Nytro

Connection String Parameter Pollution Attacks


Chema Alonso¹, Manuel Fernandez¹, Alejandro Martín¹ and Antonio Guzmán²

¹ Informatica64, S.L.

² Universidad Rey Juan Carlos

{chema,mfernandez,amartin}@informatica64.com, antonio.guzman@urjc.es

Abstract

In 2007 the ranking of the top ten critical vulnerabilities for the security of a system established code injection as the top 2, closely following top 1 XSS attacks. The first release candidate of the 2010 version of the ranking has promoted code injection attacks to top 1. Actually, the most critical attacks are those that combine XSS techniques to access systems and code injection techniques to access the information. The potential damage associated with this kind of threat, the total absence of background and the fact that the solution to mitigate these vulnerabilities must be worked out together with programmers, systems administrators and database vendors justify an in-depth analysis to estimate all the possible ways of implementing this technique.

Keywords: Code injection attacks, connection strings, web application authentication delegation

1 Introduction

SQL injections are probably the best-known injection attacks against web applications; they abuse the application's database architecture. Many different approaches and techniques have been studied and analyzed so far, and the published results conclude that to prevent these attacks from being successful, development teams need to establish the correct filtering levels on the inputs to the system.

In the case of the attack presented in this paper, responsibility lies not only with developers, but also with system administrators and database vendors. This attack affects web applications, but instead of abusing implementation flaws in the way database queries are crafted, which is the most commonly found scenario in other injection attacks, it abuses the way applications connect to the database.

According to OWASP [1], in 2007 the ranking of the top ten critical vulnerabilities for the security of a system established code injection attacks as the top 2, closely following top 1 XSS attacks. The first release candidate of the 2010 version of the ranking has promoted code injection attacks to top 1. Actually, the most critical attacks are those that combine XSS techniques to access systems and code injection techniques to access the information. This is the case for the so-called connection string parameter pollution attacks. The potential impact of this type of vulnerability and the total absence of background justify an in-depth analysis to estimate all possible attack vectors using this technique.

This paper is structured in three main sections. The first is this short introduction, where the foundations of connection strings and the existing mechanisms for implementing web application authentication are introduced. Section two proposes a comprehensive study of this new attack technique, with an extensive collection of test cases. The article concludes by briefly summarizing the lessons learned.

Download:

http://www.exploit-db.com/download_pdf/17254
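Added example (not from the paper or the original post): a Python sketch of the mechanism the introduction describes, where user-supplied values concatenated into a connection string change the way the application connects, together with a duplicate-keyword check and a quoting builder. It assumes the semicolon-delimited `keyword=value` syntax with ADO.NET-style quoting; all function names and sample values are constructed for illustration.

```python
from collections import Counter

def naive_build(server, database, user, password):
    """Concatenation: user and password reach the string verbatim."""
    return (f"Data Source={server};Initial Catalog={database};"
            f"User ID={user};Password={password}")

def split_pairs(conn_str):
    """Split into (keyword, value) pairs; ';' inside quotes is not a separator."""
    pairs, buf, quote = [], [], None
    for ch in conn_str + ";":
        if quote:                      # inside a quoted value
            buf.append(ch)
            if ch == quote:
                quote = None           # a doubled quote simply reopens it
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch == ";":
            item, buf = "".join(buf).strip(), []
            if "=" in item:
                key, value = item.split("=", 1)
                pairs.append((key.strip().lower(), value.strip()))
        else:
            buf.append(ch)
    return pairs

def duplicate_keywords(conn_str):
    """Keywords that occur more than once: the signature of a polluted string."""
    counts = Counter(key for key, _ in split_pairs(conn_str))
    return sorted(key for key, n in counts.items() if n > 1)

def quote_value(value):
    """Enclose a value in double quotes, doubling embedded double quotes."""
    if any(ord(c) < 0x20 for c in value):
        raise ValueError("control character in connection string value")
    return '"' + value.replace('"', '""') + '"'

def safe_build(server, database, user, password):
    """Quote untrusted fields, then verify the structure is still four unique pairs."""
    conn = (f"Data Source={server};Initial Catalog={database};"
            f"User ID={quote_value(user)};Password={quote_value(password)}")
    if len(split_pairs(conn)) != 4 or duplicate_keywords(conn):
        raise ValueError("connection string structure changed by input")
    return conn

if __name__ == "__main__":
    polluted = "pw;Initial Catalog=other"   # constructed sample input
    print(duplicate_keywords(naive_build("db1", "app", "alice", polluted)))
    print(safe_build("db1", "app", "alice", polluted))
```

In .NET, the provider's connection string builder classes (for example `SqlConnectionStringBuilder`) perform this quoting and should be preferred over hand-written concatenation.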
