(Perl) prove to be handy. If you need something for all occasions, Burp Suite is an obvious choice and you will learn a lot about injection attack patterns and much more. Talking about injections, specifically with proxy assistance, look at the following list:
• paros
• w3af
• sqlmap
• wpoison
We are sure that you will find more, but at the time of writing this, these were active and quite helpful. Still, if you are going to use them as a verification tool, remember that they do not cover all three types of injections, and you will have to do a lot of manual work to identify service weaknesses (we will not go into the basics of injection, as it is not the subject of this chapter).
So an attacker gets the error message (or whatever—system silence is also a message). The injection point is identified. The next step is to identify what type of data is behind it. That's simple, because your XSD will clearly say that. If not, it is not that difficult to learn after a series of reply attacks. Why is it important? Because attackers will learn whether they need a single quote around the value for 1=1, and what type of evasion technique will be necessary to bypass signature scanners at the Security Gateway:
…>id=1 having 1=1... or …>id=X' having 1=1 …
An attacker wants your data. Thus, union-based constructs will be used along the way. If your service stays passive (returns no error text), the last resort is blind injection.
What's important here is that this technique is almost identical for REST, SOAP, or command-line (direct) attacks in terms of the construction of the injection syntax. In REST, you (or the attacker) can use the following:
http://[victim_site]/[victim_resource_page]?id=1%20or%201=convert(int,(CREDITCARD_NUM))
If error messages are on, the system will respond with an error saying that the conversion to int failed, but it will give you (or the attacker) the actual column name. So, you can collect all the column names from the REST service DB (guesswork here is exceedingly easy).
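The passage above makes three defensive points at once: the `id` parameter has a schema type (the XSD says it is an integer), the value must never be spliced into SQL text, and the service must not hand raw database errors back to the client, because that error text is what leaks column names. The following is an added example, not code from the book, showing a minimal REST lookup written the vulnerable way beside its hardened form. The table, its rows and the `customers`/`creditcard_num` names are constructed for the demonstration; SQLite stands in for whatever database the service actually uses, and the `%20`-encoded query string mirrors the form shown on the page.

```python
import logging
import re
import sqlite3
from urllib.parse import parse_qs

log = logging.getLogger("rest-service")


def make_db():
    # Constructed sample data standing in for the REST service's database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, creditcard_num TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice", "4111-xxxx-xxxx-0001"),
            (2, "bob", "4111-xxxx-xxxx-0002"),
            (3, "carol", "4111-xxxx-xxxx-0003"),
        ],
    )
    return conn


def id_from_query(query_string):
    # Decode the URL query string exactly as a web framework would
    # ("id=1%20or%201=1" becomes the single value "1 or 1=1").
    values = parse_qs(query_string).get("id", [])
    return values[0] if values else ""


def lookup_vulnerable(conn, id_param):
    # The 'before' pattern: the query-string value is pasted into SQL text,
    # so a value such as "1 or 1=1" turns a single-row lookup into a table dump.
    sql = "SELECT id, name FROM customers WHERE id=" + id_param
    return conn.execute(sql).fetchall()


# The XSD says id is an integer; enforce that shape before the DB layer sees it.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def lookup_hardened(conn, id_param):
    # 1. Schema-type validation: anything that is not a plain integer is rejected
    #    outright, which covers quotes, "or", "having", "union" and "convert".
    if not ID_PATTERN.fullmatch(id_param):
        raise ValueError("id must be an integer")
    # 2. Parameter binding: the value is sent as data, never parsed as SQL.
    return conn.execute(
        "SELECT id, name FROM customers WHERE id=?", (int(id_param),)
    ).fetchall()


def handle_request(conn, query_string):
    # Error-handling policy: the client gets a generic status, the full exception
    # (including any database message naming a column) goes only to the server log.
    try:
        rows = lookup_hardened(conn, id_from_query(query_string))
    except (ValueError, sqlite3.Error) as exc:
        log.warning("rejected request %r: %s", query_string, exc)
        return {"status": 400, "body": "invalid request"}
    if not rows:
        return {"status": 404, "body": "not found"}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, id_from_query("id=1%20or%201=1")))
    print(handle_request(db, "id=1%20or%201=1"))
    print(handle_request(db, "id=2"))
```

The vulnerable lookup returns every row for the encoded `1 or 1=1` value; the hardened path rejects the same input before any SQL is built and answers with a generic 400, so neither the injection nor the error-message channel the chapter describes is available to the caller.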