In any case, the attacker will be looking for a response from your service, and the more elaborate it is, the better. Ideally, a complete error stack trace is what the attacker dreams of (an entire unhandled SOAP error with a faultString is good enough), but in fact any piece of information is welcome. Needless to say, the biggest portion of this information will be provided by your Error Handlers (EH) at all levels; therefore, vulnerabilities in EH design shall be discussed first.
It would be a mistake to think that a standard HTTP response, or no response at all, will considerably improve overall security. Blind injection is one of the most laborious techniques for an attacker, but it is still quite capable of delivering results, and even standard responses can be mapped to attack types; they are informative enough.
Surely our goal is to make the attacker's life hard, but our developers and operations staff will be affected in proportion, as the Discoverability principle is sacrificed.
Error handling vulnerability analysis
Here, we will combine the most common error handling vulnerabilities that allow attackers to probe your line of defense and collect all the technical information about your services needed for their further steps, which aim at authentication/authorization weaknesses. The methods are quite obvious:
• Study exposed contracts and/or intercept valid messages (as a passive intermediary or by eavesdropping).
• Check the message for a potential cryptographic nonce, constructed as the concatenation of a random string and a timestamp and used once per message. If the message contains additional information about the valid time range (for instance, return_acknowledge_till<…>), try to resend the message (as an active intermediary) within this interval. Interestingly enough, it is not that rare that for an add<something> operation the attacker gets a message acknowledging the error, with a faultString containing the primary key violation along with the constraint name, the table name, and some additional information about the DB itself.
• The presence of a nonce technically means that the message is signed (HMAC-SHA or the older MD5); otherwise, this composite nonce doesn't make any sense. Here the attacker has two options: it's quite possible that a small clock synchronization interval is maintained between the involved systems, potentially allowing replay attacks. If a weak hash algorithm is used, the attacker can exploit it by brute force or by a collision technique (MD5, evilize library; for an example by Peter Selinger, see http://www.mathstat.dal.ca/~selinger/md5colli-