It might be surprising to many project & product managers that exploiting web applications does not necessarily require expert knowledge. Attacks are often perpetrated by hobbyists with very simple means. Here are two recent examples.
Attack I: SQL injection at Telegraph results in 700,000 emails stolen
The Attack - On March 6th, 2009, a hacker used blind SQL injection to penetrate the web site of The Telegraph, a leading English daily paper. Based on reports, he or she was able to gain access to about 700,000 email addresses in the site’s database. Telegraph’s response can be found on their blog.
Some Background – SQL statements are generally used to retrieve, update and delete data in a web application’s database. This is normally done behind the scenes, and the results are displayed to a user based on their authority level. This means that the data is protected and access is granted on a selective basis.
Attack Explanation - Many web applications provide some form of search capability where users can supply their own filter on the data the application displays, for example a filter to see only the records posted in 2009. If the application is not secure, a hacker can potentially exploit this functionality. Rather than supplying a value to filter upon, he might provide a fragment of SQL that is then injected into the SQL statement the application uses to retrieve data.
Attack Example – Let’s assume a user only has access to the records of his department and, to filter through the records, he enters some criteria. He wants to see the latest records, so he enters 2009 in the year range.
The application might attempt to execute the following statement against the database: SELECT * FROM … WHERE … AND Year = 2009
A hacker, on the other hand, might try to trick the application and enter the following into that same year range field: 2009 OR 1=1
The application, if not careful, might then execute the following statement against the database: SELECT * FROM … WHERE … AND Year = 2009 OR 1=1
Because OR 1=1 is always true, this would potentially give the user access to all the records in the system, including the ones they should not be allowed to see.
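The following is an added example, not code from the original article, showing the two ways the year filter above can reach the database. The table name, column names and sample rows are constructed assumptions (the article elides them with "…"). The vulnerable function pastes the filter into the SQL text, so the value 2009 OR 1=1 widens the WHERE clause exactly as described; the hardened function checks that the filter is a whole number and then binds it as a query parameter, so the database never interprets it as SQL.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample data: two departments, two years."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, department TEXT, "
        "year INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO records (department, year, body) VALUES (?, ?, ?)",
        [
            ("sales", 2009, "sales report 2009"),
            ("sales", 2008, "sales report 2008"),
            ("finance", 2009, "finance report 2009"),
            ("finance", 2008, "finance report 2008"),
        ],
    )
    return conn


def vulnerable_search(conn, department, year_filter):
    """The pattern the article describes: the user's filter text becomes part
    of the SQL statement, so it can extend the WHERE clause."""
    sql = (
        "SELECT id, department, year FROM records "
        f"WHERE department = '{department}' AND year = {year_filter}"
    )
    return conn.execute(sql).fetchall()


def safe_search(conn, department, year_filter):
    """Hardened version: validate that the filter is an integer year, then
    pass it as a bound parameter instead of splicing it into the SQL text."""
    try:
        year = int(year_filter)
    except (TypeError, ValueError):
        raise ValueError("year filter must be a whole number")
    sql = "SELECT id, department, year FROM records WHERE department = ? AND year = ?"
    return conn.execute(sql, (department, year)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("normal filter   :", vulnerable_search(db, "sales", "2009"))
    print("injected filter :", vulnerable_search(db, "sales", "2009 OR 1=1"))
    print("hardened, normal:", safe_search(db, "sales", "2009"))
    try:
        safe_search(db, "sales", "2009 OR 1=1")
    except ValueError as exc:
        print("hardened, injected: rejected,", exc)
```

With the sample data the vulnerable query returns one row for a plain year and all four rows, across both departments, for the injected value; the hardened query returns the same single row for a plain year and refuses the injected value before it reaches the database. The parameter binding alone would also neutralise the injection, but validating the type first gives the user a clear error and keeps malformed input out of the logs.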
Attack II: Authentication Security Holes at Sage
The Attack – Sage, a leading provider of accounting software in the UK, was about to launch Sage Live, a small business accounting product offered as SaaS (software as a service). However, according to ZDNet, Sage Live went dead after serious security flaws were exposed in the product. The flaws were exposed by the founder of a tiny rival. Duane Jackson, CEO of UK-based KashFlow, described what he found on his blog: “A little bit of prodding around the site and I found myself looking at… pages that only authorized people should be seeing.”
Attack Explanation - Users navigate to and through web applications by going from one URL address to another, much like postal addresses point to residential homes and businesses. As a result, users can easily change the URL and its parameters, which can lead them to pages and information they would not ordinarily be allowed to view.
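As an added example (not code from the article or from Sage), here is the server-side check that prevents the URL-editing problem described above. The record store, the user model and the URL shape /records?id=101 are constructed assumptions. The point is that who may see a record is decided from the authenticated session on every request, never from anything the user can type into the address bar.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class User:
    """The authenticated user, taken from the server-side session."""
    name: str
    department: str


# Constructed sample records, keyed by the id that would appear in the URL.
RECORDS = {
    101: {"department": "sales", "title": "Q1 pipeline"},
    102: {"department": "finance", "title": "Q1 ledger"},
}


def lookup_without_check(record_id):
    """The weak pattern: whoever asks for a record id gets it. Changing the
    id in the URL is enough to read another department's data."""
    return RECORDS.get(record_id)


def handle_request(user, url):
    """Minimal handler for URLs like /records?id=101.

    Returns an HTTP-style (status, body) pair. Every branch that hands back
    data first confirms the session user is entitled to that record."""
    parts = urlsplit(url)
    if parts.path != "/records":
        return 404, None
    ids = parse_qs(parts.query).get("id", [])
    # Reject missing, repeated or non-numeric ids before touching the store.
    if len(ids) != 1 or not ids[0].isdigit():
        return 400, None
    record = RECORDS.get(int(ids[0]))
    if record is None:
        return 404, None
    # Authorization is derived from the session, not from the URL.
    if record["department"] != user.department:
        return 403, None
    return 200, record


if __name__ == "__main__":
    alice = User("alice", "sales")
    print(handle_request(alice, "/records?id=101"))   # (200, {...})
    print(handle_request(alice, "/records?id=102"))   # (403, None)
    print(handle_request(alice, "/records?id=999"))   # (404, None)
    print(handle_request(alice, "/records?id=abc"))   # (400, None)
```

The handler returns 403 for a record that exists but belongs to another department; some applications prefer to return 404 in that case so that a URL edit does not confirm which ids exist, and either choice is fine as long as the decision is made on the server from the session user.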