Wednesday, April 27, 2011

SQLXSSI - Persistent Malware Base

With the advent of new and sophisticated malware, the modes of infection has become more efficient from previous times. The spreading of web malware takes place through web vulnerabilities which further impacts the browser interface to drop malware. Reflective XSS vulnerabilities are exploited heavily to spread malware. In last year OWASP AppSec USA conference, we presented SQLXSSI technique which has become the preferred choice of attackers to infect databases with malicious iframes and payloads.

This technique is opted to conduct mass SQL injection attacks because infecting database tables result in easy spreading of malicious content across different domains because of content sharing.

It is quite a different from persistent nature of XSS because in SQLXSSI, the attacker wants to update the database table with encoded output and it remains there for long period of time. When an application, runs a specific query in the database, the payload is decoded and renders in the browser. In persistent XSS injections, payloads are passed as direct data which may or may not be stored in the database but it becomes persistent in web pages. Further, no SQL injection vulnerability is exploited.

In SQLXSSI, SQL injections (Direct+Blind) are used explicitly by the attacker to inject payloads in the database in the raw format. It is retrieved back from the database based on the application design and in which tables attacker has injected the payloads.

Predominantly, one vulnerability is used to trigger another which ultimately results in spreading malware. This content can be retrieved by any resources which are using the database of infected website. For example: the below presented figure shows the presence of malicious scripts inside the PDF

This PDF document is actually generated from print.asp page which fetches some content from the database, in this case it is infectious. However, our discussion in this example adheres to the way data is shared among different resources and how infectious can SQLXSSI attacks be.