Following the White Rabbit - A Practical Security Blog
Welcome! Let's follow the White Rabbit down the Web Application Security rabbit-hole... This blog is less about awesome h@><0ring and more about practical, real-world web app security measures and counter-measures. If you're looking for a blog to relate to your day-job - this may just be it. As long as you're here, bookmark (Ctrl + D) it, drop it in your reader and leave a comment!

Episode 22 - "Web Services ...Super-Secret"

While speaking at a conference recently, talking about Flash and other client-side technologies and their associated pratfalls, someone in the audience raised their hand and volunteered another brilliant fail that needed to be written up.  Apparently this is on at least one very real, quite popular (according to the Google) website out there...

As the gentleman explained it: "Wow, this website makes open-ended database calls!"

What that means is this... while "browsing" the site, the gentleman noticed that it was making interesting-looking AJAX-type calls out to what appeared to be a web service through the Flash component. Like any good security-minded person, he decided to investigate. Decompiling the Flash component and reading through the code, he noticed that there were a series of IF statements which basically defined the correct database to connect to. Once the database was selected, the Flash component would then make "web services" calls out to a server to retrieve data. The interesting thing was that it passed all the parameters in the call over clear-text HTTP. A piece of sample code pulled out revealed this type of call being made:

dataBaseQuery.fetchResults(dbName, paramOne, paramTwo, maxResults)

...which wouldn't be bad until you realize that the data on the other end was unfiltered. You were literally passing query parameters which were concatenated into an on-the-fly query string in Oracle, and the data was returned straight back, again unfiltered.

What could possibly go wrong? Well, the answer is you can actually enumerate all the data in all 5 databases ... whether you should have access to the tables/rows or not.
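An added example, not code from the site or from the original post: the concatenating pattern described above next to a version that uses bind variables, a server-side allow-list of databases and a capped result count. It assumes sqlite3 as a stand-in for Oracle; the function, table and column names and all rows are constructed for illustration.

```python
import sqlite3

# Assumptions: sqlite3 stands in for the Oracle back end; database, table and
# column names and all rows are constructed for illustration.
ALLOWED_DBS = {"catalog"}   # chosen by the server, never by the client
MAX_ROWS = 50               # hard cap, whatever maxResults the client sends

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (category TEXT, owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", [
        ("books", "public", "Alice in Wonderland"),
        ("books", "internal", "Unreleased title"),
        ("music", "public", "White Rabbit"),
    ])
    return conn

def fetch_results_concatenated(conn, param_one, param_two, max_results):
    # Pattern from the post: request values are pasted into the SQL text, so
    # a quote character in a parameter changes the query itself.
    sql = ("SELECT name FROM items WHERE category = '" + param_one +
           "' AND owner = '" + param_two + "' LIMIT " + str(max_results))
    return [row[0] for row in conn.execute(sql)]

def fetch_results_bound(dbs, db_name, param_one, max_results):
    # Hardened form: allow-listed database, server-fixed owner filter,
    # bind variables for every request value, and a capped row count.
    if db_name not in ALLOWED_DBS:
        raise PermissionError("database not exposed by this service")
    limit = max(1, min(int(max_results), MAX_ROWS))
    sql = "SELECT name FROM items WHERE category = ? AND owner = 'public' LIMIT ?"
    return [row[0] for row in dbs[db_name].execute(sql, (param_one, limit))]

if __name__ == "__main__":
    dbs = {"catalog": open_db()}
    odd = "x' OR '1'='1"    # constructed input containing a quote
    print(fetch_results_concatenated(dbs["catalog"], "books", odd, 10))
    print(fetch_results_bound(dbs, "catalog", odd, 10))
```

In the bound version the quote-bearing value is compared as a literal string and matches nothing, while the concatenated version returns every row, including the one marked internal.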


Labels: 30_in_30| OOPS
About the Author
Rafal "Raf" Los, is a web application security evangelist for the HP Software & Solutions business at HP. Los is responsible for bridging t...
