Bypassing security scanners by changing the system language
Posted on 25 October 2013.
A substantial security oversight is present in a variety of penetration testing tools, and it has to do with the different languages that a computer system can be set up to use, claimed and proved Trustwave researchers at the recently held Hack In The Box conference in Kuala Lumpur.

Luiz Eduardo and Joaquim Espinhara found that the majority of pentesting tools analyze specific problems in web applications - such as SQL injection - via the return messages that are provided by the application, and not by the error code that is reported by the database management system.

So, what would happen if the setup language was not English, but Chinese or Portuguese? As their research showed, if the target SQL server doesn't use English by default, the scanners won't be able to find some obvious security problems.
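
An added example (not from the researchers' talk or from any scanner's code) contrasting the two detection approaches: matching English error strings versus matching a locale-independent error code. The response bodies, their PDO-style `SQLSTATE[...]` prefix and the localized wording are constructed for illustration and are not verbatim DBMS output.

```python
import re

# English-only message signatures: the approach the researchers describe.
ENGLISH_SIGNATURES = (
    "you have an error in your sql syntax",
    "unclosed quotation mark",
    "incorrect syntax near",
)

# Locale-independent marker: a five-character SQLSTATE. Class "42" is
# "syntax error or access rule violation" in the SQL standard.
SQLSTATE_RE = re.compile(r"SQLSTATE\[([0-9A-Z]{5})\]")
ERROR_CLASSES = {"42"}


def detect_by_message(body):
    """Flag a response only if it contains a known English error string."""
    lowered = body.lower()
    return any(sig in lowered for sig in ENGLISH_SIGNATURES)


def detect_by_code(body):
    """Flag a response by the SQLSTATE it leaks, whatever the language."""
    return any(m.group(1)[:2] in ERROR_CLASSES
               for m in SQLSTATE_RE.finditer(body))


# Constructed responses (assumption): the same fault reported under three
# server locales, plus a normal page. Localized text is illustrative only.
SAMPLES = {
    "english": "SQLSTATE[42000]: 1064 You have an error in your SQL syntax at line 1",
    "portuguese": "SQLSTATE[42000]: 1064 Erro de sintaxe no SQL na linha 1",
    "russian": "SQLSTATE[42000]: 1064 Ошибка синтаксиса SQL в строке 1",
    "benign": "<html><body>No products matched your search.</body></html>",
}


def compare(samples):
    """Return {name: (message_hit, code_hit)} for each sample response."""
    return {name: (detect_by_message(body), detect_by_code(body))
            for name, body in samples.items()}


if __name__ == "__main__":
    for name, (by_msg, by_code) in compare(SAMPLES).items():
        print(f"{name:<11} message={by_msg!s:<5} code={by_code}")
```

The code-based check only helps when the application actually returns the code; when it returns nothing but localized text, the signature list itself has to cover each language under test.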

Results from using a commercial scanner on two different web applications running in environments with different languages (English, Portuguese and Russian) demonstrated different discovery rates of critical and non-critical vulnerabilities.

Web application #1:



Web application #2:



There are a number of potential consequences of this issue. From an attacker's perspective, this could be a nice post-exploitation trick. After compromising the host, the attacker could change the database language and thusly protect his new "possession" from other attackers.

A shady database administrator that is expecting an outside audit can use this issue to make his system look deceptively secure. This, as the researchers say, is security through obscurity at its best.

A lively discussion after the talk pointed out the evident simplicity of this issue and the risk it poses, and the shortsightedness of developers that are not taking different languages into consideration while coding procedures to identify security risks.


Author: Berislav Kucan, Help Net Security.




