooth: It´s only Rock'n Roll but I like it [Slides]DirtyTooth: It´s only Rock'n Roll but I like it [Slides]
DirtyTooth: It´s only Rock'n Roll but I like it [Slides]
Telefónica
 
Ad

Similar to Connection String Parameter Pollution Attacks (20)

fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
Rana sing
 
Final review ppt
Final review pptFinal review ppt
Final review ppt
Rana sing
 
A Survey on Authorization Systems for Web Applications
A Survey on Authorization Systems for Web ApplicationsA Survey on Authorization Systems for Web Applications
A Survey on Authorization Systems for Web Applications
iosrjce
 
A017310105
A017310105A017310105
A017310105
IOSR Journals
 
A26001006
A26001006A26001006
A26001006
IJERA Editor
 
Attacks on web services need to secure xml on web
Attacks on web services need to secure xml on webAttacks on web services need to secure xml on web
Attacks on web services need to secure xml on web
cseij
 
Authentication and Authorization for User Roles and Device for Attack Detecti...
Authentication and Authorization for User Roles and Device for Attack Detecti...Authentication and Authorization for User Roles and Device for Attack Detecti...
Authentication and Authorization for User Roles and Device for Attack Detecti...
IRJET Journal
 
ieee
ieeeieee
ieee
Radheshyam Dhakad
 
Prevention of SQL injection in E- Commerce
Prevention of SQL injection in E- CommercePrevention of SQL injection in E- Commerce
Prevention of SQL injection in E- Commerce
ijceronline
 
Asp net whitepaper
Asp net whitepaperAsp net whitepaper
Asp net whitepaper
Zayar Shwe
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive Algorithm
IOSR Journals
 
E017131924
E017131924E017131924
E017131924
IOSR Journals
 
Intrusion Detection and Marking Transactions in a Cloud of Databases Environm...
Intrusion Detection and Marking Transactions in a Cloud of Databases Environm...Intrusion Detection and Marking Transactions in a Cloud of Databases Environm...
Intrusion Detection and Marking Transactions in a Cloud of Databases Environm...
neirew J
 
INTRUSION DETECTION AND MARKING TRANSACTIONS IN A CLOUD OF DATABASES ENVIRONMENT
INTRUSION DETECTION AND MARKING TRANSACTIONS IN A CLOUD OF DATABASES ENVIRONMENTINTRUSION DETECTION AND MARKING TRANSACTIONS IN A CLOUD OF DATABASES ENVIRONMENT
INTRUSION DETECTION AND MARKING TRANSACTIONS IN A CLOUD OF DATABASES ENVIRONMENT
ijccsa
 
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
ijcisjournal
 
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
ijcisjournal
 
A hybrid technique for sql injection attacks detection and prevention
A hybrid technique for sql injection attacks detection and preventionA hybrid technique for sql injection attacks detection and prevention
A hybrid technique for sql injection attacks detection and prevention
IJDMS
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence Flaws
IJTET Journal
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
Respa Peter
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
Lucas Hendrich
 
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
Rana sing
 
Final review ppt
Final review pptFinal review ppt
Final review ppt
Rana sing
 
A Survey on Authorization Systems for Web Applications
A Survey on Authorization Systems for Web ApplicationsA Survey on Authorization Systems for Web Applications
A Survey on Authorization Systems for Web Applications
iosrjce
 
A017310105
A017310105A017310105
A017310105
IOSR Journals
 
A26001006
A26001006A26001006
A26001006
IJERA Editor
 
Attacks on web services need to secure xml on web
Attacks on web services need to secure xml on webAttacks on web services need to secure xml on web
Attacks on web services need to secure xml on web
cseij
 
Authentication and Authorization for User Roles and Device for Attack Detecti...
Authentication and Authorization for User Roles and Device for Attack Detecti...Authentication and Authorization for User Roles and Device for Attack Detecti...
Authentication and Authorization for User Roles and Device for Attack Detecti...
IRJET Journal
 
ieee
ieeeieee
ieee
Radheshyam Dhakad
 
Prevention of SQL injection in E- Commerce
Prevention of SQL injection in E- CommercePrevention of SQL injection in E- Commerce
Prevention of SQL injection in E- Commerce
ijceronline
 
Asp net whitepaper
Asp net whitepaperAsp net whitepaper
Asp net whitepaper
Zayar Shwe
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive Algorithm
IOSR Journals
 
E017131924
E017131924E017131924
E017131924
IOSR Journals
 
Intrusion Detection and Marking Transactions in a Cloud of Databases Environm...
Intrusion Detection and Marking Transactions in a Cloud of Databases Environm...Intrusion Detection and Marking Transactions in a Cloud of Databases Environm...
Intrusion Detection and Marking Transactions in a Cloud of Databases Environm...
neirew J
 
INTRUSION DETECTION AND MARKING TRANSACTIONS IN A CLOUD OF DATABASES ENVIRONMENT
INTRUSION DETECTION AND MARKING TRANSACTIONS IN A CLOUD OF DATABASES ENVIRONMENTINTRUSION DETECTION AND MARKING TRANSACTIONS IN A CLOUD OF DATABASES ENVIRONMENT
INTRUSION DETECTION AND MARKING TRANSACTIONS IN A CLOUD OF DATABASES ENVIRONMENT
ijccsa
 
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
ijcisjournal
 
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using...
ijcisjournal
 
A hybrid technique for sql injection attacks detection and prevention
A hybrid technique for sql injection attacks detection and preventionA hybrid technique for sql injection attacks detection and prevention
A hybrid technique for sql injection attacks detection and prevention
IJDMS
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence Flaws
IJTET Journal
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
Respa Peter
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
Lucas Hendrich
 
Ad

More from Chema Alonso (20)

CyberCamp 2015: Low Hanging Fruit
CyberCamp 2015: Low Hanging FruitCyberCamp 2015: Low Hanging Fruit
CyberCamp 2015: Low Hanging Fruit
Chema Alonso
 
Índice Pentesting con Kali 2.0
Índice Pentesting con Kali 2.0Índice Pentesting con Kali 2.0
Índice Pentesting con Kali 2.0
Chema Alonso
 
Configurar y utilizar Latch en Magento
Configurar y utilizar Latch en MagentoConfigurar y utilizar Latch en Magento
Configurar y utilizar Latch en Magento
Chema Alonso
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Chema Alonso
 
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
Chema Alonso
 
CritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajarCritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajar
Chema Alonso
 
Dorking & Pentesting with Tacyt
Dorking & Pentesting with TacytDorking & Pentesting with Tacyt
Dorking & Pentesting with Tacyt
Chema Alonso
 
Pentesting con PowerShell: Libro de 0xWord
Pentesting con PowerShell: Libro de 0xWordPentesting con PowerShell: Libro de 0xWord
Pentesting con PowerShell: Libro de 0xWord
Chema Alonso
 
Foca API v0.1
Foca API v0.1Foca API v0.1
Foca API v0.1
Chema Alonso
 
It's a Kind of Magic
It's a Kind of MagicIt's a Kind of Magic
It's a Kind of Magic
Chema Alonso
 
Ingenieros y hackers
Ingenieros y hackersIngenieros y hackers
Ingenieros y hackers
Chema Alonso
 
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Chema Alonso
 
Auditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase IIAuditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase II
Chema Alonso
 
El juego es el mismo
El juego es el mismoEl juego es el mismo
El juego es el mismo
Chema Alonso
 
El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?
Chema Alonso
 
Latch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digitalLatch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digital
Chema Alonso
 
Hacking con Python
Hacking con PythonHacking con Python
Hacking con Python
Chema Alonso
 
Shuabang Botnet
Shuabang BotnetShuabang Botnet
Shuabang Botnet
Chema Alonso
 
Tu iPhone es tan (in)seguro como tu Windows
Tu iPhone es tan (in)seguro como tu WindowsTu iPhone es tan (in)seguro como tu Windows
Tu iPhone es tan (in)seguro como tu Windows
Chema Alonso
 
Codemotion ES 2014: Love Always Takes Care & Humility
Codemotion ES 2014: Love Always Takes Care & HumilityCodemotion ES 2014: Love Always Takes Care & Humility
Codemotion ES 2014: Love Always Takes Care & Humility
Chema Alonso
 
CyberCamp 2015: Low Hanging Fruit
CyberCamp 2015: Low Hanging FruitCyberCamp 2015: Low Hanging Fruit
CyberCamp 2015: Low Hanging Fruit
Chema Alonso
 
Índice Pentesting con Kali 2.0
Índice Pentesting con Kali 2.0Índice Pentesting con Kali 2.0
Índice Pentesting con Kali 2.0
Chema Alonso
 
Configurar y utilizar Latch en Magento
Configurar y utilizar Latch en MagentoConfigurar y utilizar Latch en Magento
Configurar y utilizar Latch en Magento
Chema Alonso
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Chema Alonso
 
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
Chema Alonso
 
CritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajarCritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajar
Chema Alonso
 
Dorking & Pentesting with Tacyt
Dorking & Pentesting with TacytDorking & Pentesting with Tacyt
Dorking & Pentesting with Tacyt
Chema Alonso
 
Pentesting con PowerShell: Libro de 0xWord
Pentesting con PowerShell: Libro de 0xWordPentesting con PowerShell: Libro de 0xWord
Pentesting con PowerShell: Libro de 0xWord
Chema Alonso
 
Foca API v0.1
Foca API v0.1Foca API v0.1
Foca API v0.1
Chema Alonso
 
It's a Kind of Magic
It's a Kind of MagicIt's a Kind of Magic
It's a Kind of Magic
Chema Alonso
 
Ingenieros y hackers
Ingenieros y hackersIngenieros y hackers
Ingenieros y hackers
Chema Alonso
 
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Chema Alonso
 
Auditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase IIAuditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase II
Chema Alonso
 
El juego es el mismo
El juego es el mismoEl juego es el mismo
El juego es el mismo
Chema Alonso
 
El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?
Chema Alonso
 
Latch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digitalLatch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digital
Chema Alonso
 
Hacking con Python
Hacking con PythonHacking con Python
Hacking con Python
Chema Alonso
 
Shuabang Botnet
Shuabang BotnetShuabang Botnet
Shuabang Botnet
Chema Alonso
 
Tu iPhone es tan (in)seguro como tu Windows
Tu iPhone es tan (in)seguro como tu WindowsTu iPhone es tan (in)seguro como tu Windows
Tu iPhone es tan (in)seguro como tu Windows
Chema Alonso
 
Codemotion ES 2014: Love Always Takes Care & Humility
Codemotion ES 2014: Love Always Takes Care & HumilityCodemotion ES 2014: Love Always Takes Care & Humility
Codemotion ES 2014: Love Always Takes Care & Humility
Chema Alonso
 

Recently uploaded (20)

The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 

Connection String Parameter Pollution Attacks

  • 1. Connection String Parameter Pollution Attacks Chema Alonso1 , Manuel Fernandez1 , Alejandro Martín1 and Antonio Guzmán2 1 Informatica64, S.L. 2 Universidad Rey Juan Carlos 1 {chema,mfernandez,amartin}@informatica64.com, 2 [email protected] Abstract. In 2007 the ranking of the top ten critical vulnerabilities for the security of a system established code injection as the top 2, closely following top 1 XSS attacks. The first release candidate of the 2010 version of the ranking has promoted code injection attacks to top 1. Actually, the most critical attacks are those that combine XSS techniques to access systems and code injection techniques to access the information. The potential damage associated with this kind of threats, the total absence of background and the fact that the solution to mitigate these vulnerabilities must be worked together with programmers, systems administrators and database vendors justifies an in-depth analysis to estimate all the possible ways of implementing this technique. Keywords: Code injection attacks, connection strings, web application authentication delegation. 1 Introduction SQL injections are probably the most known injection attacks to web applications by abusing its database architecture. Many different approaches and techniques have been studied and analyzed so far, and the published results conclude that to prevent these attacks from being successful, development teams need to establish the correct filtering levels on the inputs to the system. In the case of the attack presented in this paper, responsibility lays not only on developers, but also on system administrators and database vendors. This attack affects web applications, but instead of abusing implementation flaws in the way database queries are crafted, which is the most commonly found scenario on other injection attacks, it abuses the way applications connect to the database. According to OWASP [1], in 2007 the ranking of the top ten critical vulnerabilities for the security of a system established code injection attacks as the top 2, closely following top 1 XSS attacks. The first release candidate of the 2010 version of the ranking has promoted code injection attacks to top 1. Actually, the most critical attacks are those that combine XSS techniques to access systems and code injection techniques to access the information. This is the case for the so-called connection string parameter pollution attacks. Potential impact of this type of vulnerability and the total absence of background justify an in-depth analysis to estimate all possible attack vectors using this technique.
  • 2. This paper is structured is in three main sections. The first is this short introduction where the foundations of the connection strings and existing mechanisms for the implementation of web applications authentication will be introduce. Section two proposes a comprehensive study of this new attack technique, with an extensive collection of test cases. The article concludes briefly summarizing the lessons learned. 1.1 Connections Strings Connection strings [2] are used to connect applications to database engines. The syntax used on these strings depends on the database engine to be connected to and on the provider or driver used by the programmer to establish the connection. One way or another, the programmer must specify the server and port to connect to, the database name, authentication credentials, and some connection configuration parameters, such as timeout, alternative databases, communication protocol or encryption options. The following example shows a common connection string used to connect to a Microsoft SQL Server database: “Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;” As the example shows, a connection string is a collection of parameters separated by semicolons (;), each parameter being a key-value pair. The attributes used in the example correspond to the ones used in the “.NET Framework Data Provider for SQL Server”, which is chosen by programmers when they use the “SqlConnection” class in their .NET applications. Obviously, it is possible to connect to SQL Server using different providers such as: - “.NET Framework Data Provider for OLE DB” (OleDbConnection) - “.NET Framework Data Provider for ODBC” (OdbcConnection) - “SQL Native Client 9.0 OLE DB provider” The most common and recommended way to connect a .NET based application and a SQL server, is to use the framework default provider, where the connection string syntax is the same regardless the different versions of SQL Server (7, 2000, 2005 and 2008). This is the one used in this article to illustrate the examples. 1.2 Web Application authentication delegation There are two ways of defining an authentication system for a web application: create an own credential system, or delegate it to the database engine. In most cases, the application developer chooses to use only one user to connect to the database. Seen from the database side, this database user represents the entire web application. Using this connection, the web application will make queries to a custom users table where the user credentials for the application are stored.
  • 3. Fig. 1. Common web application authentication architecture The web application is identified by a single database user with access to the entire application content in the database, thus it is impossible to implement a granular permission system in the database over the different object, or to trace the actions of each user in the web application, delegating these tasks to the web application itself. If an attacker is able to abuse some vulnerability in the application to access the database, the whole database will be exposed. This architecture is very common, and can be found in widely used CMS systems such as Joomla, Mambo and many others. Usually, the target of the attacker is to get the application users credentials from the users table in the database. The alternative consists in delegating the authentication to the database engine, so that the connection string does not contain a fixed set of credentials, but will use those entered by the application user and it is the database engine responsibility to check them. Database management applications always use this delegated authentication, so that the user connecting to the application will only be able to access and control those objects and actions for which he has permissions. With this architecture, it is possible to implement a granular permission system and to trace user actions in the database. Database engine Web application
  • 4. Fig. 2. Web application delegated authentication architecture. Both methods offer different advantages and disadvantages, apart from the ones already mentioned, which are outside the scope of this article. The techniques described in this paper will focus on the second environment: web applications with delegated authentication to the database engine. 2 Connection String Injection In a delegated authentication environment connection string injection techniques allow an attacker to inject parameters by appending them with the semicolon (;) character. In an example where the user is asked to enter a username and a password to create a connection string, an attacker can void the encrypting system by entering a password such as "pwd; Encryption=off", resulting in a connection string like: “Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off” When the connection string is populated, the Encryption value will be added to the previously configured set of parameters.
  • 5. 2.1 Connection String Builder in .NET Aware of this exploitation [3] of the connection strings, Microsoft included the “ConnectionStringBuilder” [4] classes on it's version 2.0 of the Framework. They are meant to create secure connection strings through the base class (DbConnectionStringBuilder) or through the specific classes for the different providers (SqlConnectionStringBuilder, OleDbConnectionStringBuilder, etc…), and they achieve this by allowing just key-value pairs for attributes and by escaping injection attempts. The use of these classes when creating a connection string would prevent the injections. However, not every developer or application uses them. 2.2 Connection String Parameter Pollution Parameter pollution techniques are used to override values on parameters. They are well known in the HTTP [5] environment but they are also applicable to other environments. In this example, parameter pollution techniques can be applied to parameters in the connection string, allowing several attacks. 2.3 Connection String Parameter Pollution (CSPP) Attacks As an example scenario to illustrate these attacks, a web application where a user [User_Value] and a password [Password_Value] are required is served by a Microsoft Internet Information Services web server running on a Microsoft Windows Server. The application user credentials are going to be used to create a connection string to a Microsoft SQL Server database as follows: Data source = SQL2005; initial catalog = db1; integrated security=no; user id=+’User_Value’+; Password=+’Password_Value’+; This connection string shows how the application is connecting to a Microsoft SQL Server database engine. Knowing this, and attacker can perform a Connection String Parameter Pollution Attack. The idea of this attack is to add a parameter to the connection string with the desired value, regardless of if it already was in the string or the value with which was set up. The component used by .NET applications to craft the connection string will use the value of the last occurrence of the parameter in the connection string. If the connection string has two parameters which key is "Data Source", the value used will be the one of the last of the two pairs, which allows the following CSPP attack vectors: 2.3.1 CSPP Attack 1: Hash stealing An attacker can place a Rogue Microsoft SQL Server connected to the Internet with a Microsoft SQL Server credential sniffer listening (In this exsmple CAIN [6] has been used). An attacker would perform a CSPP attack as follows: User_Value: ; Data Source = Rogue_Server
  • 6. Password_Value: ; Integrated Security = true Resulting in the following connecting string: Data source = SQL2005; initial catalog = db1; integrated security=no; user id=;Data Source=Rogue Server; Password=; Integrated Security=true; The "Data Source" and "Integrated Security" parameters are being overridden so that the Microsoft SQL Server native drivers will use the last set of values ignoring the previous ones, and the application will try to connect to Rogue_Server with the Windows credentials it's running on, which can be either a system user or an application pool user. 2.3.1.1 Example 1: ASP.NET Enterprise Manager This tool is an abandoned and unsupported Open Source tool, but still being used by some hosting companies and some organizations to manage Microsoft SQL Server databases via a web interface. The official web site, which used to be aspnetenterprisemanager.com, is today abandoned, but the tool can be obtained from several other web sites like SourceForge [7] or MyOpenSource [8]. This tool is being recommended in a lot of forums as a good ASP.NET alternative to PHPMyAdmin [9], even though the last version was published on the 3rd of January of 2003. Fig. 3. CSPP in ASP.NET Enterprise Manager to steal the account information The results are collected on the rogue server where the database connection sniffer has been installed giving access to the LM Hash of the account.
  • 7. Fig. 4. Hash collected in the rogue server with Cain 2.3.2 CSPP Attack 2: Port scanning One of the valid parameters on a connection string is the port to connect to. An attacker can abuse an application vulnerable to this technique to network scan servers by trying to connect to different ports and see the error messages obtained: User_Value: ; Data Source =Target_Server, Target_Port Password_Value: ; Integrated Security = true This injection attack will result in the following connection string: Data source = SQL2005; initial catalog = db1; integrated security=no; user id=;Data Source=Target Server, Target Port; Password=; Integrated Security=true; This connection string will ignore the first instance of the first "Data Source" parameter and will use the last one, meaning that the web application is going to try to connect to "Target Port" port on the "Target Server" machine. Observing the differences in the returned error messages, a port scan can be performed. 2.3.2.1 Example 2: myLittleAdmin and myLittleBackup The tools myLittleAdmin [10] and myLittleBackup [11] are commercial tools developed by myLittleTools [12]. Both tools are vulnerable to CSPP attacks up to versions myLittleAdmin 3.5 and myLittleBackup 1.6.
  • 8. Fig. 5. A connection can be established through port 80 to www.gooogle.com As shown in Fig. 5, when the port is listening (open) the error message obtained says that no Microsoft SQL Server is listening on it, but a TCP connection was established. Fig. 6. A connection cannot be established through the XX port to www.google.com When the port is closed, a TCP connection could not be completed and the error message is different. Using these error messages a complete TCP port scan can be run against a server. Of course, this technique can also be used to discover internal servers within the DMZ where the web application is hosted.
  • 9. 2.3.3 CSPP Attack 3: Hijacking Web credentials This time the attacker tries to connect to the database by using the web application system account instead of a user provided set of credentials: User_Value: ; Data Source =Target_Server Password_Value: ; Integrated Security = true These injected values will result in the following connection string: Data source = SQL2005; initial catalog = db1; integrated security=no; user id=;Data Source=Target Server, Target Port; Password=; Integrated Security=true; This time is the "integrated security" parameter what is being overwritten with a "True" value. This means that the system will try to connect to the database with the system account which the tool is running with. In this case this is the system account used by the web application in the web server. 2.3.3.1 Example 3: SQL Server Web Data Administrator This tool is a project, originally developed by Microsoft, which was made free as an Open Project. Today, it is still possible to download the last version that Microsoft released on 2004 from Microsoft Servers [13] but the latest one, released on 2007, is hosted in the Codeplex web site [14]. The version hosted in Codeplex is secure to this type of attacks because it is using the ConnectionStringBuilder classes to dynamically construct the connection string. The version published on the Microsoft web site is vulnerable to CSPP attacks. The following screenshots show how it is possible to get access to the system using this type of attack. Fig. 7. Exploiting the credentials at the WEB Data Administrator In Fig. 7, the password value is: “; integrated Security=true”, as described previously.
  • 10. Fig. 8. Console access with the server account The attacker can log into the web application to manage the whole system. As shown in Fig. 9, this is because all users and network services have access to the server. Fig. 9. System account access grant. 2.3.3.2 Example 4: myLittleAdmin and myLittleBackup In mylittleAdmin and myLittlebackup tools, it is possible to check out the connection string used to get the access. Looking at it, the parameter pollution injected in order to obtain access to the system can be clearly seen.
  • 11. Fig. 10. CSPP in myLittleAdmin. Fig. 10 shows how the "Data Source" parameter, after the "User ID" parameter, has been injected with the localhost value. This parameter, "Data Source", is also the first one of the connection string. Their values are different but the one that is being used is the last one, i.e. the injected one. Same happens with the "Integrated Security" parameter that appears initially with the no value but then is overriden by the one injected in the password value with value yes, resulting in a total access to the server with the system account the web application is running as. Fig. 11. Querying the master..sysusers table. 2.3.3.3 Example 5: ASP.NET Enterprise Manager
  • 12. The same attack also works on the latest public version of the ASP.NET Enterprise manager, so, as can be seen in the following login form, an attacker can perform the CSPP injection to get access to the web application. Fig. 12. CSPP in ASP.NET Enterprise Manager login form. And as a result of it, full access can be obtained, just as can be seen in the following screenshot. Fig. 13. Administration console in ASP.NET Enterprise Manager. 3 Conclusions All these examples show the importance of filtering any user input in web applications. Moreover, these examples are a clear proof of the importance of maintaining the software updated. Microsoft released ConnectionStringbuilder in
  • 13. order to avoid these kinds of attacks, but not all projects were updated to use these new and secure components. These techniques also apply to other database engines such as Oracle databases, which allow administrators to set up Integrated security into the database. Besides, in Oracle connection strings it is possible to change the way a user gets connected by forcing the use of a sysdba session. MySQL databases do not allow administrators to configure an Integrated Security authentication process. However, it is still possible to inject code and manipulate connection strings to try to connect against internal servers not exposed to the Internet. In order to avoid these attacks the semicolon character must be filtered out, all the parameters sanitized, and the firewall be hardened in order to filter not only inbound connections but also prevent outbound connections from internal servers that are sending NTLM credentials to the internet. Databases administrator should also apply a hardening process in the database engine to restrict access by a minimum privilege policy. References 1. The Open Web Application Security Project, http://www.owasp.org 2. Connection Strings.com: http://www.connectionstrings.com 3. Ryan, W.: Using the SqlConnectionStringBuilder to guard against Connection String Injection Attacks, http://msmvps.com/blogs/williamryan/archive/2006/01/15/81115.aspx 4. Connection String Builder (ADO.NET), http://msdn.microsoft.com/en-us/library/ms254947.aspx 5. Carettoni L., di Paola S.: HTTP Parameter Pollution, http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf 6. Cain: http://www.oxid.it/cain.html 7. ASP.NET Enterprise Manager in SourceForge, http://sourceforge.net/projects/asp-ent-man/ 8. ASP.NET Enterprise Manager in MyOpenSource: http://www.myopensource.org/internet/asp.net+enterprise+manager/download-review 9. PHPMyAdmin: http://www.phpmyadmin.net/ 10. myLittleAdmin: http://www.mylittleadmin.com 11. myLittleBackup: http://www.mylittlebackup.com 12. myLittleTools: http://www.mylittletools.net 13. Microsoft SQL Server Web Data Administrator: http://www.microsoft.com/downloads/details.aspx?FamilyID=c039a798-c57a-419e-acbc- 2a332cb7f959&displaylang=en 14. Microsoft SQL Server Web Data Administrator in Codeplex project: http://www.codeplex.com/SqlWebAdmin