This session is about Parameter Pollution in Connection Strings Attack. Today, a lot of tools and web applications allow users to configure dynamically a connection against a Database server. This session will demonstrate the high risk in doing this insecurely. This session will show how to steal, in Microsoft Internet Information Services, the user account credential, how to get access to this web applications impersonating the connection and taking advance of the web server credentials and how to connect against internal databases servers in the DMZ without credentials. The impact of these techniques are especially dangerous in hosting companies which allow customers to connect against control panels to configure databases.
Chema Alonso is a Computer Engineer by the Rey Juan Carlos University and System Engineer by the Politecnica University of Madrid. He has been working as security consultant last six years and had been awarded as Microsoft Most Valuable Professional since 2005 to present time. He is a Microsoft frequent speaker in Security Conferences. He writes monthly in several Spanish Technical Magazines. He is currently working on his PhD thesis about Blind Techniques. Recently spoke in BH Europe 2008 about LDAP Injection & Blind LDAP Injection attacks, in DEF CON 16 about Time-Based Blind SQL Injection using heavy Queries, in Toorcon X about RFD (Remote File Downloading) and in DeepSec 2k8 in Austria. Recently has been selected to be presenting in HackCon#4 and HackCon #5 in Norway and in SchmooCon 2k9 in Washington DC, Black Hat Europe 2k9 , DEF CON 17 and Ekoparty and Argentina.
José Palazón "Palako" is globally responsible for mobile security at Yahoo!. With more than 9 years experience in security auditing, consulting and training for the public, private and academic sectors, his areas of expertise include mobile, web security, unix systems security and digital forensics. Frequent international speaker, he has presented, among others, at DEFCON (Las Vegas), Shmoocon (Washington) and FOWA (London), as well as published vulnerabilities in key sites such as securityfocus.com.