Two security researchers unveiled a new attack at Black Hat DC that targets the connection between Web applications and databases.
Independent researcher Jose Palazon and Chema Alonso of security vendor Informatica64 presented their finding, which they called a CSPP (connection string parameter pollution) attack, at the Black Hat DC conference held Jan. 31 to Feb. 3. The attack exploits insecure dynamic connection strings between databases and Web applications and potentially allows hackers to swipe user credentials and manipulate how the application should be authenticated.
“It is very common in Web control panels created to manage databases but also in some applications using the connection string as an authentication mechanism; in those environments Web application users are database users,” Alonso explained. “In that kind of application, if one or some of the parameters needed to construct the connection string are introduced by the user, and there is not a good security filter on them, then it’s possible to inject new parameters or to overwrite the value of any of them in the connection string.”
A hacker can use this attack to point the Web application to any server and scan all DMZ servers or perform port scanning against any machine, he explained.
“Of course, if the attacker has valid credentials [he or she] then can connect the Web application to another internal, forgotten, test, or whatever database in the DMZ … [or] try different tricks, like adding the integrated security parameter and [trying] to get connected using the system account that the Web application is running on, or simply just to steal its hash.”
The duo tested the attack against several products, including MyLittleAdmin and ASP.NET Enterprise Manager, and notified vendors of their findings.
Connection string attacks are very similar to SQL injections in that they rely on a lack of good security filtering, Alonso explained. Stating that it is even easier for an attacker to exploit a connection string vulnerability than a SQL injection bug, he added that developers need to take the issue seriously.
“It’s important to filter all the user input, but also replace the old [database] connection components in .NET to use the not-so-new ConnectionStringBuilder,” Alonso said. “This object is available in .NET 2.0 and it’s secure against these types of attacks.”
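To make the recommended fix concrete, here is an added C# illustration (not the researchers' code or tool): the same login fields are assembled once by string concatenation, as the vulnerable control panels do, and once through .NET's SqlConnectionStringBuilder, which quotes any value containing a separator so it cannot add or override a keyword. The method names, the "app" catalog and the server allowlist are assumptions for the demo.

```csharp
using System;
using System.Data.SqlClient;

static class ConnectionStringDemo
{
    // Vulnerable pattern: raw concatenation. A ';' inside user input starts a new
    // keyword, so extra parameters (e.g. Integrated Security, Data Source) can be
    // injected, and for duplicate keys the last occurrence wins.
    public static string BuildUnsafe(string server, string user, string password)
    {
        return "Data Source=" + server + ";Initial Catalog=app;User ID=" + user
             + ";Password=" + password + ";";
    }

    // Hardened pattern: SqlConnectionStringBuilder (available since .NET 2.0).
    // Each property is one value; separators inside it are quoted, not parsed.
    public static string BuildSafe(string server, string user, string password)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = "app",
            UserID = user,
            Password = password,
            IntegratedSecurity = false   // fixed by the application, never by input
        };
        return b.ConnectionString;
    }

    // Defensive check: re-parse the final string and verify it still targets an
    // approved server with SQL credentials, so a polluted string is rejected
    // before any connection is opened.
    public static bool IsSafeToUse(string connectionString, string[] allowedServers)
    {
        var parsed = new SqlConnectionStringBuilder(connectionString);
        return !parsed.IntegratedSecurity
            && Array.IndexOf(allowedServers, parsed.DataSource) >= 0;
    }

    static void Main()
    {
        string[] allowed = { "dbhost" };           // constructed sample allowlist
        string input = "secret;Integrated Security=true"; // constructed polluted field
        Console.WriteLine(IsSafeToUse(BuildUnsafe("dbhost", "alice", input), allowed));
        Console.WriteLine(IsSafeToUse(BuildSafe("dbhost", "alice", input), allowed));
    }
}
```

The first check fails because the concatenated string gained an Integrated Security keyword; the second passes because the builder kept the whole field as the password value.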
With that in mind, the two created a free scanner to help security staff test enterprise account policies for Web servers and application pools.
“This tool looks for SQL Servers and then tries to get connected using the integrated security set on true,” he said. “This means the ASPX is going to try to get access using the system’s account [that] the application is running on. If the company’s account policy hasn’t been hardened, then [it can] probably get a connection to some database.”
The scanner is available here.