IBM DataPower XI50 - More security problems

A colleague forwarded me this link which highlights what appears to be a severe memory limitation with the IBM DataPower XI50. It appears that the device is having trouble applying an XML digital signature to a 100MB XML file.

This brings back the issue of using knowledge of the complexities involved in XML digital signatures to execute a Denial of Service (DoS) attack. Using this information an attacker could search for a DataPower device currently performing XML signatures on much smaller documents and take down the box with a single large document. I guess you might say this post highlights not one, but two problems with IBM DataPower: (a) the fact that it can't handle digital signatures on large XML, and (b) the fact that this results in a potential DoS vulnerability.
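The mitigation a defender wants in front of any XML signature engine is a cheap gate that rejects oversized or absurdly nested documents before the expensive canonicalization and signing work starts. The following is an added example, not code from the post or from IBM DataPower; the byte, depth and element limits are constructed placeholders to be tuned to what the signing device can actually sustain.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed limits for illustration; size to the real capacity of the signing appliance.
MAX_BYTES = 1_000_000     # reject before parsing: an O(1) check on the raw payload
MAX_DEPTH = 64            # cap on element nesting depth
MAX_ELEMENTS = 50_000     # cap on total element count


class PayloadRejected(Exception):
    """Raised when a document fails the structural pre-check."""


def gate_xml_payload(data: bytes, max_bytes: int = MAX_BYTES,
                     max_depth: int = MAX_DEPTH, max_elements: int = MAX_ELEMENTS) -> dict:
    """Streaming pre-check to run before XML-DSig processing.

    Returns {"bytes", "elements", "depth"} for an accepted document and raises
    PayloadRejected as soon as any limit is crossed, so a hostile document is
    never fully loaded or handed to the signature engine.
    """
    if len(data) > max_bytes:
        raise PayloadRejected(f"payload of {len(data)} bytes exceeds limit {max_bytes}")

    depth = max_depth_seen = elements = 0
    try:
        # iterparse streams start/end events instead of building the whole tree first.
        for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > max_depth:
                    raise PayloadRejected(f"nesting depth exceeds {max_depth}")
                if elements > max_elements:
                    raise PayloadRejected(f"element count exceeds {max_elements}")
                max_depth_seen = max(max_depth_seen, depth)
            else:
                depth -= 1
                elem.clear()  # release already-processed subtrees to bound memory use
    except ET.ParseError as exc:
        raise PayloadRejected(f"malformed XML: {exc}") from exc

    return {"bytes": len(data), "elements": elements, "depth": max_depth_seen}


def is_accepted(data: bytes, **limits) -> bool:
    """Boolean wrapper suitable for a request-filter hook."""
    try:
        gate_xml_payload(data, **limits)
        return True
    except PayloadRejected:
        return False
```

Because the gate runs on the raw bytes and a streaming parser, its cost stays proportional to the limits rather than to whatever the sender chooses to upload.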

Posted by Blake Dournaee on 5:46 PM 6 comments

SQL Injection in USA Today

I was recently on a business trip last week and somehow I picked up a copy of "USA Today." This newspaper tends to find me rather than the other way around. Normally I try to avoid it, but am always drawn to it even if it's just to see what the average American is supposed to care about.

I was looking through the business section and I was shocked to see a story on the front page on SQL Injection attacks!

I was surprised for a number of reasons. First off, SQL injection, or the attempt to insert SQL queries to return database information or spoof a login, is a very specific type of attack, but the USA Today story makes it seem like the average user should be "worried" about this type of attack, which is a little funny. It also claims that SQL injection turns your computer into a bot. I think that attacks like cross-site request forgery or cross-site scripting have a much higher impact on the average Joe. XSS and CSRF can affect casual browsing if a user simply browses the wrong section of a website (such as the 'forums') where someone has managed to inject a <script> tag.

Upon careful dissection, this article seems instead to be a sort of advertising placement for IBM:

"For the first five months of 2008 IBM ISS helped large corporations block about 5,000 SQL attacks a day. By mid-June, daily attacks spiked to 25,000;"

This is a bit ironic compared to the news that came out earlier in the year regarding the DoS attack against IBM DataPower or the problems the device has with persistent connections. I sure hope IBM ISS isn't recommending the DataPower device as an application firewall to protect against SQL injection!

As for content threats themselves, this is a very interesting area that I am sure will experience more growth in both the types of threats devised as well as the protection mechanisms. What is needed is a high-performance content processor that can at a minimum scan for different types of attacks within the application payload but also must be extensible as attacks are always changing and evolving.

What worries me the most here are attacks that rely on an application firewall to keep state between HTTP requests. That is, rather than the attack being defined as a single SQL injection or script injection, it may be defined across a set of messages. In other words, the attack can't be detected by looking at a single message, but only by a pattern of messages.

Posted by Blake Dournaee on 8:42 AM 2 comments


About Me

I have been working in the XML/SOA and security space for about 10 years. I currently work at Intel Corporation in their software group. I wrote the first book on XML Security and am a co-author of SOA Demystified from Intel Press. My interests are an eclectic mix of computing, security, business, technology and philosophy.