Bypassing security scanners by changing the system language

A substantial security oversight is present in a variety of penetration testing tools, and it has to do with the different languages that a computer system can be set up to use, claimed and proved Trustwave researchers at the recently held Hack In The Box conference in Kuala Lumpur.

Luiz Eduardo and Joaquim Espinhara’s found that the majority of pentesting tools analyze specific problems in web applications – such as SQL injection – via the return messages that are provided by the application, and not by the error code that is reported by the database management system.

So, what would happen if the setup language was not English, but Chinese or Portuguese? As their research showed, if the target SQL server doesn’t use English by default, the scanners won’t be able to find some obvious security problems.

Results from using a commercial scanner on two different web applications running in environments with different languages (English, Portuguese and Russian) demonstrated different discovery rates of critical and non critical vulnerabilities.

Web application #1:

Web application #2:

There are a number of potential consequences of this issue. From an attacker’s perspective, this could be a nice post-exploitation trick. After compromising the host, the attacker could change the database language and thusly protect his new “possession” from other attackers.

A shady database administrator that is expecting an outside audit can use this issue to make his system look deceptively secure. This, as the researchers say, is security through obscurity at its best.

A lively discussion after the talk pointed out the evident simplicity of this issue and the risk it poses, and the shortsightedness of developers that are not taking different languages into consideration while coding procedures to identify security risks.