May 2

On shared web servers it is usually a good idea to encrypt the <connectionStrings> element of your web.config, as the file may be world-readable depending on the application pool identities, the IUSR identities, and the machine.config trust level. You can do this with the aspnet_regiis utility (errr, your host can do it). Open a command prompt, change directory to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 and run the following:

The first command encrypts; replace domain.com with your site name in IIS and the -app switch should be followed by the application name, in this case the webroot:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -pe connectionStrings -app / -site domain.com
Encrypting configuration section…
Succeeded!

The second and third commands grant read access to the RSA key container used for decryption. This permission needs to be granted to ASPNET and to your application pool identity (NETWORK SERVICE in the example below). The value following the -pa switch can be found in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config, where the RsaProtectedConfigurationProvider is defined:

<add name="RsaProtectedConfigurationProvider"......keyContainerName="NetFrameworkConfigurationKey"

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"
Adding ACL for access to the RSA Key container…
Succeeded!

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -pa "NetFrameworkConfigurationKey" "NETWORK SERVICE"
Adding ACL for access to the RSA Key container…
Succeeded!

Original:

<connectionStrings>
  <add name="stringname"
       connectionString="Data Source=SERVER;Initial Catalog=database;Persist Security Info=True;User ID=login;Password=password"
       providerName="System.Data.SqlClient" />
</connectionStrings>

Encrypted (partially truncated):

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>pb74wqH93ZDjJNrHSkRqBJKxvq4eS4MDq+vF2RvWZSFhXBkgBcS...tWmHYi8=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>KY4ESXL95+AtOAu3QRBURO5ij6GKTUDmosRcQ2YzOGtt8mLGs0wJLONl0i1mA...qJioHKV0tOl3Y=</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
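As an added check (not part of the original post), here is a small Python script that audits a web.config the way a host or admin might before and after running aspnet_regiis: it reports whether <connectionStrings> carries the configProtectionProvider attribute and whether any unencrypted entry still holds a password. The two sample configs are constructed from the before/after fragments above, with the ciphertext replaced by a placeholder.

```python
"""Audit the <connectionStrings> section of a web.config.

Added example, not from the original post: reports whether the section has
been protected with aspnet_regiis -pe (configProtectionProvider attribute
present) and whether any unencrypted entry still carries a password.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "Original" web.config fragment from the post.
PLAINTEXT_CONFIG = """<configuration>
  <connectionStrings>
    <add name="stringname"
         connectionString="Data Source=SERVER;Initial Catalog=database;Persist Security Info=True;User ID=login;Password=password"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

# Constructed sample: the "Encrypted" fragment, ciphertext replaced by a placeholder.
ENCRYPTED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <CipherData><CipherValue>CIPHERTEXT-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

# Connection-string keys that hold a secret (case-insensitive match).
SECRET_KEYS = ("password", "pwd")


def audit_connection_strings(config_xml):
    """Return a dict: whether the section exists, whether it is encrypted,
    and which <add> entries still expose a password in plaintext."""
    root = ET.fromstring(config_xml)
    section = root.find("connectionStrings")
    if section is None:
        return {"present": False, "encrypted": False, "provider": None,
                "plaintext_passwords": []}
    provider = section.get("configProtectionProvider")
    exposed = []
    # Only an unencrypted section has <add> children; an encrypted one holds
    # <EncryptedData> in the xmlenc namespace instead, so this loop is empty.
    for entry in section.findall("add"):
        conn = entry.get("connectionString", "")
        keys = [part.split("=", 1)[0].strip().lower()
                for part in conn.split(";") if "=" in part]
        if any(key in SECRET_KEYS for key in keys):
            exposed.append(entry.get("name"))
    return {"present": True, "encrypted": provider is not None,
            "provider": provider, "plaintext_passwords": exposed}


def main():
    for label, config in (("before", PLAINTEXT_CONFIG), ("after", ENCRYPTED_CONFIG)):
        result = audit_connection_strings(config)
        status = ("encrypted with %s" % result["provider"]
                  if result["encrypted"] else "NOT encrypted")
        print("%s: connectionStrings %s; plaintext passwords in: %s"
              % (label, status, result["plaintext_passwords"] or "none"))


if __name__ == "__main__":
    main()
```

Point the script at a real web.config by reading the file into `audit_connection_strings`; a section reported as encrypted but with decryption failing at runtime usually means the -pa step for the application pool identity was skipped.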

That’s it

Apr 12

The most commonly used entry method into web applications today is SQL injection. Anyone with just a little knowledge of SQL syntax can obtain vital information from a business or inject malicious code to be rendered when anonymous users visit a page. The purpose of the following article is to educate developers and administrators about the security vulnerabilities that may exist in their publicly accessible web sites.

Example:
http://jw0rd.com/test2.cfm?id=1

A basic database driven ColdFusion page that uses the URL parameter ‘id’ in a SQL SELECT statement. This is what the output of the page is supposed to look like:

[Screenshot: correct]

The coding on this page selects a record from the ‘articles’ table where id = #URL.id#

select * from articles where id = #URL.id#

It then outputs the title, category, and article fields for the row where id = #URL.id#. Like a lot of poorly coded web applications there is no sanitization of the URL parameter ‘id’, so let's alter the SQL statement and add a UNION.

URL encoding – http://www.w3schools.com/TAGS/ref_urlencode.asp
%20 = [space]
%27 = '

http://jw0rd.com/test2.cfm?id=1%20union%20select%201,%27%27,login,password%20from%20admin

The full SQL statement is now:
select * from articles where id = 1 union select 1,'',login,password from admin

The output on the page is now two records, one from the articles table and one from the admin table.

[Screenshot: oops]

Now let's add a select on @@version to determine the version of SQL Server the database server is running, and also SYSTEM_USER to see if it's possibly using a high-privileged SQL account such as 'sa'.

http://jw0rd.com/test2.cfm?id=1%20union%20select%201,@@version,SYSTEM_USER,%27%27%20from%20admin%20order%20by%20title

The full SQL statement is now:
select * from articles where id = 1 union select 1,@@version,SYSTEM_USER,'' from admin order by title

[Screenshot: oops2]

Now that you get the idea of how SQL injection is exploited, how do you prevent it? ALL variables that can be POST’d or GET’d from an anonymous user need to be sanitized. For our ColdFusion example above, the ‘cfqueryparam’ tag will get the job done -> http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_p-q_18.html

Original, vulnerable SQL Statement in test2.cfm:

select * from articles where id = #URL.id#

Updated, secure SQL statement:

select * from articles where id = <cfqueryparam value="#URL.id#" CFSQLType = "CF_SQL_INTEGER">

Now that we are forcing that variable to be of type integer, let's try to inject a SQL statement again.

[Screenshot: good]

SQL injection is no longer possible through the ‘id’ parameter:

Invalid data 1 union select 1,'',login,password from admin for CFSQLTYPE CF_SQL_INTEGER.
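To make the before/after concrete outside ColdFusion, here is an added Python example (not the post's code) that reproduces the same lookup against an in-memory SQLite database with constructed 'articles' and 'admin' tables. The first function pastes the URL value into the SQL exactly as test2.cfm did; the second stands in for cfqueryparam with CF_SQL_INTEGER by rejecting anything that is not an integer and binding the value as a parameter; the third shows the page-level wrapper that returns a generic message instead of the raw database error. SQL Server-only items such as @@version and SYSTEM_USER are not available in SQLite, so only the UNION case from the post is replayed.

```python
"""Vulnerable vs. parameterized article lookup.

Added example, not the post's code: an in-memory SQLite database with
constructed 'articles' and 'admin' tables stands in for the page's SQL
Server, and a type-checked bound parameter stands in for cfqueryparam
with CF_SQL_INTEGER.
"""
import re
import sqlite3

# The injected value from the post's URL, after URL decoding.
UNION_PAYLOAD = "1 union select 1,'',login,password from admin"


def build_db():
    """Constructed sample data: one article and one admin account."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, category TEXT, article TEXT);
        CREATE TABLE admin (login TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'First post', 'news', 'Some text');
        INSERT INTO admin VALUES ('admin', 'hunter2');
    """)
    return con


def lookup_vulnerable(con, url_id):
    """Mirrors test2.cfm before the fix: the URL value is pasted into the SQL."""
    sql = "select * from articles where id = " + url_id
    return con.execute(sql).fetchall()


def lookup_parameterized(con, url_id):
    """Mirrors <cfqueryparam value="#URL.id#" cfsqltype="CF_SQL_INTEGER">:
    reject anything that is not an integer, then bind the value."""
    if not re.fullmatch(r"-?\d+", url_id.strip()):
        raise ValueError("Invalid data %r for CFSQLTYPE CF_SQL_INTEGER" % url_id)
    return con.execute("select * from articles where id = ?",
                       (int(url_id),)).fetchall()


def handle_request(con, url_id):
    """Page-level wrapper: never echo the raw error to an anonymous user."""
    try:
        return {"ok": True, "rows": lookup_parameterized(con, url_id)}
    except ValueError:
        # The detail belongs in a server-side log; the visitor gets a generic message.
        return {"ok": False, "rows": [], "error": "Invalid request"}


def main():
    con = build_db()
    print("vulnerable, id=1:", lookup_vulnerable(con, "1"))
    print("vulnerable, injected:", lookup_vulnerable(con, UNION_PAYLOAD))
    print("parameterized, id=1:", handle_request(con, "1"))
    print("parameterized, injected:", handle_request(con, UNION_PAYLOAD))


if __name__ == "__main__":
    main()
```

Running it shows the vulnerable lookup returning a second row holding the admin login and password, while the parameterized lookup never builds that statement at all: the value is rejected before the query runs, and the wrapper hides the reason from the visitor.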

Another security risk is the raw ColdFusion error that displays a snippet of our code to an anonymous user. Setting up custom error handling so that it is not seen is always a good idea, but that is an entirely different subject.

Hopefully I will have some extra time soon to post a similar article related to basic MySQL injection techniques.
