At Black Hat DC, security researchers present a way to hack the connection between Web applications and the database, a method they call connection string parameter pollution.
Two security researchers unveiled a new attack at Black Hat DC that
targets the connection between Web applications and databases.
Independent researcher Jose Palazon and Chema Alonso of security vendor
Informatica64 presented their finding, which they called a CSPP (connection string
parameter pollution) attack, at the Black Hat DC
conference held Jan. 31 to Feb. 3. The attack exploits insecure dynamic
connection strings between
databases and Web applications
and potentially allows hackers to swipe user
credentials and manipulate how the application should be authenticated.
"It is very common in Web control panels created to manage databases
but also in some applications using the connection string as an authentication
mechanism; in those environments Web application users are database users,"
Alonso explained. "In that kind of application, if one or some of the
parameters needed to construct the connection string are introduced by the
user, and there is no a good security filter on them, then it's possible to
inject new parameters or to overwrite the value of any of them in the
A hacker can use this attack to point the Web application to any server and
scan all DMZ servers or perform port scanning against any machine, he
"Of course, if the attacker has valid credentials [he or she] then can
connect the Web application to another internal, forgotten, test, or whatever
database in the DMZ ... [or] try different tricks, like adding the integrated
security parameter and [trying] to get connected using the system account
that the Web application is running on, or simply just to steal its hash."
The duo tested the attack against several products, including MyLittleAdmin
and ASP.NET Enterprise Manager, and notified
vendors of their findings.
Connection string attacks are very similar to SQL injections in that they
rely on a lack of good security filtering, Alonso explained. Stating that it is
even easier for an attacker to exploit a connection string vulnerability than a
SQL injection bug, he added that developers
need to take the issue seriously.
"It's important to filter all the user input, but also replace the old
[database] connection components in .NET to
use the not-so-new ConnectionStringBuilder," Alonso said. "This
object is available in .NET 2.0 and it's
secure against these types of attacks."
With that in mind, the two created a free scanner to help security staff
test enterprise account policies for Web servers and application pools.
"This tool looks for SQL Servers and then tries to get connected using
the integrated security set on true," he said. "This means the ASPX
is going to try to get access using the system's account [that] the application
is running on. If the company's account policy hasn't been hardened, then [it
can] probably get a connection to some database."
The scanner is available