Tuesday, August 16, 2011

GFIRST - Hacking Web Applications (Review)

Hacking Web Applications was a live action presentation that was given by McAfee. One of the first things that was discussed was the order of prominence for specific types of data that are attacked.

39% - structured data
34% - applications/web applications
16% - other
11% - unstructured data such as file servers

Resources like databases are more vulnerable because although they are structured, their configurations can vary greatly. They are like molding pottery and although may be simiar to others, they are each unique.

After years of user education, people still use very weak and insecure passwords. A recent study of 32 million passwords revealed that the three most popular passwords (in order) were:


There are traits and vectors of attacks that bear the highest value and return for the attacker.

These common elements include:

    High profile positions in a company such as a CFO, CIO, and CEOs
    Industries such as Oil and gas companies
    Common old unpatched vulnerabilities such as SQL injection
    Attacks come from "known malicious" sources such as China

The attack that was looked at was a SQLi (SQL injection) attack. A SQL injection (SQLi) attack is one that exploits the vulnerabilities in a web server database. These vulnerabilities allow the attacker to gain access to the database and give him/her the ability to read/extract, modify, or delete information.

It's interesting to note that SQL injection attacks are an old and preventable attack that essentially allow the successful attacker to control the database in question.

There are many different ways to formulate the attack, the most basic is to make the condition of the fields of a web form to be validated as being true statements.

Normally, when you go to a form and enter the information, that information is validated against the backend database and if shown to be true, returns a subsequent set of information.

In the most basic form of SQLi, information is inputted in a form that makes the database see the statement as true, thus providing access to the information.

When a condition is successfully met such as with entering  1' or '1'='1 in the user name field, the first record (user name) is returned. More on this in a subsequent post on SQLi

Mitigations of the attacks comes from validation, blacklisting and whitelisting of accounts, domains and countries.

No comments:

Post a Comment