Click to get Security Testing Quote

Plynt Blog

The scares in the life of a security tester

by Roshen Chandran  | 22 Oct 2005 | Comments

I inadvertently changed the passwords of 17,000 users once.

We all have our favorite horror stories testing live applications. Mine was executing a SQL Injection test-case ‘OR 1=1;— on a Change Password page. To my utter dismay, I realized the test case worked and all users had their password reset. Thankfully, the usertable could be restored from backup quickly.

That was two years ago. I’ve since chuckled when I hear similar tales of horror; now I expect little to shock me. So imagine my surprise last week when the same test case wreaked havoc again.

We were testing the beta version of an online trading site. We routinely use the SQL Injection test case ‘OR 1=1;— in the login page to see if login can be bypassed.

The test case worked, we were authenticated and able to log in. So far so good.

Trouble began 10 minutes later when we got a call complaining that no one could log in. Did we know anything about it? Hmmm, no… we had just bypassed the login page. Why should others be affected? 15 mins later, it was clear that no one could log in to the beta application- not even the administrator. We compared notes and decided that it had to be the ‘OR 1=1;— test case.

In the next 30 minutes, we figured out what was happening: To prevent concurrent logins by the same user, the application set a field called isLoggedIn in the user database to true when a user logged in. When the user logged out it would set isLoggedIn to false. Alternately, when a session expired, it would set isLoggedIn to false. By tracking this field, the application ensured a user could not have concurrent sessions.

And our ‘OR 1=1;— upset the scheme!

The ‘OR 1=1;— set isLoggedIn to true for all rows in the user table. The database believed that every user was logged in. And until each person was logged out, he couldn’t log in again!

Recovery took 20 minutes more: a SQL script was written to directly set isLoggedIn to false for all users. That worked and the site was back online.

I shudder to think of the consequences had the site been already launched. An adversary could have denied service to users for several days - the time it takes to get a bug fixed, tested and released to production.


Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We’ll get back to you within one working day.
Add yours.closed for this post.

1. Terence Cornelius | 24 Oct 2005 2:41 PM

I too have a very interesting story about SQL injection - I accidentally crashed the application causing a denial of service for all users.

It happened while testing a banking application. As always I tested SQL injection on the login page. Oh no, nothing happened over here - there was strong input validation on the login page. The fun is just ahead.

I injected the string 'OR 1=1;-- into a Search page of the application: I did not receive any output. The application just froze and stopped working!

Was it me? I did not know as SQL injection does not normally crash a system. So I checked with the administrator if there was anyone else working on the application. No, there wasn't.

It seemed the memory utilization of the server had increased and the memory wasn't being released. So then I decided to do a recheck - was it really the SQL Injection test case that crashed the system or was it something else? I restarted the server and walked through the test case with the administrator. Now as soon as I submitted the test case in the search field there was a quick, exponential increase in processor and memory utilizations. After some time the CPU utilization came to normal but the memory utilization stayed high. The application had captured memory and was not releasing it.

We have not been able to conclusively prove what happened. One guess is that the query was going in a loop, though it's not certain why. If anybody has suggestions, I'd love to hear those.

Thanks,
Terence

2. Mpoed | 22 Nov 2005 10:38 AM

Interesting things, but a bit scary indeed for somebody new in this field! What precautions then can you take to make sure this does not happen? Or there is no way to avoid it and you just have to add applicable clauses on the contract to limit your liability if a client decides to sue for lost productivty?

3. Akshay Gupta | 29 Nov 2005 11:35 AM

Hey Abhishek

This is really scary as one might create trouble instead of securing. Anyways it was very interesting too.
Terence too had a interesting incident.

Akshay
aks.gup@gmail.com

4. Abhishek Kumar | 05 Dec 2005 11:26 AM

A safer approach to testing SQL Injection is to use a time delay SQL Injection test case like the one described here

Thus the test case:

'; waitfor delay 00:00:30

would induce a delay of 30 seconds for the query and the page to return if the app is vulnerable. No other side effects :)

Thanks!
Abhi.

5. assurbanipal | 27 Feb 2006 4:43 PM

Abhishek, your approach is correct, however there are two problems:
a- it might not always be 100% effective; think when you have to insert
'; waitfor delay 00:00:30 --
in order for the injection to work. This means you are cutting out the tail of the original processed statement(s). What happens if this induces some naughty side effects, like those encountered in the nightmarish stories presented before? You may *never* be completely sure not to affect programming logic when you tamper with it (though there are ways, like the one you suggest, which are reasonably safe most of the time)
b- suppose you prove the application is bugged. Now, what do you do? Do you stop? Then your application assessment will be "safe" but won't produce as much insight had it proceeded to fiddle more with the application. There may be a huge difference between pointing out an application, and proving the devastating effects it may have (stating what the theory says is, in my opinion, much less effective - you need to show what an attack exposes)

a.

6. Varun Chaudhry | 17 Mar 2006 4:20 PM

Hi assurbanipal,

I dont't quite agree with what you say. Lets not forget that we are discussing about testing applications running in production environments. The key here is accountability.

a) Assuming the test case is entered with the correct syntax as you have pointed out. All that it does is that if the app is vulnerable, an error page will be returned after the time entered in the test case. Side effects ??? None

b) If as a tester I were to prove that the application is vulnerable to SQL Injection by deleting the database, I am quite sure I won't be testing applications again for quite some time :)

The fact that the application is vulnerable is good enough. I really need not go all the way exploiting it to prove it. As testers we are again time bound.The basic test cases may not run and you may not be able to gain unauthorized access but does that mean that the application is safe ?? NOPE