A substantial security oversight is present in a variety of penetration testing tools, and it has to do with the different languages a computer system can be configured to use, according to Trustwave researchers Luiz Eduardo & Joaquim Espinhara, who presented the finding at HITB Malaysia 2013 (Lost In Translation: Presentation Slides).
Eduardo & Espinhara found that the majority of pentest tools detect specific problems in web applications – e.g. SQL injection – by matching the error messages returned by the application, rather than the error code reported by the database management system (DBMS).
Their research showed that if the target SQL server is not configured to use English by default, the tools fail to find some obvious security problems, because the localised message text no longer matches the English strings the tools look for.
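The following is an added illustration of the point (it is not code from the Trustwave talk): two detectors run over constructed error bodies, one matching the English sentence and one matching the DBMS error number and SQLSTATE, plus a small audit helper a tool maintainer can use to check which locales a detector misses. It assumes the application echoes the errno and SQLSTATE along with the message; the Portuguese wording is constructed, not a verbatim MySQL string.

```python
import re

# Constructed sample error bodies: the same MySQL parse error (errno 1064,
# SQLSTATE 42000) as a leaky application might echo it with the server
# configured for two different message locales. Only the text is translated;
# the number and SQLSTATE stay the same. The Portuguese sentence is a
# constructed illustration, not MySQL's actual translation.
SAMPLES = {
    "en": "Error 1064 (42000): You have an error in your SQL syntax; check the manual",
    "pt": "Erro 1064 (42000): Você tem um erro de sintaxe no seu SQL; consulte o manual",
}

# errno/SQLSTATE pair MySQL assigns to a parse error regardless of locale.
MYSQL_PARSE_ERROR = (1064, "42000")
ERRNO_RE = re.compile(r"\b(\d{4})\s*\((\d[0-9A-Z]{4})\)")


def detect_by_message(body: str) -> bool:
    """The pattern the talk criticises: match one English sentence only."""
    return "You have an error in your SQL syntax" in body


def detect_by_code(body: str) -> bool:
    """Locale-independent: key on the errno/SQLSTATE instead of the wording."""
    m = ERRNO_RE.search(body)
    return bool(m) and (int(m.group(1)), m.group(2)) == MYSQL_PARSE_ERROR


def audit(detector, samples=SAMPLES):
    """Return the locales whose sample the given detector fails to flag."""
    return sorted(loc for loc, body in samples.items() if not detector(body))


if __name__ == "__main__":
    print("message-based misses:", audit(detect_by_message))  # ['pt']
    print("code-based misses:", audit(detect_by_code))        # []
```

Running the audit against samples in every locale a target might use is the check that would have caught this class of blind spot before release.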
There are a number of potential consequences of this issue.
From an attacker's perspective, this could serve as a post-exploitation trick: after compromising the host, the attacker could change the database language and so shield his new “possession” from other attackers' scanners.
A shady database administrator expecting an external audit could use the same issue to make his system look deceptively secure. This is security through obscurity at its best.
This is a fine example of how a lack of security deliberation in coding practices can itself lead to security risks.
Shared by Emil Tan, Skipper & Co-Founder, Div0.