6.30.2009

Cookie Poisoning

I wanted to talk a little bit more about Cookie Poisoning as it is something that a lot of people seem to be interested in. Basically, a cookie saves information on the client's machine that websites want to store. Typically, they would store a session id - essentially a unique identifier.

A typical Amazon Cookie.

Cookies can store other information as well. "Other information" may be as harmless as a user name that your favorite website remembers so you don't have to type it in every time you login. It can also be non-trivial like an account number, shopping cart total, social security number and any other personal information. I wish this wasn't the case, but I'm sure there are some websites that do this. The problem does not stop here. Anyone can edit a cookie and change their shopping cart total. Who wouldn't want to buy a brand new TV for a hundred bucks? Wouldn't you also get the store warranty that they always try to sell you but no one buys?

How to edit cookies? Download and install Add N Edit Cookies (a Firefox Add-on).

There are a number of ways to protect yourself from this vulnerability.
  • Do not save sensitive information in cookies.
  • Try to utilize server side sessions where possible.
  • Encrypt your cookie data.
  • Set an expiration that makes sense.
Note that cookie security should entail using SSL for your website AND encrypting the data in your cookie. If your site transmits any personal information, securing your site with SSL is a must. Packet sniffers can pick up cookie data in plain sight. Furthermore, anyone that has access to your local hard drive can view cookie data. Secure your data using strong encryption!
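Added example, not code from the original post: a small Python cookie helper that appends an HMAC tag and an expiry to the cookie payload, so the cart-total edit described above is detected server side and rejected. The secret key and cookie fields are constructed for the demo; note the tag gives integrity only, and the values remain readable, so the post's advice to encrypt sensitive data (or not store it at all) still applies.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side secret (constructed for this demo): it lives only on
# the server, so a client editing the cookie cannot recompute a valid tag.
SECRET_KEY = b"constructed-demo-secret-replace-me"


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the encoded payload, hex encoded."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(data: dict, ttl_seconds: int = 3600, now: int = None) -> str:
    """Encode data plus an expiry and append an integrity tag: '<payload>.<tag>'."""
    body = dict(data)
    body["exp"] = (int(time.time()) if now is None else now) + ttl_seconds
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    return payload + "." + _tag(payload)


def read_cookie(cookie: str, now: int = None):
    """Return the stored dict, or None if the cookie is malformed, tampered or expired."""
    parts = cookie.rsplit(".", 1)
    if len(parts) != 2:
        return None  # malformed
    payload, tag = parts
    # Constant-time comparison; any edit to the payload invalidates the tag.
    if not hmac.compare_digest(_tag(payload), tag):
        return None  # tampered
    body = json.loads(base64.urlsafe_b64decode(payload.encode()))
    if (int(time.time()) if now is None else now) >= body.pop("exp", 0):
        return None  # expired
    return body


def edit_cookie_field(cookie: str, field: str, value) -> str:
    """Re-encode the cookie with one field changed but the old tag kept, i.e. the
    kind of edit a cookie-editor add-on lets a user make; used to show detection."""
    payload, tag = cookie.rsplit(".", 1)
    body = json.loads(base64.urlsafe_b64decode(payload.encode()))
    body[field] = value
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    return payload + "." + tag
```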

6.29.2009

A Malware Story

Pedro Bueno of McAfee makes a thought-provoking statement, "I don't really know which is worse: a dumb or a smart malware writer" in his blog post. Apparently, a variant of the PWS-Banker trojan was written by a "dumb malware writer." The trojan steals the usual gamut of banking information using the popular cookie poisoning exploit and sends it to a remote SQL database. However, the credentials for that database were hard-coded in the malware for everyone to see. What are the implications of this? Disaster. Any fellow evil-minded script kiddie could get their hands on bank account, user name and password data and sell it on the market. IT'S PAYDAY. Until, of course, you get caught.

6.17.2009

Orphaned Users in SQL Server

It happens all the time - orphaned users. Oftentimes you are required to restore a database for testing purposes and you go back to your land of semicolons, butterflies and ponies and all of a sudden BAM: Login failed for user 'dbuser'.

In SQL Server, Database Users and Server Logins are two different entities. Users are associated to the database level, and logins are associated to the Server level. Every User must be mapped to a Login. Otherwise, you get a dreaded orphan.

In SQL Server 2008, run sp_change_users_login @Action='REPORT' to detect orphaned records. I actually just ran this and there are three orphaned users in one of my databases right now. Slacker!

To resolve an orphaned user, run sp_change_users_login @Action='update_one', @UserNamePattern='DatabaseUserName', @LoginName='ServerLoginName';

And there you have it. Happily reunited.

6.11.2009

My Stackoverflow Flair

This is my stackoverflow flair. It isn't much by any means. It pales in comparison with others on the site by wide margins. To give you an idea, the leading user at the time of this writing is Jon Skeet with 68.5k reputation score. It's not like he's had an unfair advantage besides the obvious intellectual one. He's been a member of the site for 8 months. I've been a member for 10. Anyone that is a part of stackoverflow will know the mental fortitude necessary to stay atop the leaderboard. A hat tip goes out to you Jon Skeet.

6.10.2009

IIS7 SEO Toolkit (Beta Release)

There exists a subgroup of people that specializes in SEO to make websites more search engine "friendly." They probably make a ton of money doing so. I, for one, do not belong to this group, do not plan on joining anytime soon and certainly do not make a ton of money.

For those of you who, like myself, find the SEO chore a bit outside of your interest, there is a reprieve. The beta release of the Search Engine Optimization Toolkit for IIS7 was announced last week (06/03/2009). Scott Gu has an exhaustive blog post about it here as he usually does.

*Note - the site being analyzed does not have an IIS7 server dependency. Feel free to run it remotely on any website.

6.09.2009

SQL Injection - What is it?

SQL Injection is essentially user input, in the form of SQL code, that is executed on the database server. The lab demonstrated here shows that by injecting ' or '1'='1 into the password field, the attacker gains access to the website without any credentials. This is because the program code executes the SQL statement with the attacker's input embedded in it. The result is the following: SELECT * FROM tblUsers WHERE UserName = 'any arbitrary text' And Password = ' ' or '1'='1', which will always be true, allowing the attacker to gain access. The security implications are huge once exploited.

The website created for demonstration of this lab queries the users table to verify the username and password to grant or restrict access. Performing the exploit outlined above actually returns the first row in this table, which happens to be the site administrator account. If the website had administration functionality built in, e.g., creating users, the attacker would have full access to it. Similarly, if the account under which the SQL is executed has sufficient read/write access to the database, the attacker would be able to inject a drop table command to cause data loss, 1'; DROP TABLE tblUsers. There are a number of ingenious ways to exploit this further.

Fortunately, prevention of SQL Injection attacks is pretty easy and straightforward. A few ways are to use parameterized statements, to limit user input and to validate user input. In our specific example, we could use Linq to prevent these types of attacks. Acting as an object relational mapper, Linq creates data classes for each table, view, stored procedure and more. Linq parameterizes all user input in the SQL it executes, making it invulnerable to this type of attack. Review the program code in the default.aspx.cs file provided. The SQLInjectionProtected() method demonstrates how Linq could be implemented.
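Added example, not the lab's default.aspx.cs code: the same login check written both ways in Python against an in-memory sqlite3 stand-in for the lab's tblUsers, so you can see the concatenated query return the first (administrator) row for the ' or '1'='1 input while the parameterized query returns nothing. The table rows and the Role column are constructed for the demo.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory copy of the lab's tblUsers; the admin is the first row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (UserName TEXT, Password TEXT, Role TEXT)")
    conn.executemany("INSERT INTO tblUsers VALUES (?, ?, ?)", [
        ("admin", "constructed-admin-pw", "administrator"),
        ("bob", "constructed-bob-pw", "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The pattern the post describes: user input concatenated straight into SQL.
    The password ' or '1'='1 turns the WHERE clause into a tautology."""
    sql = ("SELECT UserName, Role FROM tblUsers WHERE UserName = '" + username
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone()  # first matching row, or None


def login_parameterized(conn, username: str, password: str):
    """Hardened form: the driver binds the values, so input is data, never SQL."""
    sql = "SELECT UserName, Role FROM tblUsers WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone()
```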

Download the source code here: SQLInjectionWebsite.zip.

Asp.net 2.0 (Web Framework)
.NET Framework 3.5
C# (Programming Language)
IIS 6 (Web Server)
MS Sql Server 2005 (Database)