Connection String Parameter Pollution Attacks
- Type
- Paper
- Tags
- authentication, database, SQL injection, SQL Server
- Authors
- Chema Alonso, Jose Palazon
- Event
- Black Hat DC 2010
- Indexed on
- Mar 25, 2013
- URL
- http://www.blackhat.com/presentations/bh-dc-10/Alonso_Chema/Blackhat-DC-2010-Alonso-Connection-String-Parameter-Pollution-wp.pdf
- File name
- Blackhat-DC-2010-Alonso-Connection-String-Parameter-Pollution-wp.pdf
- File size
- 392.1 KB
- MD5
- 59235bab2c579d004331f68595fcbe43
- SHA1
- 373b90fa265aa776edb19fb6e3341cff81031a64
This session is about Parameter Pollution in Connection Strings Attack. Today, a lot of tools and web applications allow users to configure dynamically a connection against a Database server. This session will demonstrate the high risk in doing this insecurely. This session will show how to steal, in Microsoft Internet Information Services, the user account credential, how to get access to this web applications impersonating the connection and taking advance of the web server credentials and how to connect against internal databases servers in the DMZ without credentials. The impact of these techniques are specially dangerous in hosting companies which allow customers to connect against control panels to configure databases.
About us
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Statistics
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.
Contribute
To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.
