AttackFlow Findings Dictionary


Connection String Injection

The attacker is able to alter the database connection string to his/her own advantage, enabling attacks such as brute-forcing database credentials or switching the authentication mode.

Severity

Critical

Fix Cost

Medium

Trust Level

High

Web applications usually need database connection strings to reach their back-end database.

Sometimes, due to the nature of the application, some of the identifiers used in the connection string (a user name, a password, a database name) are supplied by the untrusted end user through HTTP parameters.

Suppose the back-end code is similar to the following snippet:

using System.Data.SqlClient;

// credentials come straight from the HTTP request (untrusted)
string userID = userModel.username;
string passwd = userModel.password;

// connect to the DB with the credentials the user supplied;
// a successful connection is treated as a successful authentication
SqlConnection DBconn = new SqlConnection(
    "Data Source=tcp:10.10.2.1,1434;Initial Catalog=mydb;User ID=" + userID + ";Password=" + passwd);
DBconn.Open();

With the application backed by the above code, an attacker can freely brute-force any database credentials he does not otherwise have access to, because every login attempt is forwarded to the database server. Moreover, when a keyword appears more than once in a SqlClient connection string the last occurrence wins, so submitting a password such as "x;Integrated Security=true" turns the string into a Windows-authenticated connection: User ID and Password are then ignored and the attacker logs in as the OS account the web application runs under, leveraging the trust between that account and the database server's authentication configuration.

Every injection attack occurs because code and untrusted data are mixed in one string. As developers, we are rarely handed secure APIs that keep the two apart until runtime. In the above code, mixing data (the user ID and password coming from the user) with code (the fixed part of the connection string in the program) results in Connection String Injection. The attacker can potentially manipulate the connection string and access the database system with credentials he could not use otherwise.
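The "last keyword wins" behaviour and its fix are easier to see on a small model of the connection string grammar. The following Python is an added example written for this page, not AttackFlow's code and not .NET's implementation: parse_connection_string mimics the documented SqlClient rules (Keyword=Value pairs separated by ';', quoted values with doubled embedded quotes, last occurrence wins, Trusted_Connection as a synonym for Integrated Security), build_unsafe reproduces the page's concatenation, and build_safe quotes each untrusted value as a single token, which is what SqlConnectionStringBuilder does for you in real code. The server address and database name are taken from the snippet above; the user name and the attacker-chosen password are constructed sample inputs.

```python
"""Connection string injection against a SqlClient-style connection string,
modelled in Python. Added example for this page, not AttackFlow's or .NET's code.

Rules mimicked (from the documented SqlConnection.ConnectionString grammar):
  * 'Keyword=Value' pairs separated by ';', keywords case-insensitive, whitespace trimmed
  * a value may be wrapped in single or double quotes; an embedded quote is doubled
  * if a keyword appears more than once, the LAST occurrence wins
  * 'Trusted_Connection' is a synonym for 'Integrated Security'; when it is true,
    Windows authentication is used and User ID / Password are ignored
"""
from typing import Dict, Tuple

SERVER = "tcp:10.10.2.1,1434"   # taken from the page's snippet
DATABASE = "mydb"

SYNONYMS = {
    "trusted_connection": "integrated security",
    "uid": "user id",
    "user": "user id",
    "pwd": "password",
    "server": "data source",
    "database": "initial catalog",
}


def parse_connection_string(s: str) -> Dict[str, str]:
    """Return {normalised keyword: value}; later duplicates overwrite earlier ones."""
    result: Dict[str, str] = {}
    i, n = 0, len(s)
    while i < n:
        while i < n and s[i] in " ;":          # skip separators and padding
            i += 1
        if i >= n:
            break
        eq = s.find("=", i)
        if eq == -1:
            raise ValueError("keyword without '='")
        key = s[i:eq].strip().lower()
        key = SYNONYMS.get(key, key)
        i = eq + 1
        while i < n and s[i] == " ":
            i += 1
        if i < n and s[i] in "'\"":            # quoted value: read up to the closing quote
            quote, i, buf = s[i], i + 1, []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted value")
                if s[i] == quote:
                    if i + 1 < n and s[i + 1] == quote:   # doubled quote is a literal quote
                        buf.append(quote)
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(s[i])
                i += 1
            value = "".join(buf)
            semi = s.find(";", i)
            i = n if semi == -1 else semi + 1
        else:                                  # bare value: everything up to the next ';'
            semi = s.find(";", i)
            end = n if semi == -1 else semi
            value = s[i:end].strip()
            i = end + 1
        result[key] = value
    return result


def build_unsafe(user_id: str, password: str) -> str:
    """The page's vulnerable pattern: untrusted values concatenated into the string."""
    return ("Data Source=" + SERVER + ";Initial Catalog=" + DATABASE
            + ";User ID=" + user_id + ";Password=" + password)


def quote_value(value: str) -> str:
    """Quote a value so the parser cannot read a ';' or a quote inside it as syntax
    (the same idea SqlConnectionStringBuilder applies when you assign a property)."""
    if value and not any(c in value for c in ";'\"") and value == value.strip():
        return value
    q = "'" if '"' in value and "'" not in value else '"'
    return q + value.replace(q, q + q) + q


def build_safe(user_id: str, password: str) -> str:
    """Same connection string, but every untrusted value is quoted as a single token."""
    pairs = [("Data Source", SERVER), ("Initial Catalog", DATABASE),
             ("User ID", user_id), ("Password", password)]
    return ";".join(k + "=" + quote_value(v) for k, v in pairs)


def effective_auth(conn_str: str) -> Tuple[str, str]:
    """How the server would be asked to authenticate: ('windows', '') or ('sql', user id)."""
    p = parse_connection_string(conn_str)
    if p.get("integrated security", "false").lower() in ("true", "yes", "sspi"):
        return ("windows", "")
    return ("sql", p.get("user id", ""))


if __name__ == "__main__":
    evil_password = "x;Integrated Security=true"       # constructed attacker input
    print(effective_auth(build_unsafe("alice", evil_password)))   # ('windows', '')
    print(effective_auth(build_safe("alice", evil_password)))     # ('sql', 'alice')
```

With the concatenated string the injected keyword is parsed as a separate pair and overrides the SQL login; with the quoted string the whole attacker value is delivered to the server as the password, where it simply fails. In .NET, assign untrusted values to SqlConnectionStringBuilder properties (UserID, Password) instead of concatenating, and prefer not to let end users choose the authentication mode at all.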

The same issue arises with JDBC. Here the database name is taken from an HTTP parameter and appended to the connection URL; suppose the back-end code is similar to the following snippet:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

Connection conn = null;
try
{
    Class.forName("com.mysql.jdbc.Driver").newInstance();
    // the database name is taken verbatim from an HTTP parameter (untrusted)
    String url = "jdbc:mysql://10.12.1.34/" + request.getParameter("selectedDB");
    conn = DriverManager.getConnection(url, username, password);
    doUnitWork();
}
catch (ClassNotFoundException cnfe)
{
    // driver not on the classpath
}
catch (SQLException se)
{
    // connection or query failure; the error also tells the caller whether the guessed database exists
}
catch (InstantiationException | IllegalAccessException ie)
{
    // driver class could not be instantiated
}
finally
{
    // manage conn
    if (conn != null)
    {
        try { conn.close(); } catch (SQLException ignored) { }
    }
}

With the application backed by the above code, an attacker can freely brute-force the names of databases on that server and open any of them the application's own credentials happen to have access to. Because the parameter is appended to the URL verbatim, the attacker also controls everything after the host, including driver connection properties appended as "?name=value".

As before, the root cause is mixing data (the database name coming from the user) with code (the fixed prefix of the JDBC URL in the program). The attacker can manipulate the connection string and reach databases and driver settings the application never intended to expose.
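What the driver actually sees after concatenation, and the validation that should sit in front of it, as an added Python example written for this page (not AttackFlow's code and not the MySQL driver's own URL parser): build_jdbc_url_unsafe reproduces the page's concatenation, split_jdbc_url reads a jdbc:mysql URL into host, database and properties the way the driver does, and rejection_reason / build_jdbc_url_safe allow only a plain identifier that is on the application's own list of schemas. The host comes from the snippet above; the list of permitted databases and the attacker input (a real Connector/J property name, used only to show that properties can be smuggled through the parameter) are constructed assumptions.

```python
"""Connection string injection into a JDBC URL, modelled in Python.
Added example for this page, not AttackFlow's code or the MySQL driver's.

The page's Java builds 'jdbc:mysql://10.12.1.34/' + request.getParameter("selectedDB").
Everything after the host is then attacker-controlled: the database (schema) name and,
through '?name=value&...', the driver's connection properties.
"""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl

HOST = "10.12.1.34"                                       # from the page's snippet
ALLOWED_DATABASES = frozenset({"sales", "inventory"})     # assumption: the schemas this app is meant to open
IDENTIFIER = re.compile(r"^[A-Za-z0-9_]{1,64}$")          # plain unquoted MySQL schema name (64 chars max)


def build_jdbc_url_unsafe(selected_db: str) -> str:
    """What the page's Java does: raw concatenation of the HTTP parameter."""
    return "jdbc:mysql://" + HOST + "/" + selected_db


def split_jdbc_url(url: str) -> Tuple[str, str, Dict[str, str]]:
    """Read a jdbc:mysql://host/db?k=v URL the way the driver does: host, database, properties."""
    prefix = "jdbc:mysql://"
    if not url.startswith(prefix):
        raise ValueError("not a jdbc:mysql URL")
    host, _, path = url[len(prefix):].partition("/")
    database, _, query = path.partition("?")
    return host, database, dict(parse_qsl(query, keep_blank_values=True))


def rejection_reason(selected_db: str) -> Optional[str]:
    """None if the value may be used, otherwise why it is refused."""
    if not IDENTIFIER.match(selected_db):
        return "not a plain identifier"         # rejects '?', '/', '&', '=', whitespace and empty input
    if selected_db not in ALLOWED_DATABASES:
        return "database not permitted"          # stops enumeration of other schemas on the server
    return None


def build_jdbc_url_safe(selected_db: str) -> str:
    """Validate the untrusted value before it touches the URL."""
    why = rejection_reason(selected_db)
    if why is not None:
        raise ValueError("refusing selectedDB %r: %s" % (selected_db, why))
    return "jdbc:mysql://" + HOST + "/" + selected_db


if __name__ == "__main__":
    # constructed attacker input: a valid schema name plus a smuggled driver property
    smuggled = "sales?allowLoadLocalInfile=true"
    print(split_jdbc_url(build_jdbc_url_unsafe(smuggled)))   # ('10.12.1.34', 'sales', {'allowLoadLocalInfile': 'true'})
    print(rejection_reason(smuggled))                         # not a plain identifier
    print(rejection_reason("mysql"))                          # database not permitted
```

The identifier check alone already keeps "?", "/" and "&" out of the URL; the allowlist is the part that stops the brute-force described above, because a syntactically valid but unknown schema name is refused before any connection attempt reaches the server. In the Java code the same checks belong immediately before the concatenation, and the SQLException path should return a generic error rather than one that reveals whether the guessed database exists.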
