Auditing Matters

  • Comments posted to this topic are about the item Auditing Matters

  • I found that reading a couple of books on hacking in general (i.e. hacking networks, systems, databases, applications, etc.) really helped open my eyes to a new way of thinking. It also highlighted things like rootkits to me (yes, it was a LONG time ago). Sometimes general technology reading can be worthwhile.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • From Steve's editorial:

    look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.

    Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?

  • thisisfutile (2/24/2014)


    From Steve's editorial:

    look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.

    Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?

    I believe that the embedded script tags is referring to the scripting equivalent of SQL Injection. It was a common hacking practice to add valid (but malicious) HTML into a comment on a forum, for example, and anyone who loaded up the page (along with all the comments) downloaded and, therefore, executed whatever HTML (and often JavaScript) that was embedded in the original, malicious comment. This method does not target the servers (like SQL Injection attacks) but peer clients.

    I hope that I made it clear (and was right).

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • thisisfutile (2/24/2014)


    From Steve's editorial:

    look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.

    Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?

    I don't think it means anything beyond what it says - I have observed both these attacks (not at my workplace).

    If you have a SQL Injection vulnerability then a way this may be exploited (in a minor, annoying way) is that the hackers change all strings in a lookup table (e.g. list of countries) to "Leet haxors wuz here". They may also choose to update a string value to include script tags e.g. edit all product names to include something like <script>alert('Leet haxors wuz here');</script> - in that way when anyone visits the site (if it puts the product name on the page etc) the aforementioned alert appears.

  • Thank you both, Gary Varga and call.copse for the explanations. I now understand. I think my confusion started because I thought Steve was suggesting some methods for finding exploits but instead it was basic exploits that he was pointing out.

    I read it like this... "look for potential hacking issues, BY updating all of your lookup values to the same string, or embedding script tags in your data."

    I knew it was something simple that I was making more complicated...I have a tendency to do that. 😛 Where's my coffee cup?

  • I meant write code that looks for

    count(lookup value) = count(*)

    for a table. Also, look for items in your text fields like "<script language=js>"

    We've seen both of these hacks here on the site over the years. There are some other patterns you can search for that can let you know you've had an attack.

  • Hi Steve

    Sorry I still don't understand what you mean by

    " write code that looks for count(lookup value) = count(*)"

    Thanks

    Steve

  • If I have

    LookupID  LookupValue
    ========  ===========
    1         Red
    2         Blue
    3         Orange

    and I run a count of values, grouped by the value, I'd get this.

    count(lookupvalue)  count(*)
    ==================  =========
    1 (for Red)         3 (total)
    1 (for Blue)        3 (total)
    1 (for Orange)      3 (total)

    The count(*) is the row count. I'd have to do grouping to get the count by specific values, and include those values. I didn't write all the code here.

    If I've been hacked, my table could be:

    LookupID  LookupValue
    ========  ===========
    1         Red
    2         Red
    3         Red

    or

    LookupID  LookupValue
    ========  ===========
    1         Red <script=js>http.redirect 'malicioussite.com</script>
    2         Red <script=js>http.redirect 'malicioussite.com</script>
    3         Red <script=js>http.redirect 'malicioussite.com</script>

    and my counts would be

    count(lookupvalue)  count(*)
    ==================  =========
    3 (for Red)         3 (total)
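
The two audit checks described in the post above, written out as an added example (not code from the thread or the site). It assumes an in-memory SQLite database and constructed tables named `colors_ok`, `colors_flat`, `colors_script` and `colors_mixed`; the `audit_lookup` helper is hypothetical.

```python
import sqlite3

# Constructed sample lookup tables: one healthy, three tampered.
SAMPLES = {
    "colors_ok":     ["Red", "Blue", "Orange"],
    "colors_flat":   ["Red", "Red", "Red"],
    "colors_script": ["Red <script>alert(1)</script>"] * 3,
    "colors_mixed":  ["Red", "Blue <SCRIPT>alert(1)</SCRIPT>", "Orange"],
}

def build_db():
    """Create the constructed tables in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    for table, values in SAMPLES.items():
        conn.execute(
            f"CREATE TABLE {table} (LookupID INTEGER PRIMARY KEY, LookupValue TEXT)")
        conn.executemany(
            f"INSERT INTO {table} (LookupValue) VALUES (?)", [(v,) for v in values])
    return conn

def audit_lookup(conn, table, column="LookupValue"):
    """Run both checks on one lookup table and return the findings."""
    # Identifiers cannot be bound as parameters, so accept plain names only.
    if not (table.isidentifier() and column.isidentifier()):
        raise ValueError("table and column must be plain identifiers")
    # Check 1: one value's group count equals the table's row count,
    # i.e. every row was overwritten with the same string.
    same = conn.execute(
        f"SELECT {column} FROM {table} GROUP BY {column} "
        f"HAVING COUNT(*) = (SELECT COUNT(*) FROM {table}) AND COUNT(*) > 1"
    ).fetchone()
    # Check 2: rows whose text contains an opening script tag.
    script_rows = conn.execute(
        f"SELECT COUNT(*) FROM {table} WHERE {column} LIKE '%<script%'"
    ).fetchone()[0]
    return {"identical_value": same[0] if same else None,
            "script_rows": script_rows}

if __name__ == "__main__":
    conn = build_db()
    for table in SAMPLES:
        print(table, audit_lookup(conn, table))
```

SQLite's `LIKE` ignores ASCII case by default, which is why the upper-case tag in `colors_mixed` is counted; on SQL Server the same comparison follows the column's collation.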

  • Gary Varga (2/24/2014)


    I found that reading a couple of books on hacking in general (i.e. hacking networks, systems, databases, applications, etc.) really helped open my eyes to a new way of thinking. It also highlighted things like rootkits to me (yes, it was a LONG time ago). Sometimes general technology reading can be worthwhile.

    +10

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events
