Recently, Woodmark was asked to assist a company whose website had been modified by a hacker. They were very surprised to find that links pointing to other pages on their sites or to advertisers' pages had been changed to new, less politically correct, ones.
The question at hand was how the hacker was able to accomplish this and where the breach was.
In the end, the site fell prey to the way it was tied into back-end databases. These databases provided customized content when users searched or interacted with the site. More and more, websites are built on top of databases to provide a richer, more customized experience.
In this case, the hacker didn’t gain access to the server, but was able to take advantage of how the website was built to gain access to the data in the database and make changes to that data. Since that data controlled page content, the page links were modified.
The hacker exploited what is known as a SQL injection vulnerability. The following excerpt from an article on the DevX website explains more about this type of vulnerability:
“(The) Vulnerability arises when an application dynamically generates commands and sends them to SQL Server for execution. To exploit this vulnerability the intruder simply appends executable code to a text field that provides input for the query. Under the right conditions, an intruder can experimentally find the right combination of quote delimiters and comment marks to modify the current command or append an unwanted command. The results can range from returning otherwise hidden data to the user to letting the user execute commands that they would normally not be able to do from the form.”
If you would like to read more from this article, you can find it at www.devx.com/codemag/Article/10290
In this case, the hacker (a.k.a. the intruder) used SQL injection through the search functionality to update the links in the database.
The situation was complicated by the fact that the company did not have a recent backup and thus we had to use a log recovery tool to roll back the changes. But that’s a story for another blog entry.
In the end, we were able to help the company, now a client, recover their website and to provide guidance for securing their website and database. Luckily, this breach did not concern confidential data, but you can imagine the public relations nightmare a situation like this could cause if social security numbers or credit card numbers had been compromised.
If you make data available through a website that is tied into a back-end database, you should ensure that you have proper safeguards in place and that your website is not subject to SQL injection attacks.
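One such safeguard is to stop building the search command from user text. The following is an added example, not code from the client's site: it uses Python's built-in sqlite3 module instead of SQL Server, and the links table, the function names and the crafted search term are all hypothetical and constructed for illustration.

```python
import sqlite3

# Constructed search term: a quote delimiter plus a comment mark, as the
# DevX excerpt describes, which changes the meaning of a concatenated query.
CRAFTED_TERM = "x%' OR 1=1 --"

def make_db():
    # Constructed sample data: a table of links that drives page content.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, "
               "title TEXT, url TEXT, published INTEGER)")
    db.executemany(
        "INSERT INTO links (title, url, published) VALUES (?, ?, ?)",
        [("Products", "/products", 1),
         ("Advertiser A", "https://advertiser.example/a", 1),
         ("Draft partner page", "/drafts/partner", 0)])
    return db

def search_vulnerable(db, term):
    # Weak form: the user's text is pasted into the command, so the database
    # parses it as SQL and the published = 1 filter can be bypassed.
    sql = ("SELECT title FROM links WHERE published = 1 "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, term):
    # Hardened form: the SQL text is fixed and the term is bound as data,
    # so quotes and comment marks in it are matched literally.
    sql = "SELECT title FROM links WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

if __name__ == "__main__":
    db = make_db()
    for term in ("Advert", CRAFTED_TERM):
        print(repr(term))
        print("  concatenated :", search_vulnerable(db, term))
        print("  parameterized:", search_parameterized(db, term))
```

With the crafted term, the concatenated query returns the unpublished row as well, while the parameterized query returns nothing because no title contains that literal text.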
The following are some additional links to resources on SQL Injection:
Wikipedia Entry on SQL Injection – http://en.wikipedia.org/wiki/SQL_injection
SQL Injection Walkthrough – http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Microsoft Technet Link – http://technet.microsoft.com/en-us/library/ms161953.aspx