Securing ASP.NET Applications
page 2 of 5
by Gil Shabat

Attacks Are Easier Than You Might Think

It might be surprising to many project & product managers that exploiting web applications does not necessarily require expert knowledge. Attacks are often perpetrated by hobbyists with very simple means. Here are two recent examples.

Attack I: SQL injection at Telegraph results in 700,000 emails stolen

The Attack - On March 6th, 2009, a hacker used blind SQL injection to penetrate the web site of The Telegraph, a leading English daily paper. Based on reports, he or she was able to gain access to about 700,000 email addresses in the site’s database. Telegraph’s response can be found on their blog.

Some Background – SQL statements are used to retrieve, update and delete data in a web application’s database. This normally happens behind the scenes, and the results shown to a user depend on their authority level. In other words, the data is protected and access is granted on a selective basis.

Attack Explanation - Many web applications provide some form of search capability where users supply their own filter on the data the application displays, for example a filter to see only the records posted in 2009. If the application is not secure, a hacker can exploit this functionality: rather than supplying a value to filter upon, he supplies a fragment of SQL that is then injected into the statement the application uses to retrieve data.

Attack Example – Let’s assume a user only has access to the records of his department and, to filter through those records, he enters some criteria. He wants to see the latest records, so he enters 2009 in the year range.

The application might attempt to execute the following statement against the database: SELECT * FROM … WHERE … AND Year = 2009

A hacker on the other hand, might try to trick the application and enter the following into that same year range field: 2009 OR 1=1

The application, if not careful, might then execute the following statement against the database: SELECT * FROM … WHERE … AND Year = 2009 OR 1=1

Because OR binds more loosely than AND, the condition 1=1 is true for every row, so this statement would potentially give the user access to all the records in the system, even the ones they shouldn’t be able to see.
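The year-filter attack above, as an added example that is not part of the original article: it uses Python’s sqlite3 module with a constructed in-memory table and shows the concatenated statement returning every department’s rows for the input `2009 OR 1=1`, while a validated, parameterized query (the equivalent of SqlCommand parameters in ADO.NET) rejects it.

```python
import sqlite3

# Constructed sample data: two departments, records from several years.
SAMPLE_RECORDS = [
    ("sales", 2008, "Q4 forecast"),
    ("sales", 2009, "Q1 pipeline"),
    ("hr", 2009, "Salary review"),
    ("hr", 2009, "Disciplinary case"),
]


def make_db():
    """Create an in-memory database holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (department TEXT, year INTEGER, title TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_RECORDS)
    return conn


def search_vulnerable(conn, department, year_input):
    """Builds the statement by string concatenation, as the article describes.

    The user's text becomes part of the SQL, so '2009 OR 1=1' turns the
    WHERE clause into '(... AND year = 2009) OR 1=1', which matches every row.
    """
    sql = ("SELECT title FROM records WHERE department = '" + department
           + "' AND year = " + year_input)
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, department, year_input):
    """Validates the filter and binds it as a parameter.

    A bound parameter is always treated as a value, never as SQL text, and
    the whole-number check rejects anything that is not a plausible year.
    """
    if not year_input.strip().isdigit():
        raise ValueError("year filter must be a whole number")
    sql = "SELECT title FROM records WHERE department = ? AND year = ?"
    return [row[0] for row in conn.execute(sql, (department, int(year_input)))]


if __name__ == "__main__":
    db = make_db()
    print("honest search:", search_vulnerable(db, "sales", "2009"))
    print("injected search:", search_vulnerable(db, "sales", "2009 OR 1=1"))
    print("safe search:", search_safe(db, "sales", "2009"))
```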

Attack II: Authentication Security Holes at Sage

The Attack – Sage, a leading provider of accounting software in the UK, was about to launch Sage Live, a small business accounting product offered as SaaS (software as a service). However, according to ZDnet, Sage Live went dead after serious security flaws were exposed in the product. The flaws were exposed by the founder of a tiny rival. Duane Jackson, CEO of UK-based KashFlow, described what he found on his blog: “A little bit of prodding around the site and I found myself looking at… pages that only authorized people should be seeing.”

Attack Explanation - Users navigate to and through web applications by going from one URL address to another, much like postal addresses point to residential homes and businesses. As a result, a user can easily change the URL or its parameters, and unless the server checks the user’s authorization on every request, this can lead to pages and information that they wouldn’t ordinarily be allowed to view.


User Comments

Title: Good Job   
Name: Swapon
Date: 2009-12-01 11:45:31 PM
Really nice article. Well done. But it would be nice if you gave the complete example with code.
Title: Good work   
Name: phani
Date: 2009-05-09 6:42:43 AM
It's a really nice article, but it would have been more effective if you had explained the measures to be taken more elaborately.
Title: Nice work!   
Name: Chama
Date: 2009-05-01 1:11:53 PM
I love this article. Nice work dude!
Title: s   
Name: Ajay
Date: 2009-04-29 12:23:46 AM
Excellent stuff!
