Desi Programmer @ Work

SQL Injection Honeypot

One way to prevent hackers from finding vulnerabilities on your website is to keep them busy with fake ones. For instance, a few years ago, when I was graduating from my undergraduate programme, I developed a web-based application to facilitate the data collection and publishing of my batch's yearbook. The application gave users an interface to complete their profiles, write comments about their friends and upload photographs, after logging in of course.

The login procedure was much like any other site's: users authenticated themselves with a username and password, which were matched against the database. However, if there was a single quote in the supplied username or password, the system gave an error message showing a query string that had failed to execute. It was not a SQL injection vulnerability; I'd added the message intentionally to see how people react after finding a potential vulnerability. Of course it only showed the message and didn't give the user any extra access.

Here is a code snippet of the authentication module:

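// SQL Injection 'TEST'
if( strpos($username,"'") !== false || strpos($password,"'") !== false )
{
    // Escape the submitted values so the fake error cannot carry live markup into the page
    $shownUser = htmlspecialchars($_POST['username'], ENT_QUOTES);
    $shownPass = htmlspecialchars($_POST['password'], ENT_QUOTES);
    // Fake driver error: nothing is executed, the "query" is only displayed
    $sqlInjectionError = "
    <p><font size=2>Microsoft ODBC MySQL Drivers Message:</font></p>
    <p><B>Error in the query:</B></p>
    <p>[Microsoft:ODBC 1045] SELECT UlluKaPatha FROM UlluKePathay WHERE
    GadhayKaRollNo = '".$shownUser."' AND GadhayKaPassword =
    '".$shownPass."'</p>";
}
// End SQL Injection 'TEST'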

For example, if someone provided the username admin and the password x' OR '1'='1, they would get the response:

Microsoft ODBC MySQL Drivers Message: Error in the query: [Microsoft:ODBC 1045] SELECT UlluKaPatha FROM UlluKePathay WHERE GadhayKaRollNo = 'admin' AND GadhayKaPassword = 'x' OR '1'='1'

I'd initially included it as humor, but later found out that some of my fellows didn't get the joke and started getting excited about the "vulnerability". They felt challenged and tried all sorts of SQL injection attacks. I started logging those break-in attempts and found some clever techniques being applied that I wasn't aware of before. This simple snippet served as a honeypot: it attracted hackers, gave away important information about what they were trying to do and which techniques they apply once they see some potential, and diverted their attention away from finding some other subtle vulnerabilities which actually existed.
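
The post mentions logging the attempts but does not show how. The following is an added example, not the original yearbook code: one way to record each honeypot hit as a JSON line with coarse technique labels. The function names, pattern list, log path and sample IP address are all hypothetical.

```php
<?php
// Added example, not the original yearbook code. All names here are hypothetical.
// Coarse labels for what the visitor tried after seeing the decoy error.
const HONEYPOT_PATTERNS = [
    'tautology'     => '/\bor\b\s+[\'"]?\w+[\'"]?\s*=\s*[\'"]?\w+/i',
    'union_select'  => '/\bunion\b.+\bselect\b/is',
    'comment'       => '/(--|#|\/\*)/',
    'stacked_query' => '/;\s*\w+/',
];

function classify_payload(string $input): array
{
    $tags = [];
    foreach (HONEYPOT_PATTERNS as $tag => $regex) {
        if (preg_match($regex, $input) === 1) {
            $tags[] = $tag;
        }
    }
    return $tags;
}

// Returns the decoy error HTML when a quote is present, otherwise null.
function honeypot_check(string $username, string $password, string $ip, string $logFile): ?string
{
    if (strpos($username, "'") === false && strpos($password, "'") === false) {
        return null;
    }
    // One JSON object per line; json_encode escapes newlines and control
    // characters, so a payload cannot forge extra log entries.
    $entry = [
        'time'     => gmdate('c'),
        'ip'       => $ip,   // in a real request this would be $_SERVER['REMOTE_ADDR']
        'username' => $username,
        'password' => $password,
        'tags'     => classify_payload($username . ' ' . $password),
    ];
    $json = json_encode($entry, JSON_INVALID_UTF8_SUBSTITUTE);
    file_put_contents($logFile, $json . "\n", FILE_APPEND | LOCK_EX);

    // Escape before echoing so the decoy page does not become a real XSS hole.
    $u = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $p = htmlspecialchars($password, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p><b>Error in the query:</b></p><p>SELECT UlluKaPatha FROM UlluKePathay "
         . "WHERE GadhayKaRollNo = '$u' AND GadhayKaPassword = '$p'</p>";
}

// Constructed sample input, taken from the example in the post.
echo honeypot_check('admin', "x' OR '1'='1", '192.0.2.10', sys_get_temp_dir() . '/honeypot.log'), "\n";
```

A legitimate password can contain a single quote, so this log may capture real credentials; keep it outside the web root and restrict who can read it.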