Tuesday

WAFs, PCI and the United Nations SQL injection



Last week, the UN appeared to be among the websites falling victim to the SQL injection attack, and it wasn't their first time. Reason? They never fixed the code; they put a web application firewall in front of it instead:

One of my early Hackademix posts was about SQL injection vulnerabilities exploited to deface the United Nations main web site. In a later update I explained how, rather than fixing their holes properly, the U.N. technicians deployed a pretty useless Web Application Firewall, masking the most obvious attack surface but keeping their sites just as vulnerable as before.
...

The default search pattern of this tool is inurl:".asp" inurl:"a=": in English, “those web pages developed with Microsoft Active Server Pages technology and accepting query string parameters”. Unsurprisingly, this profile matches the original, still unpatched U.N. SQL injection; as I already said reporting the first accident, I believe crackers primarily target ASP sites (even though they are relatively few nowadays) because of the poor coding standards often shown by ASP coders, who usually have a Visual Basic desktop programming background and are less aware of web application security.

At any rate, some simple googling reveals that some U.N. sites are still infected, while UK Government sites have been “cleaned up”.
The sad truth, though, is that even those “clean” sites are still vulnerable, hence they could be reinfected at any time: some people just never learn… (Source: hackademix.net)


So this reminded me of the PCI DSS requirement 6.6 material that was published and sparked some heated discussions about WAFs. I guess a WAF can buy you some time, but it is not a miracle worker. Fix the code!!!
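To make the "fix the code" point concrete, here is an added example that is not code from this post, from hackademix.net or from the U.N. site: a search handler that pastes an `a=` query-string value into its SQL (the pattern the quoted profile describes), beside its parameterized form, with a toy keyword blocklist standing in for a WAF rule. The table, rows, payload string and blocklist are constructed, and Python's sqlite3 stands in for the ASP-and-database pair.

```python
import sqlite3

# Constructed sample rows standing in for a site's content database.
ARTICLES = [("Public statement", 1), ("Statement on O'Neill report", 1),
            ("Draft resolution", 0), ("Internal memo", 0)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", ARTICLES)
    return conn

def search_concat(conn, a):
    """Vulnerable: the a= query-string value is pasted into the SQL text,
    so it can change the statement (the ASP anti-pattern the post describes)."""
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE '%" + a + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_param(conn, a):
    """Fixed: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + a + "%",))]

BLOCKLIST = ("--", " OR ", "UNION")   # constructed stand-in for a WAF signature list

def naive_waf_allows(a):
    """Stand-in for a keyword-blocklist WAF rule: it rejects some requests in
    front of the site but leaves the concatenation bug underneath untouched."""
    return not any(token in a.upper() for token in BLOCKLIST)

def demo():
    conn = make_db()
    payload = "%' OR 1=1 --"   # constructed injection string
    legit = "O'Neill"          # legitimate search term containing a quote
    try:
        concat_legit = search_concat(conn, legit)
    except sqlite3.OperationalError as e:
        concat_legit = type(e).__name__   # the apostrophe breaks the SQL
    return {
        "concat_injected": search_concat(conn, payload),  # unpublished rows leak
        "param_injected": search_param(conn, payload),    # just a pattern: no match
        "waf_blocks_payload": not naive_waf_allows(payload),
        "concat_legit": concat_legit,
        "param_legit": search_param(conn, legit),
    }
```

The blocklist happens to reject this one payload, yet the concatenated handler still fails on an ordinary search containing an apostrophe; the parameterized handler needs no filter to behave correctly on both inputs.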


1 comment:

Mike said...

As I recall, a WAF should have blocked this SQL injection attack. PCI DSS Requirement 6.6 is not required until June 30, 2008.