been avoided.

Introduction

The partner event registration page of the Microsoft UK events website has been defaced by a hacker who managed to discover and exploit a web application vulnerability in one of the parameters used by the form on the website, which could previously be accessed at: http://www.microsoft.co.uk/events/net/eventdetail.aspx?eventid=8399 [taken offline]

The hacker, known by the name "rEmOtEr", managed to deface Microsoft's page by taking advantage of an SQL Injection vulnerability in one of the parameters used by the form that was embedded in the URL of the page. This particular parameter was not being filtered, thus it allowed the hacker to pass any type of crafted code directly to the database being used by this form. In addition, the hacker managed to discover table names and columns (data fields) inside the database that were being retrieved and shown on the page; this means that any text, or even code, that was inserted inside this column was then displayed on the page.

Tasks performed by the hacker to view database passwords

The following is a short reconstruction of some of the steps performed by the hacker to discover and exploit the SQL Injection vulnerability in the registration form, allowing him to view stored usernames and passwords in the system:

1. The parameters of the form were filled in with unusual characters (such as ' and --) to see the reaction of the web site. These characters are usually filtered out because they are used in SQL as special commands to talk to a database. The parameters checked included:

   - Visible inputs (textboxes, dropdown lists, etc.) in the form (POST method)
   - Hidden inputs from the HTML source code of the page (POST method)
   - Parameters used in the URL (GET method)

2. The URL of the website in this case makes use of the two interesting parameters eventID and v2: http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1 Trying to manipulate the parameter v2, for example by adding an apostrophe to it, gave the following response from the website: http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1'

   Upon seeing this error, two things can be confirmed:

   - Server-side error messages are ENABLED on the web server. These are usually enabled only during development and testing so that any bugs, or in this case vulnerabilities, are discovered before going live. When the website goes live, server-side error messages are usually disabled so that no sensitive information is provided online.
   - The parameter v2 is NOT being filtered for malicious characters/code. This means that whatever this parameter contains, it will be passed to the SQL Server being used without any filtering.

3. The SQL Command 1 having 1=1-- was sent with the v2 parameter, where it was appended to the main SQL Query sent to the database: http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1 having 1=1-- This added a condition to the SQL Query which is always true (1=1), and in this case it confused the SQL Server because of a GROUP BY command, producing a long SQL error. This error revealed a lot of important information about the underlying database. The table name MultivenueLists and some column names such as recordID and venueStatus were revealed, from which the hacker understood more about the structure of the database. (Note: In Structured Query Language (SQL) columns are referred to with the notation TABLE(dot)COLUMN, which is why the columns are shown like MultivenueLists.recordID.)

4. The hacker obtained more valuable information directly from the database by playing around with the SQL Commands passed through this parameter, through trial and error. He was helped further by the error messages being displayed on the page. The result? More database details were revealed, which were used by the hacker to further extract and change data stored inside this database.

5. Once the hacker got to know the names of tables and columns, he injected some text inside a specific column by adding a statement such as 1 update MultivenueLists set venueStartDate='hacked by rEmOtEr' to the input of the v2 parameter in the URL: http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1 update MultivenueLists set venueStartDate='hacked by rEmOtEr' The resulting page does not give an error this time, but the text just inserted into the database is displayed on the page.

6. Using the UNION SELECT statement, the hacker managed to obtain a list of usernames and passwords from the system by guessing the names of two columns (username and password) and one table (users). This was the SQL Command used for the v2 parameter to obtain the usernames: http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=-1 union select 1,...,username,...,7 from users-- This was the SQL Command used for the v2 parameter to obtain the passwords: http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=-1 union select 1,...,password,...,7 from users-- Using a combination of queries with userID the hacker was able to determine which password belongs to which username.
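The defect the reconstruction above turns on, and the two conditions the paper later names as its causes (a parameter concatenated into the query unfiltered, and verbose database errors returned to the browser), shown beside the hardened form, as an added example that is not part of the original paper. It uses Python with an in-memory SQLite database in place of the site's SQL Server; the table and column names come from the paper, while the row contents, the function names and the two-column UNION shape are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the site's database: table and column names follow
# the write-up, the row contents are made up here.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE MultivenueLists (recordID INTEGER, venueStatus TEXT, venueStartDate TEXT);
        INSERT INTO MultivenueLists VALUES (1, 'open', '2007-06-01');
        CREATE TABLE users (userID INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-secret');
    """)
    return conn

def lookup_vulnerable(conn, v2):
    """The defect described in the paper: v2 is concatenated into the query
    unfiltered, and the raw database error text goes back to the caller."""
    sql = ("SELECT venueStatus, venueStartDate FROM MultivenueLists "
           "WHERE recordID = " + v2)
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}   # leaks engine/schema detail

def lookup_safe(conn, v2):
    """Hardened form: accept only a plain integer, bind it as a parameter so it
    can never alter the statement, and return a generic error (the equivalent
    of disabling server-side error messages in production)."""
    if not v2.isdigit():
        return {"rows": [], "error": "invalid request"}
    sql = "SELECT venueStatus, venueStartDate FROM MultivenueLists WHERE recordID = ?"
    try:
        return {"rows": conn.execute(sql, (int(v2),)).fetchall(), "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "invalid request"}

# Two of the probes reconstructed in the paper; the HAVING/GROUP BY probe relies
# on SQL Server's error text and is not reproduced here.
PROBE_QUOTE = "1'"
PROBE_UNION = "-1 union select username, password from users--"

def demo():
    conn = make_db()
    return {
        "vuln_quote": lookup_vulnerable(conn, PROBE_QUOTE),   # verbose error leaks
        "vuln_union": lookup_vulnerable(conn, PROBE_UNION),   # credentials returned
        "safe_quote": lookup_safe(conn, PROBE_QUOTE),         # rejected, generic error
        "safe_union": lookup_safe(conn, PROBE_UNION),         # rejected, generic error
        "safe_ok": lookup_safe(conn, "1"),                    # legitimate lookup works
    }
```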
Tasks performed by the hacker to deface the page

The following is a short reconstruction of some of the steps performed by the hacker to discover and exploit the SQL Injection in the registration form:

Once the hacker knew enough about how to inject his own code into the website's database, he prepared a simple HTML page on a third party remote host to be used for the attack. Using similar commands as those used to display his own text on the page, the hacker inserted the following URL of the HTML website hosted at the third party remote host: <link xhref=http://h.1asphost.com/remoter/css.css type=text/css rel=stylesheet>

The form page on the Microsoft site is created in such a way that it loads a specific text from the database when a user browses the page (typical of CMS systems). Since this text had been replaced by the xhref link above by the hacker, this took over the entire look of the page by loading the contents from the external host. This is what the web page looked like as a result of this defacement.

What led to this defacement?

There was a combination of two things that led to this defacement happening, apart from a hacker willing to take a shot at a form hosted on a Microsoft website.

SQL Injection
One of the parameters in the URL was being sent directly to the database without being properly filtered first. This provided a channel for the hacker to talk directly to the database with the exact same rights as the connection between the web server and the database server.

Error Messages
From the enabled SQL error messages on the website, the hacker could get an idea of how the database was structured. This helped him refine an SQL command so that the database processed the instructions to insert the defacement code into the database and deface the site.

How could it have been prevented?

The best way to prevent being hacked is to regularly check your website for vulnerabilities that can be exploited by hackers. The hacked page on the Microsoft site was just a small part of a much larger website which was overlooked, a common result of manual security auditing. This SQL injection vulnerability could have been detected and fixed before the page went live.

How to keep your website secure

The larger the website, the more complex it is to regularly check for vulnerabilities on each page. This complexity can be overcome with the use of an automated web application scanner such as Acunetix Web Vulnerability Scanner. Using such a powerful, yet easy to operate tool, you are able to scan every parameter on each and every form on your website for hundreds of vulnerabilities in a fully automated way. This would of course cut down on the complexity and time required to perform a security audit on your website. The use of an automated web application scanner also means that whoever performs the audit does not require any technical knowledge about web vulnerabilities, and instead only needs to run the application to scan the website and produce a vulnerability report.

About Acunetix Web Vulnerability Scanner
More White Papers: SQL & PHP Security by Andrew J. Bennieston