Unexpected Input


When you surf the Internet, you download one of two types of Web pages to your computer: static or dynamic. A static Web page sits on a Web server until a client computer sends a request for it. Once requested , the Web page is then downloaded to the client computer exactly as it was created, where the Web browser then views the page. A static Web page is really nothing more than a brochure or advertisement, and does not allow the true power of the Internet to be expressed . However, a static page is relatively safe from hackers.

In contrast, dynamic Web pages only exist in a partial state before they are requested. Using scripting languages, a Web server actually fills in all the missing parts and creates the Web page before it is sent to the client's computer. This type of dynamic Web page creation allows for database interaction, shopping carts, and customized parts of a Web page, such as colors, names , and formatting layouts.

A search engine Web page, or front end, is a perfect example of dynamic scripting. The basic search engine is nothing more than a small program that queries a database (or more specifically , a table in the database) for any matching information based on the criteria that you have given. For instance, if you want to find out about dogs, you simply type dogs in the text box and hit search.

Most databases are based on the Structured Query Language (SQL). This language is primarily used to manipulate information in a database. Using SQL, you can query, update, add, delete, and perform other actions on data in a few short lines of code.

Here is another common use for database-driven Web sites. Have you ever been required to type in a username or password to access a Web page? Quite often, your entry is compared to a database table, where your user name and password are validated . If there is an account for the entered user name, and the password matches, you will be granted access.

To illustrate , let's take a closer look at the process, as follows :

  1. The user is asked to type in account information.

  2. The user enters the following:

     User=Tom  Pass=tompass 
  3. The entered information is sent to Web server.

  4. An SQL query is created using the entered account information:

     "SELECT * FROM tblUsers WHERE USER='Tom' and PASS='tompass'" 
  5. The database returns the results.

  6. An algorithm is used to determine whether access is permitted.

  7. If results are found, access is enabled, and if no results are found, access is restricted.

  8. The user is either sent into the Web site or sent back to the login page.

This awesome technology can have limitless uses. However, a clever hacker can exploit this technology to access the data without proper authentication. For example, suppose our hacker performed the following steps instead of the previously listed ones.

  1. The hacker is asked to type in account information.

  2. The hacker enters the following:

     User=' or ''  Pass=' or '' 
  3. Entered information is sent to Web server.

  4. A SQL query is created using the entered account information:

     "SELECT * FROM tblUsers WHERE USER='' or '' and PASS=''or '' 
  5. The database returns the results.

  6. An algorithm is used to determine whether access is permitted.

  7. If results are found, access is enabled, and if no results are found, access is restricted.

  8. The hacker gains access because the database returned a list of all users!

As you can see, thanks to the hacker's manipulation of the query on the database, he now has access to the secured Web site.

There are many ways this type of attack can be used. Hackers can delete, insert, update, and view data by tricking the Web server into requesting extra information from a database. Although this does take a solid understanding of the SQL language, many hackers already know it as a result of their work requirements.

Exploiting Web Forms

The previously discussed type of hacking technique can also be used in exploiting Web forms . Quite often, Web-based forms have "hidden" fields that contain information that is sent to a Web server without the client ever seeing it. A recent example is a popular "shopping cart" software program that was found to have hidden fields containing the prices of the items available for purchase online. All a hacker had to do was download the Web page to her computer and edit the hidden Price field to any value she wanted. This new and improved value was then sent to the shopping cart software for processing. If there were no alert humans involved with processing the purchases, the hacker would have no problem cheating an online store out of thousands of dollars.

These are some of the most popular types of malicious exploits on the Internet. Thanks to all the different types of user interfaces and dynamic content on the Internet, hackers are easily finding holes. FTP programs, SQL server programs, remote login programs, scripting languages and even HTML itself all have been found to be vulnerable to unexpected input that results in the disclosure of sensitive information. All it takes is one hacker with a thorough understanding of a software program, or even a script kiddie with a pre-made program that finds the holes, and another host of computer systems can go down in flames.



Maximum Wireless Security
Maximum Wireless Security
ISBN: 0672324881
EAN: 2147483647
Year: 2002
Pages: 171

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net