Parameter Pollution in Connection Strings Attack

March 10, 2010 (at 2:30 p.m.) in Attack & Research

This session is about the Parameter Pollution in Connection Strings attack. Today, many tools and web applications allow users to dynamically configure a connection to a database server. This session will demonstrate the high risk of doing this insecurely. It will show how to steal the user account credentials in Microsoft Internet Information Services, how to get access to these web applications by impersonating the connection and taking advantage of the web server's credentials, and how to connect to internal database servers in the DMZ without credentials. The impact of these techniques is especially dangerous for hosting companies that allow customers to connect to control panels in order to configure databases.

Connection strings allow applications to connect to databases. These connections can be constructed dynamically in some special tools, such as management tools or control panels in hosting systems. Connection String Parameter Pollution attacks allow attackers to duplicate the value of some parameters in order to change the connection behavior, the target server and the security authentication protocol. These attacks could allow attackers to get access to internal databases, to get access to web applications without credentials in Microsoft SQL Server and Oracle databases, or to steal web server user credentials. At the end, after demonstrating all these attack vectors, this session will give some security recommendations in order to avoid this risk in web hosting companies.
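The mechanism the abstract describes, duplicated keys in a connection string where the later value overrides the earlier one, is easy to see with a small model. The following is an added example, not the speaker's code: a minimal parser with "last key wins" semantics modelled on SqlClient-style `key=value;` strings (the quoting rules are an assumption of this model, not a specification), an unsafe builder that concatenates user input raw, a hardened builder that quotes every user-supplied value, and a check that flags duplicated keys so a control panel can reject or log a polluted string. Server names and credentials are constructed sample values.

```python
"""Connection String Parameter Pollution (CSPP): model of the problem and its mitigation.

Added illustration, not code from the talk. Semantics are modelled on SqlClient-style
connection strings: pairs separated by ';', keys case-insensitive, values optionally
enclosed in single or double quotes (a doubled quote inside is a literal quote).
"""
from collections import Counter
from typing import Dict, List, Tuple


def tokenize(cs: str) -> List[Tuple[str, str]]:
    """Split a connection string into (key, value) pairs in order of appearance."""
    pairs: List[Tuple[str, str]] = []
    i, n = 0, len(cs)
    while i < n:
        while i < n and cs[i] in " ;":          # skip blanks and empty segments
            i += 1
        if i >= n:
            break
        eq = cs.find("=", i)
        if eq == -1:
            raise ValueError(f"malformed segment at offset {i}")
        key = cs[i:eq].strip().lower()
        i = eq + 1
        while i < n and cs[i] == " ":
            i += 1
        if i < n and cs[i] in "'\"":            # quoted value: ';' inside is literal
            q = cs[i]
            i += 1
            chars: List[str] = []
            while i < n:
                if cs[i] == q:
                    if i + 1 < n and cs[i + 1] == q:   # doubled quote escapes itself
                        chars.append(q)
                        i += 2
                        continue
                    i += 1
                    break
                chars.append(cs[i])
                i += 1
            value = "".join(chars)
            while i < n and cs[i] != ";":         # discard anything up to the separator
                i += 1
        else:                                     # bare value runs to the next ';'
            end = cs.find(";", i)
            if end == -1:
                end = n
            value = cs[i:end].strip()
            i = end
        pairs.append((key, value))
    return pairs


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Resolve pairs into a dict; a later duplicate key silently overrides an earlier one.
    This 'last key wins' behaviour is what a CSPP attack relies on."""
    resolved: Dict[str, str] = {}
    for key, value in tokenize(cs):
        resolved[key] = value
    return resolved


def polluted_keys(cs: str) -> List[str]:
    """Keys that appear more than once: a signal a defender can log or reject on."""
    counts = Counter(key for key, _ in tokenize(cs))
    return sorted(k for k, c in counts.items() if c > 1)


def build_unsafe(user: str, password: str) -> str:
    """Naive concatenation, as a control panel might do it: user input is inserted raw,
    so a value containing ';' adds parameters of its own (constructed server name)."""
    return f"Data Source=dbserver;Initial Catalog=app;User ID={user};Password={password};"


def quote_value(v: str) -> str:
    """Enclose a value in double quotes, doubling any embedded quote so it stays literal."""
    return '"' + v.replace('"', '""') + '"'


def build_safe(user: str, password: str) -> str:
    """Hardened builder: every user-supplied value is quoted, so ';' and '=' inside it
    can no longer introduce or override a parameter."""
    return (
        "Data Source=dbserver;Initial Catalog=app;"
        f"User ID={quote_value(user)};Password={quote_value(password)};"
    )


if __name__ == "__main__":
    tainted = "pw;Data Source=other-host"          # constructed polluted input
    for label, cs in (("unsafe", build_unsafe("alice", tainted)),
                      ("safe", build_safe("alice", tainted))):
        print(label, "->", parse_connection_string(cs)["data source"],
              "duplicates:", polluted_keys(cs))
```

In the unsafe case the resolved `data source` is the one smuggled in through the password field and `polluted_keys` reports it; in the safe case the whole tainted value stays inside the `password` entry and no key is duplicated. Rejecting any string for which `polluted_keys` is non-empty is a cheap server-side check in addition to using the platform's connection-string builder class rather than string concatenation.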

Chema Alonso

Chema Alonso is one of the most prominent names in computer security and hacking in the world. A Ph.D. in Information Security and a Computer and Systems Engineer, he graduated from Universidad Politécnica de Madrid, where he was honored as Ambassador. He has been awarded Most Valuable Professional in Enterprise Security by Microsoft. Before joining Telefonica to manage the new innovative company "Eleven Paths", focused on creating security technologies, he worked at Informatica64, creating FOCA, Evil FOCA and Dust RSS, and publishing hacking papers such as Connection String Parameter Pollution and Blind LDAP Injection Techniques.