
What is Connection String Parameter Pollution?

Connection string parameter pollution (CSPP) is a problem that can be found in many ethical hacking engagements. It refers to the practice of using more than one connection string for a given target or exploit. A compromised system may have multiple connections open, allowing an attacker access to files and systems across organizations by exploiting vulnerabilities in any of those connected applications. Because PHP-FPM is used as the web server engine on many websites, it has been targeted numerous times by attackers looking for CSPP opportunities.

Connection string information includes everything from the server name and port to the application name and version. It can be easily captured and analyzed by an attacker, who can use this information to compromise the security of the web application or infiltrate the accounts of the users running the application.



 

Connection String Injection:

A connection string injection attack can occur when dynamic string concatenation is used to build connection strings from user input. If the input isn’t validated and malicious text or characters are not escaped, an attacker can potentially access sensitive data or other resources on the server. For example, an attacker could mount an attack by supplying a semicolon and appending another value. The connection string is parsed using a “last one wins” algorithm, so the hostile input is substituted for a legitimate value.
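The behaviour described above, as an added example that is not code from the original article: a simplified "last one wins" parser, the vulnerable concatenation, and a builder that validates input first. The parser, the function names and the sample values (`db01`, `app`, `alice`) are constructed for illustration and do not model any specific database driver.

```python
import re

def parse_last_wins(conn_str):
    """Simplified parser: split on ';', a repeated key overwrites the earlier one."""
    params = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def build_unsafe(user, password):
    # Vulnerable pattern: user input concatenated with no validation or escaping.
    # "db01" and "app" are constructed sample values.
    return f"Data Source=db01;Initial Catalog=app;User ID={user};Password={password}"

# Characters that can end a value or start a new key=value pair, plus control chars.
FORBIDDEN = re.compile(r"[;=\"'\x00-\x1f]")

def build_safe(user, password):
    # Reject delimiter characters before the value ever reaches the string.
    for name, value in (("user", user), ("password", password)):
        if not value or FORBIDDEN.search(value):
            raise ValueError(f"{name} contains characters not allowed in a connection string value")
    return build_unsafe(user, password)

def duplicated_keys(conn_str):
    """Defence-in-depth check: keys that occur more than once in the final string."""
    seen, dupes = set(), []
    for part in conn_str.split(";"):
        if "=" not in part:
            continue
        key = part.split("=", 1)[0].strip().lower()
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes

if __name__ == "__main__":
    polluted = build_unsafe("alice;Initial Catalog=other", "pw")  # constructed input
    print(parse_last_wins(polluted)["initial catalog"])  # value the parser ends up with
    print(duplicated_keys(polluted))                      # keys set more than once
    try:
        build_safe("alice;Initial Catalog=other", "pw")
    except ValueError as exc:
        print("rejected:", exc)
```

Where the data-access library ships a connection string builder (ADO.NET's `SqlConnectionStringBuilder` is one), prefer it over hand-written validation.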

HTTP Parameter Pollution:

HTTP Parameter Pollution (HPP) is a web attack evasion technique that permits an attacker to craft an HTTP request in order to exploit or retrieve confidential information. The technique is based on splitting an attack vector across multiple instances of a parameter with the same name. Since none of the relevant HTTP RFCs defines the semantics of HTTP parameter manipulation, each web application delivery platform may deal with it differently. In particular, some platforms process such requests by joining the values taken from all instances of a parameter name within the request. Attackers use this behavior to bypass pattern-based security mechanisms.



Prevention of Connection String Parameter Pollution:

There are several ways to protect against Connection String Parameter Pollution. 
