The New Page of Injections Book: Memcached Injections

Presented at Black Hat USA 2014, Aug. 7, 2014, 5 p.m. (60 minutes)

Memcached is a distributed memory caching system. It is in great demand in big-data Internet projects because it makes it reasonably easy to speed up web applications by caching data in RAM. Cached data often includes user sessions and other operational information. This talk is based on research into memcached wrappers (client libraries) for popular web application development platforms, such as Go, Ruby, Java, Python, PHP, Lua, and .NET. The primary goal was to find input validation issues in key-value data that could be used to inject arbitrary commands into the memcached protocol. As a result, the speaker found a way to perform something like "SQL injection attacks," but against the memcached service. In practice such an attack leads to effects ranging from authentication bypass to execution of arbitrary interpreter code. It is a real-world problem encountered in security audits and present in several popular web applications.
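As an added example (not code from the talk or from Wallarm), this is the kind of key validation a memcached client wrapper should apply before placing user-controlled data into a text-protocol command line. The key rules it enforces (no whitespace or control characters, at most 250 bytes) come from the memcached text protocol documentation; the function and exception names are my own.

```python
import re

# memcached text-protocol key rules: keys are at most 250 bytes and must not
# contain whitespace or control characters. A key that violates these rules can
# alter the framing of the command line sent to the server, which is the root
# of the injection class discussed in the talk.
MAX_KEY_LEN = 250
# Bytes 0x00-0x20 (control characters and space) and 0x7f (DEL) are forbidden.
_FORBIDDEN = re.compile(rb"[\x00-\x20\x7f]")


class InvalidMemcachedKey(ValueError):
    """Raised when a key is not safe to embed in a memcached command line."""


def validate_memcached_key(key) -> bytes:
    """Return the key as bytes if it is protocol-safe; raise otherwise."""
    if isinstance(key, str):
        key = key.encode("utf-8")
    if not isinstance(key, (bytes, bytearray)):
        raise InvalidMemcachedKey("key must be str or bytes")
    key = bytes(key)
    if not key:
        raise InvalidMemcachedKey("empty key")
    if len(key) > MAX_KEY_LEN:
        raise InvalidMemcachedKey("key longer than %d bytes" % MAX_KEY_LEN)
    if _FORBIDDEN.search(key):
        raise InvalidMemcachedKey("key contains whitespace or control characters")
    return key


def is_safe_key(key) -> bool:
    """Boolean form of validate_memcached_key for use in checks and tests."""
    try:
        validate_memcached_key(key)
        return True
    except InvalidMemcachedKey:
        return False


def build_get_command(key) -> bytes:
    """Build a single-line 'get' command; only a validated key is embedded."""
    return b"get " + validate_memcached_key(key) + b"\r\n"
```

A wrapper that applies this check at its API boundary cannot emit more than one command per call, whatever the application passes in as a key.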

Presenters:

  • Ivan Novikov - Wallarm
    Ivan Novikov is the CEO and Lead Security Expert of the Wallarm Company. He is the author of numerous research papers in the field of web application security and has been engaged in web application security research since 2004. He has received rewards from various bug-hunting programs, such as Google, Facebook, Nokia, and Yandex. He is also actively engaged in the development of a self-learning web application firewall system.
