justinclarke.com

Another Couple of Great Reviews of SQL Injection Attacks and Defense

2009-10-27T21:32:21Z

A couple of good reviews of SQL Injection Attacks and Defense have been posted to Amazon recently (both 5 stars). Firstly we have a review from Chris Gates which gives a good balanced review of the book and points out some things he'd have liked to see. I agree with all of the points, and if we ever get a chance to do a second edition, we can add those on the todo list.

Second and most recent was a review from Richard Bejtlich who was also very positive about the book and mentioned it may be in the running for his "best book of 2009"!.

Review of SQL Injection Attacks and Defense on Help Net Security

2009-09-23T09:25:23Z

Just noticed a very complimentary review of SQL Injection Attack and Defense at Help Net Security this morning. Will have to remember to pass a link to this onto the author team :-)

On a related note, I met Mirko from Help Net Security at BruCon in Brussels, but didn't manage to get an interview sorted out. There is a link to a previous email interview we did from the book review above...

SQL Injection used in Heartland, 7-Eleven and Hannaford Breaches

2009-09-01T20:17:32Z

This is a repost from the original on the GDS Security Blog

Having recently seen our book SQL Injection Attacks and Defense come out, it is very timely indeed to see in the news of the recent indictment of Albert Gonzalez that SQL Injection played a key part in the Heartland Payment Systems, 7-Eleven, and Hannaford Brothers breaches, as well as for two other unnamed victim companies.

So how can SQL Injection, which is an application level problem, be used as a vector for attacking an organization? In a number of ways. SQL Injection gives an attacker the ability to interact with the database, and therefore if something is possible on the database server it may well be possible through SQL Injection. Modern database systems such as Oracle, SQL Server and others provide a rich variety of functionality for their users - all too often though, some of this functionality can be abused by malicious individuals.

Making some assumptions, its likely that something like the following occurred:

It was possible to interact with the underlying operating system in some way using SQL Injection. This could have been through the ability to execute operating system commands (such as through the well known xp cmdshell stored procedure on Microsoft SQL Server), or through the ability to stage content to the database server (or filesystem) and then have it compiled to executable content.
With the ability to execute content at the operating system layer, access was consolidated by providing some form of alternative control channel or remote access to the database server.
With consolidated access to the database server, the attacker uses the database server as a foothold to go further into the organization.

These types of hybrid attacks where one type of attack is dovetailed or launched over another are becoming increasingly common. Another SQL Injection hybrid attack of recent note was the SQL Injection mass attacks that started in early 2008. These used SQL Injection in another way - to inject links to JavaScript malware into thousands of unsuspecting vulnerable sites. It just goes to prove that even if a vulnerability is over 10 years old, it still has some new tricks to be seen.

SQL Injection Attacks and Defense

2009-02-24T22:15:54Z

I now realise that I last posted on the topic of a forthcoming book in October last year. Well, the book has now gone to production and should be hitting the shelves in May of 2009. For those of you who haven't been denial-of-serviced with my LinkedIn status updates on the progress of the book, its called "SQL Injection Attacks and Defense", from Syngress.

I'm very happy with the great team of folks I managed to pull together for the book. The author list is as follows (in alphabetical order):

Justin Clarke - i.e. me
Dave Hartley - author of Bobcat
Joe Hemler - colleague and fellow contributing author to Network Security Tools
Alexander Kornbrust - CEO of Red Database Security and Oracle security guru with hundreds of Oracle bugs to his name
Rodrigo Marcos - author of TAOF
Haroon Meer - Technical Director at Sensepost, and well known speaker and researcher
Gary Oleary-Steele - author of Automagic SQL Injector
Alberto Revelli - author of sqlninja
Marco Slaviero - primary author of Squeeza
Dafydd Stuttard - AKA Portswigger, author of Burp Suite and the Web Application Hackers Handbook

Hopefully we'll be able to see the proofs in the next couple of weeks, and see what the production folks have done with the 520-odd pages of code-heavy goodness we sent them :-)

Upcoming speaking bookings

2008-10-18T23:30:29Z

Quick note - I'm currently confirmed for the following speaking engagements. If anyone is attending any of these and wants to catch up, drop me an email.

Another forthcoming book

2008-10-18T23:25:21Z

Quick announcement - looks like I'll have another forthcoming book coming out early next year - I have the contract from Syngress sitting on my dressing table right now.

More details to come (like what the book is on, who's involved in the project etc) will be forthcoming early next month as I have to get the full book outline completed first. What I will tell you all is it's a single topic book, is going to be very technical, and I have some great contributing authors lined up for it :-)

Blackhat followup

2008-10-18T23:16:22Z

Random followup - I found a photo of myself taken while I was onstage in Vegas (this is from the Armorize blog I think?). I find it amusing I can almost read my t-shirt - "I am Jack's Overwritten Stack Pointer...". That one is from Defcon 9 or 10 I think :-)

The E&Y Alumni Blackhat?

2008-05-21T15:55:03Z

As some of you may be aware, I used to work for the Ernst & Young Advanced Security Center in New York (and in Houston before that). Having a quick look at the speakers list for Blackhat in Las Vegas as they are confirmed it amused me that so many of the old E&Y ASC crew are represented in the speakers list:

Nitesh Dhanjani (although I don't think you could call Nitesh an alumni anymore... here is a link to his blog
Brian Holyfield, who is also at Gotham Digital Science
Nate McFeters - you can find his blog here
Billy Rios - his blog is here
Kevin Stadmeyer
And of course, me

Still alive and kicking...

2008-05-16T18:53:36Z

I got an email this morning (and a comment on an IM conversation a week ago) that has continued to remind me that I've been neglecting this blog. So I thought I'd pen a quick update to let everyone know whats going on and coming up.

First of all, I got my turbo talk to Blackhat USA in Las Vegas accepted, so I'll be speaking there again for the first time since 2004. The paper is called "SQL Injection Worms for Fun and Profit", and appears to be even more timely than I expected when submitting it considering what is still an ongoing problem. I'll be in Vegas for both Blackhat and Defcon if anyone wants to plan a catch up.

On other news, I've made little progress on rewriting SQLBrute in .NET due to a lack of time. I am, however, going to release SQLBrute 1.1 in Python in the not too distant future - I'm adding Sybase support, and cleaning up a few of the routines. Also, check out the port of Microsoft's AntiXSS library to Java - you can check it out on the GDS Tools page.

Thats all for now - more news and happenings soon!

Beating phishers at their own game

2008-02-04T21:38:46Z

A couple of old colleagues of mine, Billy Rios and Nitesh Dhanjani (who I wrote "Network Security Tools" with) have been up to some interesting research into the wide spread and pervasive phishing problem.

Check out Nitesh's site, or Billy's site, check out the interview they did with Help Net Security, and see them talk about it at Black Hat Federal 2008 in DC on the 20th of February.

SQLBrute has a new home

2007-11-12T12:26:48Z

A quick note - I am moving the downloads of SQLBrute (and in time, all of my tools) to the Gotham Digital Science tools page, so that we centralise downloads of all of our tools.

Although there isn't a lot there at the moment, we're going to be putting up a lot of tools we've been working on as time permits.

Gotham Digital Science blog launch, site redesign

2007-11-11T12:18:31Z

We have finally finished revamping the Gotham Digital Science website. New stuff includes the GDS Blog (as well as related RSS/Atom feeds), as well as a GDS tool download page.

Check out the blog for interesting technical content, including lessons learned and tips from our source code review/application vulnerability remediation work, as well as for some of the tools we'll be releasing in the coming weeks.

German anti-hacker law bites hard

2007-08-21T10:47:00Z

The recent change to German law to implement the EU Framework Decision on Attacks against Information Systems (enacted in Paragraph 202c of the German Penal Code) has caused many security researchers based in Germany to look to move elsewhere, or to remove previously available research findings.

The change in the law, which went into effect on August 10, criminalises the production, distribution, possession, and sale of tools that can be used to commit cybercrimes. Unfortunately, a strict interpretation of the changes would make possession of tools that could be used maliciously (such as nmap or Nessus for instance) illegal. While in reality, legal opinions are that the courts would differentiate between a cracker and a security researcher based on their intent, noone (unsurprisingly) seems to want to be the first test case.

The content for a number of projects have all but disappeared, such as the recent Month of PHP bugs, and the well known THC (The Hackers Choice) group, as well as smaller projects such as BtCrawler. Others are saying farewell to Germany and reestablishing themselves elsewhere such as the KisMac wifi scanner for OSX and the Phenoelit group.

All in all a hard strike against a country which has produced much valuable security research and expertise.

Running Nessus 3 on Windows XP

2007-08-06T12:10:07Z

I recently had reason to spend a while working with Nessus on Windows XP (Service Pack 2). Usually, I use a Nessus Server running on Linux, either running locally if I am onsite, or one installed on our company infrastructure for scanning from the Internet. In fact, you read the documentation don't you?, Tenable specifically recommends in the Nessus Installation Guide that you _not_ run Nessus on XP, and instead use a Windows Server product, such as Windows Server 2003.

The reason for this is that in Windows XP Service Pack 2, Microsoft introduced a number of Network Protection Technologies for mitigating the spread of malware. One of these limits the number of simultaneous incomplete outbound TCP connection attempts to 10, with additional attempts being queued and potentially dropped. This impacts the reliability of at least port scanning, and possibly other security checks.

Unfortunately the scenario I was working with required me to be running Nessus through a VPN client (never ideal), in reality requiring me to be on XP. Tenable does, however, have some recommendations for running Nessus as reliably as possible on XP:

Max number of hosts: 10
Max number of security checks: 4
Max number of packets per second for port scan: 50

The maximum hosts/security checks setting is standard in all of the Nessus clients I've used, however the packets per second setting seems to only be available within the client shipped with the Windows Nessus server. If you, like me, are using the new NessusClient 3.0 beta for Windows, you need to make the following change to the Nessus server's configuration to ensure that 50 is the default value:

Go to the "config" directory in your Nessus server installation. By default this is C:\Program Files\Tenable\Nessus\config
Open config.default.xml for editing - just use Notepad if you don't have an XML editor
Find the SYN Scan:Max number of packets per second for port scan node, and edit the value (the CDATA bit) from 500 to 50

This value should now be the default for all new scans.

This worked well for me, however needless to say that running a Nessus scan in VMWare (slowdown factor one), over a VPN link (slowdown factor two), over a transatlantic Internet connection (slowdown factor three), the scan took quite a while to complete...

Using proxy servers with SQLBrute

2007-07-31T18:21:21Z

Daniel Cuthbert commented about adding proxy server support to SQLBrute. Well, a nice (and perhaps a little obscure) feature of urllib2 (which SQLBrute uses to send HTTP requests) is that you get HTTP proxy support out of the box. All you need to do is set your environment to point to the server, either by setting the http_proxy environment variable to point to your proxy, or (on Windows) by setting Internet Explorer to point to your proxy.

If setting the environment variable, on the Windows command line you can do this:

set http_proxy=myproxy:8080

Which should point it to your proxy. The same works for Unix/Linux with whatever export or set command is relevant for your shell.

The proxy support in urllib2 doesn't support authentication so if you have a proxy with authentication you might want to chain SQLBrute through your favourite local proxy (i.e. Burp, Paros etc) and have that handle the authentication for you. Enjoy!