Following the White Rabbit - A Practical Security Blog
Welcome! Let's follow the White Rabbit down the Web Application Security rabbit-hole... This blog is less about awesome h@><0ring and more about practical, real-world web app security measures and counter-measures. If you're looking for a blog to relate to your day-job, this may just be it. As long as you're here, bookmark (Ctrl + D) it, drop it in your reader and leave a comment!

Episode 22 - "Web Services ...Super-Secret"

While speaking at a conference recently about Flash and other client-side technologies and their associated pratfalls, someone in the audience raised their hand and volunteered another brilliant fail that needed to be written up. Apparently this is on at least one very real, quite popular (according to the Google) website out there...


As the gentleman explained it: "Wow, this website makes open-ended database calls!"


What that means is this: while "browsing" the site, the gentleman noticed that it was making interesting-looking AJAX-type calls out to what appeared to be a web service, through the Flash component. Like any good security-minded person, he decided to investigate. Decompiling the Flash component and reading through the code, he found a series of IF statements that selected which database to connect to. Once the database was selected, the Flash component would then make "web services" calls out to a server to retrieve data. The interesting thing was that it passed all the parameters in the call in clear-text HTTP. A piece of sample code pulled out revealed this type of call being made:


dataBaseQuery.fetchResults(dbName, paramOne, paramTwo, maxResults)

...which wouldn't be bad until you realize that the data on the other end was unfiltered. You were literally passing query parameters that were concatenated into an on-the-fly query string in Oracle, and the result set came back, again unfiltered.


What could possibly go wrong? Well, the answer is that you can actually enumerate all the data in all 5 databases, whether or not you should have access to those tables/rows.
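To make the failure concrete, here is an added example (my own code, not the site's or the author's) showing the pattern the post describes beside a hardened version of the same call. It assumes sqlite3 in memory as a stand-in for Oracle, two constructed databases instead of five, and a single constructed table per database; the function and column names are mine.

```python
import sqlite3

# Constructed stand-in for the backend the post describes: sqlite3 in memory
# instead of Oracle, two databases instead of five, and a single table each.
ALLOWED_DBS = ("customers_db", "orders_db")
MAX_RESULTS_CAP = 100


def _build_db(name):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (owner TEXT, category TEXT, secret TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", [
        ("alice", "billing", f"{name}-alice-billing"),
        ("alice", "profile", f"{name}-alice-profile"),
        ("bob", "billing", f"{name}-bob-billing"),
    ])
    return conn


DBS = {name: _build_db(name) for name in ALLOWED_DBS}


def fetch_results_vulnerable(db_name, param_one, param_two, max_results):
    """The pattern the post describes: every client-supplied value, the
    database name included, is pasted straight into the query string, so
    the caller controls both which database is read and what WHERE clause
    runs against it."""
    sql = (f"SELECT secret FROM records WHERE owner = '{param_one}' "
           f"AND category = '{param_two}' LIMIT {max_results}")
    return [row[0] for row in DBS[db_name].execute(sql)]


def fetch_results_hardened(session_user, db_name, category, max_results):
    """Server-side fixes: the row owner comes from the authenticated session
    rather than the request, the database name is allow-listed, values are
    bound as parameters, and the result limit is validated and capped."""
    if db_name not in ALLOWED_DBS:
        raise ValueError("unknown database")
    try:
        limit = int(max_results)
    except (TypeError, ValueError):
        raise ValueError("max_results must be an integer")
    if not 1 <= limit <= MAX_RESULTS_CAP:
        raise ValueError("max_results out of range")
    sql = ("SELECT secret FROM records WHERE owner = ? "
           "AND category = ? LIMIT ?")
    rows = DBS[db_name].execute(sql, (session_user, category, limit))
    return [row[0] for row in rows]
```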


Whoops!

Labels: 30_in_30 | OOPS
About the Author

Rafal "Raf" Los is a web application security evangelist for the HP Software & Solutions business at HP. Los is responsible for bridging the gaps between security technologies and business needs to reduce enterprise risks and create embedded, lasting solutions on behalf of the HP Application Security Center group. He has spent over 10 years in various facets of information security and data protection, building programs at companies ranging from startups to Fortune 50 enterprises. Additionally, Los helped to write the first release of the Open Web Application Security Project (OWASP) testing guide. Prior to joining HP, Los led the web application security program and served as a security lead at General Electric (GE) Consumer Finance. Los also worked with GE Power Systems, leading security engineering and architecture and building the web application security program. Before GE, Los helped build a service-oriented security consulting company and was among the first 25 employees in a successful financial-based startup, leading internet-facing systems and security management and architecture. Raf received his B.S. in Computer Information Systems from Concordia University, River Forest, Ill.