By Ed Skoudis
Sherwood Forest Bank
was a medium-sized, regional financial institution. The bank recently deployed a new Internet-accessible web application. Using this application, Sherwood Forest's customers could access their account
balances, transfer money between accounts, pay bills, and conduct other on-line financial business through a web browser.
The Sheriff of Nottinghack was in charge of information security at Sherwood Forest Bank.
After one month in production, the Internet banking application was the object of several customer complaints. Mysteriously, the account balances of many of Sherwood Forest's wealthiest customers had been
changed! However, money hadn't been removed from the bank. Instead, money was transferred between accounts. An attacker had taken money away from high-balance accounts, and moved dollars to the
accounts of some of the less-well-off bank customers. Someone was hacking from the rich and giving to the poor!
Given this attack profile, the Sheriff assumed it was his old nemesis, Robin Hack, up to his
tricks. To understand how Robin and his band of Merry Hackers had accomplished this attack, the Sheriff reviewed the web application's logs. Although the team that designed the web application lacked a great
deal of security knowledge, they were at least bright enough to include reasonable application-level logging. The following is an excerpt from the Sherwood Forest's on-line banking web application logs:
Attempted login of unknown user: zzzx
Attempted login of unknown user: zzzy
Attempted login of unknown user: zzzz
Attempted login of unknown user: bar";
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table test--
Login of user buy, sessionID= 0x75627579626F6F6B
Login of user counter, sessionID= 0x75627579539E13BE
Login of user hack, sessionID= 0x7562757944CCB811
Login of user surf1, sessionID= 0x7562757935FB5C64
Logout of user surf1
Login of user rich_guy, sessionID= 0x75627579272A00B7
Transfer Funds user rich_guy
Pay Bill user rich_guy
Logout of user rich_guy
1) What types of attacks had Robin Hack attempted, and which one most likely succeeded?
2) What kind of tools would Robin use to conduct such an attack?
3) How should the web application have been developed to prevent this type of attack?
4) What should the Sheriff of Nottinghack do next?