
SQL Injection Through Cookies

      Throughout my career as a developer I have seen many developers who are not aware of the possibility of SQL injection through cookies. A cookie is in fact user input, and like any input it must be validated. Just because normal users don't see cookies doesn't mean attackers won't tamper with them, so developers must always validate cookies the same way they validate any other type of input. In this article I will demonstrate how an attacker can carry out a SQL injection attack through cookies. Say we have a web application admin page that hashes the admin password and stores the hash in a cookie, so that the next time the admin opens the administration panel the application will recognize him/her as admin; the password is hashed so that it is not stored in plain text in the cookie, which would be a bad security practice. So let's say we have the following code:

  protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.Cookies.Get("password_hash") != null)
        {
            //check if the password hash is authentic
            //(the cookie's value is concatenated straight into the SQL text;
            //this is the flaw the article demonstrates)
            string sql = "select count(id) from admins where password_hash = '" + Request.Cookies.Get("password_hash").Value + "'";
            //the rest of database access code and admin
            //authentication goes here
        }
        else Response.Redirect("login.aspx");
    }

Now the code looks pretty sweet and simple: if there is no cookie the admin is redirected to the login page; otherwise we check whether the password hash exists in the database. If it does, we log the admin in; if not, the cookie has expired and we redirect the admin to the login page. The cookie holds a hash, so if an attacker manages to get it, at least it won't be in plain text, and since it is a hash (i.e. a one-way function) the attacker will have a hard time cracking it; by the time the attacker gets the hash it will have expired anyway. And of course there will be a security policy that forces our admin to change the password every 10 days. So now our security plan sounds pretty hard to break.

Our admin cookie should look like this

GET /admin/admins.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.590; .NET CLR 3.5.20706)
Proxy-Connection: Keep-Alive
Host: www.host.com
Pragma: no-cache
Cookie: password_hash=d41d8cd98f00b204e9800998ecf8427e

But what if an attacker tampered with the cookie and sent us a GET request that looks like this?

GET /admin/admins.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.590; .NET CLR 3.5.20706)
Proxy-Connection: Keep-Alive
Host: www.host.com
Pragma: no-cache
Cookie: password_hash= SorryIDontHaveYourHash ' or 1=1 --

Pay some attention to the cookie line:

Cookie: password_hash=SorryIDontHaveYourHash' or 1=1 --

Notice what it has at its end? Now let's imagine how our SQL query will look if the attacker does this:

select count(id) from admins where password_hash = 'SorryIDontHaveYourHash' or 1=1 --'

This SQL query will return records every time it executes, so our application will think that the cookie has a valid password hash although it doesn't, and will log the attacker in as the admin. I hope you now understand the dangers that come from not validating your cookies the same way you validate user input. Thanks for reading; I would really appreciate your feedback.
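As an added example (not the article's own code), here is the same cookie check modelled in Python against an in-memory SQLite table: the article's concatenated query sits beside a hardened version that validates the cookie as a 32-character hex digest and binds it as a query parameter. The admins table, its single row and the md5 hash are constructed here; the stored hash is the one from the article's cookie (the MD5 of the empty string).

```python
import hashlib
import re
import sqlite3


def make_db():
    # Constructed fixture: one admin whose stored hash equals the article's
    # example cookie value d41d8cd98f00b204e9800998ecf8427e (MD5 of "").
    db = sqlite3.connect(":memory:")
    db.execute("create table admins (id integer primary key, password_hash text)")
    db.execute("insert into admins (password_hash) values (?)",
               (hashlib.md5(b"").hexdigest(),))
    return db


def count_vulnerable(db, cookie_value):
    # Mirrors the article's Page_Load: the raw cookie is spliced into the SQL
    # text, so a quote in the cookie becomes SQL syntax.
    sql = "select count(id) from admins where password_hash = '" + cookie_value + "'"
    return db.execute(sql).fetchone()[0]


HEX_DIGEST = re.compile(r"[0-9a-f]{32}")


def count_hardened(db, cookie_value):
    # Treat the cookie like any other input: reject anything that is not a
    # 32-char lowercase hex digest, then bind it as a parameter so the driver
    # sends it as data and it can never be parsed as SQL.
    if not HEX_DIGEST.fullmatch(cookie_value):
        return 0
    sql = "select count(id) from admins where password_hash = ?"
    return db.execute(sql, (cookie_value,)).fetchone()[0]


def is_admin(db, cookie_value, hardened=True):
    check = count_hardened if hardened else count_vulnerable
    return check(db, cookie_value) > 0


if __name__ == "__main__":
    db = make_db()
    genuine = "d41d8cd98f00b204e9800998ecf8427e"
    tampered = "SorryIDontHaveYourHash' or 1=1 --"   # the article's cookie
    print("vulnerable:", is_admin(db, genuine, False), is_admin(db, tampered, False))
    print("hardened:  ", is_admin(db, genuine), is_admin(db, tampered))
```

The vulnerable path reports the tampered cookie as a valid admin (the `--` comments out the trailing quote and `or 1=1` matches every row); the hardened path rejects it before the query is even built.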

Published Sunday, December 30, 2007 8:31 PM by Fady


Comments

# SQL Injection through cookies

You've been kicked (a good thing) - Trackback from DotNetKicks.com
Sunday, December 30, 2007 8:39 PM by DotNetKicks.com

# re: SQL Injection through cookies

Do people still use sql without parameters ? :)
Sunday, December 30, 2007 9:21 PM by sirrocco

# re: SQL Injection through cookies

i meet lots of them :)
Sunday, December 30, 2007 10:34 PM by Fady

# re: SQL Injection Through Cookies

Hi Fady

First it's a very cool trick, your idea about validating any input is correct, it is very correct and all people should deal with it the same way, but as you know the software industry is getting larger and larger, and as long as newcomers to this field don't know anything about the threats that threaten their work, they will keep doing it like that; also these people after a while get promoted and become a Senior and team lead, and they still know nothing about what you are talking about. Everyone has a client and tries to keep it, this is what happens; if the customer had the power to do a full check up on your work, they wouldn't ask you to do the work, so mostly this kind of "vulnerabilities" will keep going and it will never end, also like Buffer Overflow, it is critical, but all people fall for these stupid things. All we can do is stick to the best practices (people invest lots of time to do it) and try to make use of every new security alert, there are TONS of indirect threats,

sorry for the long comment :D, I am writing it in a sleepy mood
Monday, December 31, 2007 8:42 PM by Ahmed Essam

# re: SQL Injection Through Cookies

@Ahmed
thanks man, you are right
yes, sadly the software industry, from some people's perspective, is about selling more than making good software
i've seen developers who care about field alignment more than application security, simply because the user can see the fields but can't understand security, sounds ironic?
it's always a trade-off between usability, security and cost
most software houses choose usability and cost, and that's why they value the developers who make pages with aligned fields and nice colors more than the developers who write secure code; simply, the 1st type deliver in a shorter time with less cost and the customer won't understand the difference till somebody hacks their application
Tuesday, January 01, 2008 12:32 AM by Fady

# re: SQL Injection Through Cookies

Nice post... Reminds me about the Saudi guy who hacked Microsoft website through SQL injection by inserting wrong values in the address link.

http://news.softpedia.com/news/Microsoft-Got-Hacked-58708.shtml

If Microsoft got hacked like this, then sure thing, imagine how cookies will do the injection :D !

Tuesday, January 01, 2008 8:58 PM by Ehab El-agizy

# re: SQL Injection Through Cookies

Very nice trick. Never saw someone talk about SQL injection in cookie parameters before! This opens a new scope for validation. Nice hint!
Wednesday, January 02, 2008 11:09 AM by Mohammed Nour El-Din

# re: SQL Injection Through Cookies

@Ehab, Mohammed
thanks guys, the idea was there a long time ago, i just put some spotlight on it
Wednesday, January 02, 2008 4:20 PM by Fady
