Thursday, February 4, 2010

Black Hat DC: Researchers Reveal Connection String 'Pollution' Attack



Tool released tests for so-called Connection String Parameter Pollution (CSPP) attack
By Kelly Jackson Higgins
DarkReading WASHINGTON, DC -- Black Hat DC 2010 -- A pair of Spanish researchers here today demonstrated a way to hack the connection between a Web application and a database, letting the attacker hijack Web credentials and perform other nefarious activities.
The so-called Connection String Parameter Pollution (CSPP) attack exploits poorly secured dynamic connections between Web apps and databases, namely ones that still use semicolons as separators between data such as the data source, user ID, and password associated with a connection to the database, for instance. "If an attacker pollutes the parametershe will have full control of the connection string and can overwrite anything in it," says Jose Palazon, a researcher with Informatica 64, who along with colleague Chema Alonso demonstrated the CSPP attack.

http://www.darkreading.com/database_security/security/vulnerabilities/showArticle.jhtml?articleID=222600894

No comments:

Post a Comment