Researchers Present Web Application Attack Targeting Database Connection
By: TechBriefTeam  |  2010-02-08  |  

At Black Hat DC, security researchers present a way to hack the connection between Web applications and the database, a method they call connection string parameter pollution.

Independent researcher Jose Palazon and Chema Alonso of security vendor Informatica64 unveiled a new attack at Black Hat DC that targets the connection between Web applications and databases. They call it a CSPP (connection string parameter pollution) attack because it exploits connection strings that are built dynamically, and without adequate filtering, from user-supplied input. The attack can potentially allow hackers to steal user credentials and change how the application authenticates to the database.

“It is very common in Web control panels created to manage databases but also in some applications using the connection string as an authentication mechanism; in those environments Web application users are database users,” Alonso explained. “In that kind of application, if one or some of the parameters needed to construct the connection string are introduced by the user, and there is no good security filter on them, then it's possible to inject new parameters or to overwrite the value of any of them in the connection string.”

A hacker can use this attack to point the Web application at any server, which makes it possible to enumerate servers in the DMZ or port-scan any machine the application can reach. Additionally, “if the attacker has valid credentials [he or she] then can connect the Web application to another internal, forgotten, test, or whatever database in the DMZ … [or] try different tricks, like adding the integrated security parameter and [trying] to get connected using the system account that the Web application is running on, or simply just to steal its hash.”
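The following Python block is an added illustration of the mechanism described above; it is not code from the eWEEK article or from the researchers. It models the connection-string rules the attack relies on (semicolon-separated key=value pairs, case-insensitive keys, and the last occurrence of a repeated key winning) in a simplified parser, builds a connection string the vulnerable way by concatenating user input, and then builds it the safe way by quoting each user-supplied value. The server names, database name and payload are constructed for the example.

```python
"""
Added example (not from the article): a simplified model of ADO.NET-style
connection-string parsing, used to show how concatenating user input into the
string lets an attacker override "Data Source" or add "Integrated Security",
and how quoting user-supplied values stops the pollution.
"""
from typing import Callable, Dict

# Constructed payload: submitted by the attacker in the password field.
# The first ';' ends the real Password value and the rest becomes new pairs.
POLLUTION_PAYLOAD = "x;Data Source=10.0.0.99;Integrated Security=true"


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Simplified ADO.NET rules: ';' separates pairs, '=' separates key and
    value, keys are case-insensitive, a repeated key keeps its LAST value, and a
    value wrapped in double quotes may contain ';' (an embedded quote is doubled)."""
    result: Dict[str, str] = {}
    i, n = 0, len(cs)
    while i < n:
        eq = cs.find("=", i)
        if eq == -1:
            break
        key = cs[i:eq].strip(" ;").lower()
        i = eq + 1
        while i < n and cs[i] == " ":
            i += 1
        if i < n and cs[i] == '"':
            # Quoted value: read up to the closing quote, unescaping "" to ".
            j, buf = i + 1, []
            while j < n:
                if cs[j] == '"':
                    if j + 1 < n and cs[j + 1] == '"':
                        buf.append('"')
                        j += 2
                        continue
                    break
                buf.append(cs[j])
                j += 1
            value = "".join(buf)
            semi = cs.find(";", j)
            i = n if semi == -1 else semi + 1
        else:
            semi = cs.find(";", i)
            value = cs[i:].strip() if semi == -1 else cs[i:semi].strip()
            i = n if semi == -1 else semi + 1
        result[key] = value  # last occurrence wins, which is what CSPP abuses
    return result


def build_vulnerable(server: str, db: str, user: str, password: str) -> str:
    """The pattern the article describes: user input dropped straight into the string."""
    return f"Data Source={server};Initial Catalog={db};User ID={user};Password={password}"


def build_safe(server: str, db: str, user: str, password: str) -> str:
    """Quote every user-supplied value so ';' and '=' inside it stay part of the value."""
    def q(v: str) -> str:
        return '"' + v.replace('"', '""') + '"'
    return f"Data Source={server};Initial Catalog={db};User ID={q(user)};Password={q(password)}"


def effective_params(builder: Callable[[str, str, str, str], str], password: str) -> Dict[str, str]:
    """Build the string with the attacker's password and return the parameters
    the parser would actually use (hostnames and database name are constructed)."""
    return parse_connection_string(builder("db01.internal", "Panel", "webuser", password))


if __name__ == "__main__":
    for name, builder in (("vulnerable", build_vulnerable), ("safe", build_safe)):
        params = effective_params(builder, POLLUTION_PAYLOAD)
        print(name, "->", params.get("data source"), params.get("integrated security"))
```

With the vulnerable builder the parsed "Data Source" is the attacker's 10.0.0.99 and "Integrated Security" is true, so the application would try to reach the attacker's host with its own Windows account, which is the hash-theft and server-redirection scenario described above. With the quoting builder the whole payload stays inside the Password value. In real .NET code the same effect is obtained with SqlConnectionStringBuilder, and server and database names taken from users should additionally be checked against an allow list.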

Read the entire eWEEK article here.
