Friday, May 15, 2009

Scan 3rd party websites for safeness

Since I'm a right-wing wacko who enjoys Druge Report, I noticed this this article that claims the U.S. Attorney's Office in Massachusetts told employees not to log onto the Drudge Report because it contained viruses.

Drudge itself isn't hosting malware intentionally, but malware may get through. One possible reason is that they are using a advertising aggregator that isn't too picky about which adds it serves. Another possible reason is it has an exploitable bug, hackers have broken in, and are now attacking visitors.

A good example of this is the related news aggregator BreitBart.com which right this moment has an obvious SQL injection vulnerability. Pick any article with an "id" field in the URL, add a quote, and you get an SQL error message back. If you edit the following URL as shown to add a quote ' character in the id field, you will get the following SQL error message:
URL:http://www.breitbart.com/article.php?id=D986V0E80
Edit:http://www.breitbart.com/article.php?id=D986'V0E80
Message:
Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'V0E80' ORDER BY issue_date DESC LIMIT 1' at line 3

This means that BreitBart has probably been taken over by hackers, who are either now delivering malware, or are waiting for the next QuickTime/Flash/PDF 0day in order to deliver that.

I feel safe browsing these websites because I browse inside a virtual machine, which has non-root privileges, using NoScript and AdBlock within Firefox. I may be a little extreme, but at MINIMUM, user should browse the Internet without root privileges.

Large organizations might consider scanning websites that are popular among their users to look for obvious vulnerabilities like SQL-injection. Like it or not, popular websites like CNN are part of your infrastructure, and when they get hacked, your users can get hacked.

1 comment:

Unknown said...

I'm a whitehat remote pen tester and to even look at a website sideways, let alone 'scan one' for potential SQL and other grossness, you have to have explicit permission from the vendor, or it is quite against the law. ?

I do enjoy your writing. Tks.