Thursday, November 29

Now, that's a nice User-Agent

I was looking through my httpd-access.log today for something, and ran across this, (Yes, I have removed the IP):

"[29/Nov/2007:17:18:18 -0500] "GET /uploaded_images/questionmark-785318.jpg HTTP/1.1" 200 6203 "http://www.bloglines.com/myblogs_display?sub=44519724&site=8488306" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Internet Explorer'); DROP TABLE browsers;--"
 
Little injection attempt there?  Trying to drop the ol' browser table in some kind of stats db.  

So who cares.  Well it made me think of something.  If this person can obviously alter his/her User-Agent to do that, what is to make you think that the rest of the Agent string is valid?  How do we know that his person is really using "Internet Explorer"?

At what point does the trust break.  I've often gone with the adage of "don't trust anything", not a single packet.   What if you use p0f to passively fingerprint the OS'es of the machines attempting to access your network, okay, and I go in, compile my own kernel on my Linux box, and set my IP and TCP attributes such that it will appear to be Windows when I communicate with your network?

What can you trust on your own network?  If someone hacks into your web server, is there any merit in seeing what they did once they got on the machine?  You no longer can trust a single thing on the box, and definitely anything coming out of the box!   It has to be rebuilt.

Mod_security did not catch the above attempt btw.  (It will now)

No comments: