2011/2012
1. Introduction
The web is the future of running an organization, doing business, and even of how a person shares their life and interacts with other people. From information about the services an organisation provides, e-commerce and internet banking, to art galleries, restaurant menus and opening times, and a person's everyday activities, the web is becoming an essential part of our lives. Whether the site is the web presence of a large multinational organization, a gallery showing a product range and inviting potential customers into the shop, or a personal site exhibiting someone's holiday photos, web security matters. Web security should therefore be a primary concern for the people who manage the site, whom we call administrators. They should know how to protect their website from being hacked or attacked by an intruder. This white paper describes and outlines a system intrusion attack carried out through SQL Injection, one of the most popular web attack techniques currently used by hackers to gain access to websites. Through a real case study, this paper states the problems that arise when a website is attacked and gives recommendations and the best solutions for preventing such an attack from occurring.
Matthew Astley released an advisory titled NT ODBC Remote Compromise. Then, on February 3rd, 2000, Rain Forest Puppy came out with "How I hacked Packetstorm: A look at hacking wwwthreads via SQL". In September 2000, another researcher, David Litchfield, came out with his book called Application Assessments on IIS. Since then, many researchers working in this field have published books or white papers on this technique, and the work has not stopped to this day.
experiencing some technical difficulties at the moment (as shown in the picture below). The picture below also shows what happened to this site before and after it was defaced.
3.2. Motive and reason
The most probable motive for hacking and defacing the Lynas website with that kind of message is opposition to the nearly complete rare earths processing plant being built at the Gebeng Industrial Estate, Kuantan, Pahang. This assumption is based on the message displayed on the Lynas website while it was defaced, which clearly stated "Stop Lynas, Save Malaysia". As we know, last month the Lynas issue was a hot topic discussed by Malaysian citizens all over the nation, both on the government side, which agreed with the construction of the processing plant, and on the opposition side, which disagreed with the plan. In an attempt to stop the plant being built in Malaysia, the opposition side held a large gathering called Green Gathering 2.0 on February 26th last month. This gathering also supports the assumed reason for the attack, because the website was brought down on the same day and at the same time that the gathering was held.
3.3. The person behind the attack
The hacker who brought down the Lynas website and took credit for this attack called himself 4z1 and claimed to be a Malaysian citizen, as his message on the Lynas website, "do not hurt my country", suggests. Although his real identity cannot be revealed, after some rough searching using the name 4z1 we could find some information about him. Based on the information stated in his personal blog, we can assume he is the person responsible for attacking the Lynas website. The information we collected was that the person is a Chinese guy and a member of the evilshadow team, which is part of the HackXL96 hacking group. Besides that, in his personal blog entry dated February 25th 2012, he wrote about his opposition to the government and the Lynas issue. All of this information is very useful, especially to a digital forensics team trying to catch the hacker.
3.4. How was the attack done?
This web defacement was done through an SQL Injection attack. As explained before, this type of attack takes advantage of improper coding in web applications, which allows a hacker to inject SQL commands, usually through a login or submitted form, and so gain access to the data held in the database. In other words, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly. In this case, the hacker could use the input form available in the contact section on the main page of the website. If we access this website, we can see that there are input fields such as name, phone, email and other text fields that a guest fills in and then submits to the system. This is how the hacker could use SQL Injection: as long as a guest or user can fill in the form and submit it, the vulnerability of the database can be exploited. This happens because the process of submitting the form communicates directly with the database query in order to insert the new data that was entered in the form. Therefore, through SQL Injection, the hacker may enter specially crafted SQL commands with the intent of bypassing the form and seeing all the information behind it.
Usually, firewalls and similar intrusion detection mechanisms provide little or no defense against full-scale SQL Injection web attacks. Since this website needs to be public, the security mechanisms must allow public web traffic to communicate with the web application (generally over port 80/443). The web application in turn has open access to the database in order to return or update the requested information. Therefore, using the SQL Injection technique, the hacker uses SQL queries and creativity to reach the database through the web application.
Therefore, for websites attacked through SQL Injection, the first recommended solution for preventing the attack is to build a defense in the application itself, meaning at the level of the SQL database. There are quite a few approaches to preventing this attack, and one of them is input filtering before data reaches the SQL database. The administrators of the web system can employ a filter that prevents characters like single or double quotes, backslashes, colons and so on from being passed from the web form to the SQL server. Besides that, by only allowing numeric values that are integers to be passed to the SQL server, for example by using the ISNumeric command to validate the input, the administrator can also protect the system from SQL Injection attacks.
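As an added example (not code from the paper or from the Lynas site), the contact-form scenario above is modelled in Python with an in-memory SQLite table: one insert splices the submitted fields straight into the SQL text, the other applies the character filter and numeric check recommended here and then uses a parameterized statement, which is the standard fix and is not mentioned in the paper. The table, field names and sample submissions are constructed for the example.

```python
import re
import sqlite3

# Constructed sample form submissions (not from the paper): an ordinary one and
# one whose name field carries SQL that closes the string literal early.
NORMAL = {"name": "Ali", "phone": "0123456789", "email": "ali@example.test"}
CRAFTED = {"name": "x', '0', 'a@a'), ('extra', '1', 'b@b') -- ",
           "phone": "0123456789", "email": "c@c"}

FORBIDDEN = set("'\"\\;:")  # characters the paper suggests filtering out
PHONE_RE = re.compile(r"[0-9]{6,15}")


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (name TEXT, phone TEXT, email TEXT)")
    return db


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]


def insert_vulnerable(db, form):
    # VULNERABLE: submitted text is spliced into the SQL string, so a quote in
    # `name` ends the literal and the rest of the field is parsed as SQL.
    sql = ("INSERT INTO contacts VALUES ('%s', '%s', '%s')"
           % (form["name"], form["phone"], form["email"]))
    db.execute(sql)
    return row_count(db)


def insert_hardened(db, form):
    # Validation as the paper recommends: reject quote-like characters in the
    # text fields and accept only digits for the phone number.
    for field in ("name", "email"):
        if FORBIDDEN & set(form[field]):
            raise ValueError("%s contains a forbidden character" % field)
    if not PHONE_RE.fullmatch(form["phone"]):
        raise ValueError("phone must be digits only")
    # Parameterized statement (standard fix, not in the paper): the driver sends
    # the values separately from the SQL text, so they cannot alter the query.
    db.execute("INSERT INTO contacts VALUES (?, ?, ?)",
               (form["name"], form["phone"], form["email"]))
    return row_count(db)


if __name__ == "__main__":
    print(insert_vulnerable(new_db(), CRAFTED))  # 2: one submission wrote two rows
    print(insert_hardened(new_db(), NORMAL))     # 1
```

The character filter also rejects legitimate input such as the name O'Brien, and it is the parameterized statement, not the filter, that actually stops the injection, so the filter is best treated as defence in depth.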
Secondly, the administrator of the system can prevent the system from being hacked through SQL Injection by building a defense in the network. In certain situations the application cannot be updated to handle user-supplied data in a secure manner. In this case, the administrator or developer can add security around the existing application with network security technologies such as Intrusion Prevention Systems and Web Application Firewalls. Using an Intrusion Prevention System (IPS), it may be possible to detect and prevent SQL Injection attacks, but to be effective the IPS must have visibility into the application's traffic.
Therefore, the Cisco Intrusion Prevention System is recommended for the administrator, because it currently has a number of signatures that may indicate the presence of an SQL Injection attack.
A Web Application Firewall (WAF) is another option that the administrator of the web system can choose to enhance its security and protect it from SQL Injection attacks. A Web Application Firewall is a network device that filters traffic destined for a web application at layer seven of the OSI model. It has the ability to detect and filter many types of malicious application traffic, including SQL Injection attacks. What is good about this device is that it can also terminate the encrypted HTTPS session, allowing application-level inspection of HTTPS traffic.
Lastly, in addition to the approaches above for preventing the web system from being hacked or attacked, the administrators and developers of the web system should themselves learn more about how to secure it and keep building their knowledge in the security field, so that they can quickly find the fault in their system if it has been hacked and, importantly, respond immediately to stop the problem and get back on their feet as usual.
5. Conclusion
In conclusion, this paper has described and explained the SQL Injection attack, the technique most commonly used by hackers to gain access to a website as the first step in launching an intrusion attack against a web system. One such intrusion attack, web defacement, has been studied and discussed in depth through the real case of the Lynas Corporation official website, which was attacked in February 2012. The problems that arise when this intrusion occurs have also been stated in this paper, and finally suitable solutions have been presented that the administrators or developers of a web system can use to protect their web systems from being attacked through the SQL Injection technique.