Blind SQL Injection Attack Video

You don’t often get to see a demonstration of how an attacker will actually use techniques such as this the infiltrate a site. My belief is that if you need to defend yourself or your application against it you need to see it in action. milw0rm is a great place to see what applications are vulnerable to attack, how, why and has it been fixed.

What could have been done to prevent this attack?

Lots of things could have been done to prevent this from happening, but often is the case in large applications or small one’s built by an inexperienced developer holes are left in the security of an application. One thing to remember when developing an application that any user submitted data should be treated as hostile. It should be checked via Regex, cleaned, Type Casted and validated to ensure what your getting from the user is what you expected.

In the video a function as simple as mysql_real_escape_string could have prevented this but here are some other things you should know about:

Hash your passwords

I don’t know if you noticed in the video but the attacker acquired a plain text password. This was the application developers first mistake. If the password had been hashed, even if the attacked had got the entire hash it would have been useless. If you put another hash in it will just be converted to guess what, another hash. This would have rendered this attack fruitless. MD5 is a great Hashing function that comes pre-packed with most programming languages and would turn this “password” into this “5f4dcc3b5aa765d61d8327deb882cf99″. Even if one character changes the hash would be completely different.

Use a Database abstraction layer

In PHP a great example of this would be the MDB2 class. This class comes with a whole list of security features including some great sanitisation functions. Using a single gateway to your database will greatly reduce the margin for error. You could even develop your own with automatic data cleaning.

Use an odd admin section name

One issue with applications with an integrated CMS is the admin section is simply called “admin”. In this case if the attacker armed with a username and password couldn’t find your admin section he would have had to employ some more sophisticated tools to monitor where you where going to update your site. At this point they may get bored or more often than not, it’s an automated attack. In this case the application may try to guess where it is, fail and move on. So try to name your admin sections more carefully!

Well I hope someone finds this of use and I look forward to your responses!