Thursday, June 24, 2010

The Common Probing

Event Details

Date
22 June 2010

POST Values
username: ' OR 1='1
password: ' OR 1='1

What we have here is a classic probe to determine if the login form is vulnerable to SQL injection or bypassing.

What the visitor was hoping for
The visitor was hoping that I do not sanitize my inputs, so that when the SQL query is built from them it lets him bypass the login.

Example:
SELECT * FROM user WHERE username='[x]' AND password='[y]' LIMIT 1
Would become:
SELECT * FROM user WHERE username='' OR 1='1' AND password='' OR 1='1' LIMIT 1
Because AND binds more tightly than OR, that WHERE clause is true for every row, so LIMIT 1 returns the first row of the user table and the visitor hopes to be logged in as that user.

How to prevent this
  • Sanitize your inputs (type-cast your numerics where possible)
  • Prepare your queries

If you are unsure how to do this, I recommend reading up on SQL injection attacks.

What we know about the visitor
Any visit to your website will always provide you with a wealth of information about the visitor. By simply examining the IP address and the HTTP headers passed, we can normally determine a lot about the visitor.

First, we make a quick trip to a whois lookup tool and find that the IP address belongs to the block assigned to Saudi Arabia (109.82.40.0 - 109.83.255.255). We can now make an educated guess as to where our visitor is located.

If you want something a bit more accurate, you can look at geoip location services such as MaxMind.

Now we'll dig through the HTTP headers.

HTTP_ACCEPT_LANGUAGE
This tells us the visitor's preferred language. In this case the preferred language is ar-SA. A quick lookup on a language code chart shows that this denotes Arabic (Saudi Arabia).

HTTP_USER_AGENT
The HTTP_USER_AGENT header can provide us with more information than just which browser the person is using.

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; AskTbGOM2/5.7.0.231)

A quick visit to http://user-agent-string.info will give us a breakdown of the user agent string.

Browser: Internet Explorer 8.0
OS: Windows 7
Installed .NET versions: 2.0.50727, 3.5.30729, 3.0.30729
Office suite: probably (InfoPath v.2, an MS Office component, is installed)

HTTP_X_BLUECOAT_VIA
The visitor is going through a Bluecoat proxy. The value passed in this field is the proxy session for the visitor.

REMOTE_ADDR
This is usually the IP address of the visitor. In this case it is the IP address of the Bluecoat proxy, not of the visitor's own machine.

Threat level

Low

Course of Action

Add weight to visitors from Bluecoat proxies

(When I refer to weight, I mean the weighting assigned to a request that determines whether the request is a hostile action and whether it should be blocked or reported.)
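As an added example (not code from this blog), here is one way to turn that weighting idea into code for the request recorded above: it scores the POST fields and headers, applies the extra weight for a Bluecoat proxy, and pulls out the visitor facts read off the headers earlier. The weights, the thresholds, the proxy session value and REMOTE_ADDR are assumptions, since the post does not give them.

```python
import re
# Weights and thresholds are assumptions for this example, not the blog's own values.
WEIGHT_QUOTE_BOOLEAN = 50  # a quote followed by OR/AND inside a login field
WEIGHT_SAME_PAYLOAD = 10   # the same probe string in both username and password
WEIGHT_BLUECOAT = 5        # the post's course of action: add weight for Bluecoat proxies
REPORT_AT, BLOCK_AT = 20, 50
# Matches a quote followed by a boolean keyword, the shape of the recorded `' OR 1='1`.
INJECTION_RE = re.compile(r"['\"]\s*(or|and)\b", re.IGNORECASE)

def score_request(post, headers):
    """Return (weight, reasons) for one login POST and its CGI-style headers."""
    weight, reasons = 0, []
    for field in ("username", "password"):
        if INJECTION_RE.search(post.get(field, "")):
            weight += WEIGHT_QUOTE_BOOLEAN
            reasons.append("quote followed by OR/AND in " + field)
    if reasons and post.get("username") == post.get("password"):
        weight += WEIGHT_SAME_PAYLOAD
        reasons.append("identical probe in both fields")
    if "HTTP_X_BLUECOAT_VIA" in headers:
        weight += WEIGHT_BLUECOAT
        reasons.append("via Bluecoat proxy; REMOTE_ADDR is the proxy, not the visitor")
    return weight, reasons

def verdict(weight):
    # The action the post describes for a weighted request: block, report or allow.
    if weight >= BLOCK_AT:
        return "block"
    return "report" if weight >= REPORT_AT else "allow"

def visitor_summary(headers):
    # The facts the post reads off the headers: language, IE, Windows and .NET versions.
    ua = headers.get("HTTP_USER_AGENT", "")
    msie = re.search(r"MSIE ([\d.]+)", ua)
    win = re.search(r"Windows NT ([\d.]+)", ua)
    return {
        "language": headers.get("HTTP_ACCEPT_LANGUAGE", "").split(",")[0].strip(),
        "msie": msie.group(1) if msie else None,
        "windows_nt": win.group(1) if win else None,
        "dotnet": re.findall(r"\.NET CLR ([\d.]+)", ua),
    }

# Constructed request reproducing the event above; proxy session and REMOTE_ADDR are placeholders.
PROBE_POST = {"username": "' OR 1='1", "password": "' OR 1='1"}
PROBE_HEADERS = {
    "HTTP_ACCEPT_LANGUAGE": "ar-SA",
    "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
                       ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; AskTbGOM2/5.7.0.231)",
    "HTTP_X_BLUECOAT_VIA": "PROXY-SESSION-PLACEHOLDER",
    "REMOTE_ADDR": "192.0.2.10",
}
```

The pattern only catches this one probe shape and is a reporting heuristic for the weighting scheme, not a substitute for the prepared queries recommended above.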
