If that doesn't work, you can first identify the number of columns with a union-based technique, such as UNION SELECT ALL 1, 2, 3 ... N, where N is the number of columns; you may have to try it up to N times, since it takes some guesswork. After that, you can start replacing the numbers with likely column names and watch the response. Many of the previously mentioned hacking tools can do this for you.
Blind injection is the hardest, because usually all you can observe is how quickly a blank error page (a 404, or whatever the server returns) comes back. So it's basically just "Yes" or "No"; with some persistence, however, that is enough. The sqlmap.org tool uses blind injection, so it will help you in the hardest cases.
For an attacker (or for you, if you pentest your own security perimeter), life is a bit more complex than breaking into a WebGoat site, and the actual REST injection query string could contain something like the following code (depending on the DB and its version), plus 200 more characters providing conditional branching, redirection, and calls to re-create the previously deleted xp_cmdshell stored procedure. (Yes! It can be restored by SQL injection in the REST service query!):
...OPENROWSET('SQLOLEDB',";'sa';'<password>','select 1;
DECLARE@resultint,@OLEResultint, .... EXECUTE
@OLEResult=sp_OACreate "WScipt.Shell", ......
"CreateObject%0X",...
An attacker can change privileges and call standard packages or stored procedures (Oracle or MS SQL). Even with a blind injection it is possible to extract the sys password and to add the current service account to the DBA group.
We will touch upon countermeasures in the following section, but while we are in the attacker's shoes, we will briefly explain how they can be dodged:
1. If the REST/SOA API is used in a web app and the user data entered is sanitized by JavaScript before the API ... no, we are not going to discuss it, it's just too easy!
2. If the first point is clear, then the defender will establish the already mentioned Service Perimeter Guard with the secure perimeter's SOA Message Screening pattern. The first move is to maintain a blacklist and to look for the 1=1 signature. Where is the enforcement point? The equal sign? So is this numeric filtering on "<, >, !=", yes? How about LIKE instead? What about 2=2, or 3>1, or /**/2/**/=/**2? We could go for miles with such tricks, but we will save you time and head straight to the sad truth: the signature-based IDS will catch only
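To make the point of item 2 concrete, here is an added example (not code from the book) in Python with an in-memory SQLite table of constructed sample rows: a hypothetical 1=1 signature filter in front of a REST handler, the string-spliced query it is meant to protect, and the parameterized form that needs no such filter because a bound value is never parsed as SQL.

```python
import re
import sqlite3
from typing import List, Optional

# Constructed sample table standing in for the REST service's backing store.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [("alice", "dba"), ("bob", "user"), ("carol", "user")])

# Hypothetical screening rule in the spirit of "look for the 1=1 signature".
TAUTOLOGY_SIGNATURE = re.compile(r"\b1\s*=\s*1\b")


def blocked_by_signature(value: str) -> bool:
    """True if the blacklist would reject this input before it reaches the DB."""
    return TAUTOLOGY_SIGNATURE.search(value) is not None


def lookup_concat(name: str) -> List[str]:
    """Vulnerable form: the input is spliced into the SQL text, so any
    tautology that slips past the filter rewrites the WHERE clause."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in _conn.execute(sql)]


def lookup_param(name: str) -> List[str]:
    """Hardened form: the input is bound as a value, never parsed as SQL,
    so the same text is simply a name that no row has."""
    rows = _conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def filter_then_query(name: str) -> Optional[List[str]]:
    """The defence the text criticises: screen first, then run the spliced query.
    Returns None when the blacklist rejects the input."""
    if blocked_by_signature(name):
        return None
    return lookup_concat(name)


if __name__ == "__main__":
    # The variants are the ones the text lists: 1=1 is caught, 2=2 and 3>1 are not.
    for probe in ["alice", "x' OR 1=1 --", "x' OR 2=2 --", "x' OR 3>1 --"]:
        print(f"{probe!r:16} blacklist={filter_then_query(probe)} "
              f"parameterized={lookup_param(probe)}")
```

Only the 1=1 variant is stopped by the signature; the others return every row through the spliced query, while the parameterized query returns nothing for all of them.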