
Microsoft UK Events Website Hacked

A detailed analysis of how the website was hacked and how it could have been avoided.

Introduction

The partner event registration page of the Microsoft UK events website has been defaced by a hacker who managed to discover and exploit a web application vulnerability in one of the parameters used by the form on the website, which could previously be accessed at:

http://www.microsoft.co.uk/events/net/eventdetail.aspx?eventid=8399 [taken offline]

The hacker, known by the name "rEmOtEr", managed to deface Microsoft's page by taking advantage of an SQL Injection vulnerability in one of the parameters used by the form that was embedded in the URL of the page. This particular parameter was not being filtered, so it allowed the hacker to pass any kind of crafted code directly to the database used by this form.

In addition, the hacker managed to discover table names and columns (data fields) inside the database whose contents were being retrieved and shown on the page. This means that any text, or even code, inserted into such a column was then displayed on the page.

Tasks performed by the hacker to view database passwords

The following is a short reconstruction of some of the steps performed by the hacker to discover and exploit the SQL Injection vulnerability in the registration form, allowing him to view the usernames and passwords stored in the system:

1. The parameters of the form were filled in with unusual characters (such as ' and --) to see how the website reacted. These characters are usually filtered out because they have special meaning in SQL when talking to a database. The parameters checked included:

   - Visible inputs (textboxes, dropdown lists, etc.) in the form (POST method)
   - Hidden inputs from the HTML source code of the page (POST method)
   - Parameters used in the URL (GET method)

2. The URL of the website in this case makes use of two interesting parameters, eventID and v2:

http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1

Manipulating the parameter v2, for example by adding an apostrophe to it, gave the following response from the website:

http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1'

Upon seeing this error, two things can be confirmed:

- Server-side error messages are ENABLED on the web server. These are usually enabled only during development and testing so that any bugs, or in this case vulnerabilities, are discovered before going live. When the website goes live, server-side error messages are usually disabled so that no sensitive information is provided online.
- The parameter v2 is NOT being filtered for malicious characters/code. This means that whatever this parameter contains is passed to the SQL Server being used without any filtering.

This long SQL error revealed a lot of important information about the underlying database, which the hacker used to further extract and change data stored inside this database.

3. The hacker obtained more valuable information directly from the database by experimenting, through trial and error, with the SQL commands passed through this parameter. He was helped further by the error messages being displayed on the page.

The SQL command 1 having 1=1-- was sent in the v2 parameter, where it was appended to the main SQL query sent to the database. This added a condition to the SQL query which is always true (1=1), and in this case it confused the SQL Server because of a GROUP BY clause, producing the following error:

http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1 having 1=1--

The result? More database details were revealed!

The table name MultivenueLists and some column names such as recordID and venueStatus were revealed, from which the hacker understood more about the structure of the database. (Note: in Structured Query Language (SQL) columns are referred to with the notation TABLE.COLUMN, which is why the columns are shown like MultivenueLists.recordID.)

4. Once the hacker knew the names of the tables and columns, he injected some text into a specific column by adding a statement such as 1 update MultivenueLists set venueStartDate='hacked by rEmOtEr';-- to the input of the v2 parameter in the URL:

ster.aspx?eventID=p83968&v2=1 update MultivenueLists set venueStartDate='hacked by rEmOtEr';--

The resulting page does not give an error this time, but the text just inserted into the database is displayed on the page.

5. Using the UNION SELECT statement, the hacker managed to obtain a list of usernames and passwords from the system by guessing the names of two columns (username and password) and one table (users). This was the SQL command used for the v2 parameter to obtain the usernames:

ster.aspx?eventID=p83968&v2=-1 union select 1,2,3,4,username,6,7 from users--

This was the SQL command used for the v2 parameter to obtain the passwords:

ster.aspx?eventID=p83968&v2=-1 union select 1,2,3,4,password,6,7 from users

6. Using a combination of queries with userID, the hacker was able to determine which password belongs to which username.
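The root cause behind steps 1 to 6 is that the v2 value is concatenated into the query text and the raw database error is shown to the visitor. The following is an added example, not code from the original article or from Microsoft's site: a Python model that uses sqlite3 in place of SQL Server, with constructed table contents named after the tables and columns quoted above, showing the vulnerable lookup beside a hardened version that validates the parameter, binds it, and returns only a generic error. The UNION payload from step 5 is replayed against both, with its column count reduced to the model's three columns.

```python
import re
import sqlite3

EVENT_ID = 8399  # event id taken from the article's first URL

def build_demo_db():
    """Constructed in-memory schema using the table/column names the article quotes.
    Row values are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE MultivenueLists(recordID INTEGER, venueStatus INTEGER,
                                     venueStartDate TEXT);
        INSERT INTO MultivenueLists VALUES (8399, 1, '2007-06-01');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-secret');
    """)
    return conn

def lookup_vulnerable(conn, v2):
    """The pattern the article describes: the raw v2 string is pasted into the SQL
    text, so quotes, comments and UNION inside it reach the database unchanged."""
    sql = ("SELECT recordID, venueStatus, venueStartDate FROM MultivenueLists "
           f"WHERE recordID = {EVENT_ID} AND venueStatus = {v2}")
    return conn.execute(sql).fetchall()

def lookup_safe(conn, v2):
    """Hardened form: reject anything that is not a plain ASCII integer, then bind
    the value as a query parameter so the driver never treats it as SQL."""
    if not re.fullmatch(r"[0-9]+", v2):
        raise ValueError("v2 must be a non-negative integer")
    sql = ("SELECT recordID, venueStatus, venueStartDate FROM MultivenueLists "
           "WHERE recordID = ? AND venueStatus = ?")
    return conn.execute(sql, (EVENT_ID, int(v2))).fetchall()

def handle_request(conn, v2):
    """Page handler: the detailed error stays in the server log; the client only
    ever sees a generic message, closing the leak the article's step 2 relied on."""
    try:
        return {"ok": True, "rows": lookup_safe(conn, v2)}
    except (ValueError, sqlite3.Error) as exc:
        print(f"[server log] rejected v2={v2!r}: {exc}")  # never sent to the client
        return {"ok": False, "error": "Invalid request"}

if __name__ == "__main__":
    db = build_demo_db()
    payload = "-1 union select username, password, 3 from users--"
    print("vulnerable:", lookup_vulnerable(db, payload))  # leaks the users table
    print("hardened:  ", handle_request(db, payload))     # generic error only
    print("normal:    ", handle_request(db, "1"))
```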

Tasks performed by the hacker to deface the page

The following is a short reconstruction of some of the steps performed by the hacker to discover and exploit the SQL Injection in the registration form:

Once the hacker knew enough about how to inject his own code into the website's database, he prepared a simple HTML page on a third-party remote host to be used for the attack. Using commands similar to those used to display his own text on the page, the hacker inserted the following URL of the HTML page hosted at the third-party remote host:

<link xhref=http://h.1asphost.com/remoter/css.css type=text/css rel=stylesheet>

The form page on the Microsoft site is built in such a way that it loads specific text from the database when a user browses to the page (typical of CMS systems). Since this text had been replaced by the xhref link above, the page loaded its content from the external host, which took over the entire look of the page.

This is what the web page looked like as a result of this defacement:

What led to this defacement?

Two things combined to let this defacement happen, apart from a hacker willing to take a shot at a form hosted on a Microsoft website.

SQL Injection: one of the parameters in the URL was being sent directly to the database without being properly filtered first. This gave the hacker a channel to talk directly to the database with exactly the same rights as the connection between the web server and the database server.

Error messages: from the SQL error messages enabled on the website, the hacker could get an idea of how the database was structured. This helped him refine an SQL command so that the database processed the instructions to insert the defacement code into the database and deface the site.

How could it have been prevented?

The best way to prevent being hacked is to regularly check your website for vulnerabilities that can be exploited by hackers. In doing so, this SQL injection vulnerability could have been detected and fixed before the page went live.

How to keep your website secure

The larger the website, the more complex it is to regularly check for vulnerabilities on each page. The hacked page on the Microsoft site was just a small part of a much larger website and was overlooked, a common result of manual security auditing.

This complexity can be overcome with the use of an automated web application scanner such as Acunetix Web Vulnerability Scanner. Using such a powerful, yet easy to operate, tool, you are able to scan every parameter on each and every form on your website for hundreds of vulnerabilities in a fully automated way. This would of course cut the complexity and time required to perform a security audit on your website.

The use of an automated web application scanner also means that whoever performs the audit does not require any technical knowledge about web vulnerabilities, and instead only needs to run the application to scan the website and produce a vulnerability report.

About Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL injection, cross-site scripting and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. Acunetix also crawls and analyzes websites including Flash content, SOAP and AJAX. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist.

Scanning for XSS vulnerabilities with Acunetix WVS Free Edition

To check whether your website has cross-site scripting vulnerabilities, download the Free Edition from http://www.acunetix.com/cross-site-scripting/scanner.htm. This version will scan any website / web application for XSS vulnerabilities and it will also reveal all the essential information related to them, such as the vulnerability location and remediation techniques. Scanning for XSS is normally a quick exercise (depending on the size of the website).


