Who wants to be a sex offender

Date April 18, 2008

There have been a few of the “click a link, go to jail” posts recently, but this SQL injection vulnerability in Oklahoma’s sex offenders roster (which I found on several blogs this morning) really takes the cake. Basically, through a link on a page (a GET request no doubt, which makes CSRF so much easier), an attacker can modify the SQL query passed to Oklahoma’s Sexual and Violent Offender Registry web application in order to pull data, including sensitive info like SSNs, home addresses, email addresses, medical activity, etc.

This page has apparently been “vulnerable” since Feb 2005, based on the revision history of the page (if the HTML comments are to be believed - another reason why you scrub them from production sites, and there was some interesting info in there)!

The Dept of Corrections was notified of the issue and then tried to fix it by doing a case-sensitive search/replace!
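Why a case-sensitive search/replace does not close a SQL injection hole, shown as an added example (not the registry's code and not part of the original post). The table, columns, blocked-word list and sample rows are all constructed, and Python's built-in `sqlite3` stands in for whatever database the real application uses.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE offenders (name TEXT, city TEXT, ssn TEXT)")
    db.executemany("INSERT INTO offenders VALUES (?, ?, ?)",
                   [("A. Example", "Tulsa", "000-00-0001"),
                    ("B. Sample", "Norman", "000-00-0002")])
    return db

BLOCKED = ("UNION", "SELECT", "ssn")  # hypothetical blocked-word list

def case_sensitive_scrub(value):
    # The style of "fix" described above: exact-case search/replace.
    for word in BLOCKED:
        value = value.replace(word, "")
    return value

def search_concat(db, city):
    # Vulnerable: the scrubbed input is still spliced into the SQL text.
    sql = ("SELECT name, city FROM offenders WHERE city = '%s'"
           % case_sensitive_scrub(city))
    return db.execute(sql).fetchall()

def search_param(db, city):
    # Hardened: the value is bound as data and never parsed as SQL.
    sql = "SELECT name, city FROM offenders WHERE city = ?"
    return db.execute(sql, (city,)).fetchall()

# Constructed input: the blocked words, written in a different letter case.
CRAFTED = "x' uNiOn sElEcT name, SSN FROM offenders --"

if __name__ == "__main__":
    db = make_db()
    # SQL keywords and column names are case-insensitive, so the scrub
    # changes nothing and the second column comes back holding SSNs.
    print("scrub changed input:", case_sensitive_scrub(CRAFTED) != CRAFTED)
    print("concatenated query :", search_concat(db, CRAFTED))
    # With a bound parameter the same input is just a city that matches nothing.
    print("parameterized query:", search_param(db, CRAFTED))
    print("normal lookup      :", search_param(db, "Tulsa"))
```
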

I really hope that the database connection string / DB user the webapp uses has “read only” permissions, but I very much doubt it.  Much more likely is that they are connecting with an admin login!  So, perhaps via a CSRF link even, someone could be added to the DB!

Sometimes I wonder about my job - how much “shelf time” there is in the webapp security field, where things are heading, how much work is out there for people like myself.  When I initially moved to Foundstone I figured that I might have a good few years before having to move to another field (nothing wrong with that) as everyone would have secure webapps as it’s not exactly rocket science after all (validation being 90% of the problem I believe).  Whenever my “faith” is tested however, stuff like this, and the misguided comments on the session expiration issue from a previous post, always come up - as a discipline we’ve got such a way to go.

This may sound odd, but I would like to put myself out of work!  I want all the websites out there to be secure, all the devs (and management) to know about secure code so as not to make the obvious mistakes, and the technologies/platforms to help developers (as well as the applications themselves) not “shoot themselves in the foot” and do “unsafe” things.  If that were to happen, there would literally be nothing for people like me to do other than the boring “3rd party validation/verification/compliance” testing.  How possible this is I have my doubts, but it’s a worthy goal to shoot for.

Guess there’ll be work for people like me for a long time to come!

One Response to “Who wants to be a sex offender”

  1. Read then write … | Don’t panic! said:

    [...] reading this article on The Daily WTF I found Mike Andrews’ blog post that said it [...]


