December 30, 2009

Over 32 million accounts have been compromised (the result of an attack on the site)

It was discovered that the hacker under the pseudonym "igigi" managed to compromise the database of users of the web site via classical SQL Injection exploitation. The portal offers various services to social networks such as Facebook and MySpace. Igigi describes in detail the conducted attack in his blog. The most valuable data received by the hacker is the database of users consisting of 32’603’388 records:

Depersonalized database (without usernames, emails, and other sensitive information) was kindly downloaded to, but has been already removed from there and is now available only on torrents. It should be mentioned that this incident got into the TOP5 of the greatest information leakages for the past year.

The RockYou team apologized to their users and assured them that the incident didn’t affect the privacy of their financial information. It was also reported that the vulnerabilities will be eliminated and henceforth the security issues will be attended much more carefully (compliance with industry standards in information security, applying best practices, etc.). However, information protection is based today on the principle "one vulnerability eliminated, another one forgotten".

December 28, 2009

HTTP Parameter Fragmentation (HPF) is one of the methods to bypass security filters in web applications

The idea to use HTTP Parameter Fragmentation (HPF) when calling a web application for the purpose of bypassing security filters (particularly, WAFs) is not a new one. According to one of the participants of WASC Mailing List, this technique can be occasionally found among exploits published at the site However, application of this method allows one to successfully bypass filters used in most modern WAFs (particularly, a productive one - mod_security). So, what is the essence of this technique? Let us consider it by examples of SQL Injection exploitation.

It is often necessary to have two or more user parameters in one SQL query, for example:

At the stage of verifying the parameter values received from the user on the level of web application, the application is capable of operating with variables of web server only and WAF (depending on the mode) is capable of operating directly with raw HTTP data. However, regardless of the method of accessing data, it comes to using certain regular expressions (regexps) for each separate parameter. I.e.:

December 21, 2009

(non) blind SQL Injection


SQL Injection is a method to attack a database bypassing firewalls. In this method, parameters transmitted to the database via web applications are modified so that the executable SQL query changes. To conduct an SQL Injection attack, every possible way to interact with the application (GET, POST, COOKIE, etc.) is used.

Attacks can be conducted for the following purposes:

1. Access data that is usually inaccessible or obtain system configuration data, which can be used to develop the attack vector. For example, a modified SQL query returns user password hashes, which are subsequently decrypted using brute-force search.

2. Access other systems through the computer storing a database. This sort of attacks can be conducted using database procedures and 3GL extensions that allow one to interact with operating and file systems.

SQL Injections can be divided into the following three groups according to the exploitation techniques:

1. Classical SQL Injection;
2. Blind SQL Injection;
3. Double Blind SQL Injection/TIME-based.

Let us consider each of these techniques in detail. Taking into account the fact that SQL Injection exploitation strongly depends on the features of the structured query language (SQL) used, we will confine ourselves to considering the most widespread database – MySQL. Moreover, we will assume that SQL Injection attack is conducted via SELECT query, not via INSERT or others.