A substantial security oversight is present in a variety of penetration testing tools, and it has to do with the different languages that a computer system can be set up to use. It was claimed and demonstrated by Trustwave researchers Luiz Eduardo and Joaquim Espinhara in their talk, Lost In Translation (Presentation Slides), at the recent Hack In The Box (HITB) Security Conference.
Eduardo and Espinhara found that the majority of penetration testing tools detect specific problems in web applications, e.g. SQL injection, by inspecting the textual error messages the application returns, rather than the error code reported by the database management system (DBMS).
As their research has shown, if the target SQL server is not configured to use English by default, the scanners fail to find some obvious security problems, because the localized error text no longer matches the English strings the tools look for.
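The following is an added illustration of the weakness described above, written for this page and not taken from the talk or from any of the scanners it criticises. It compares a check that keys on English error text with one that keys on the locale-independent error number and SQLSTATE that MySQL emits regardless of its message language. The sample responses are constructed; the German-looking message is an invented stand-in for a localized error, not MySQL's real translation, and the assumption that the application echoes the DBMS error line including its number is a simplification.

```python
import re

# Constructed sample HTTP response bodies (not captured from any real system).
# The "german_constructed" text is a made-up localized message used only to
# show the effect of a non-English DBMS locale on string-based detection.
SAMPLE_RESPONSES = {
    "english": "ERROR 1064 (42000): You have an error in your SQL syntax; "
               "check the manual that corresponds to your MySQL server version",
    "german_constructed": "ERROR 1064 (42000): Fehler in der SQL-Syntax; "
                          "bitte das Handbuch der MySQL-Version konsultieren",
    "clean": "<html><body><h1>Product 42: Widget</h1></body></html>",
}

# Patterns of the kind a scanner would carry: tied to the English message text.
ENGLISH_ONLY_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.IGNORECASE),
    re.compile(r"Warning: mysql_", re.IGNORECASE),
]

# Locale-independent signal: MySQL's numeric error code and 5-character SQLSTATE
# are unaffected by the server's message language setting (lc_messages).
LOCALE_AGNOSTIC_PATTERN = re.compile(r"ERROR\s+(\d{4})\s+\((\w{5})\)")


def english_only_detect(body: str) -> bool:
    """True if the body contains an English-language SQL error fingerprint."""
    return any(p.search(body) for p in ENGLISH_ONLY_PATTERNS)


def locale_agnostic_detect(body: str):
    """Return (error_number, sqlstate) if a DBMS error line is present, else None."""
    m = LOCALE_AGNOSTIC_PATTERN.search(body)
    if m is None:
        return None
    return m.group(1), m.group(2)


def compare_checks(responses: dict) -> dict:
    """Run both checks over every sample and report which ones flag a DB error."""
    return {
        name: {
            "english_only": english_only_detect(body),
            "locale_agnostic": locale_agnostic_detect(body) is not None,
        }
        for name, body in responses.items()
    }


if __name__ == "__main__":
    for name, result in compare_checks(SAMPLE_RESPONSES).items():
        print(f"{name:18s} english_only={result['english_only']!s:5s} "
              f"locale_agnostic={result['locale_agnostic']}")
```

The English-only check flags the English response but misses the localized one; the code-based check flags both and stays quiet on the clean page. The practical lesson for tool authors is to anchor detection on identifiers the DBMS keeps constant across locales (error numbers, SQLSTATE values) or on a multilingual pattern set, rather than on one language's message text.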
There are a number of potential consequences of this issue. From an attacker's perspective, this could be a useful post-exploitation trick: after compromising the host, the attacker could change the database language and thus shield his new "possession" from other attackers' scanners.
A shady database administrator who is expecting an external audit could use this issue to make his system look deceptively secure. This, as the researchers say, is security through obscurity at its best.
A lively discussion after the talk pointed out the evident simplicity of this issue and the risk it poses, as well as the shortsightedness of developers who do not take different languages into consideration when coding routines that identify security risks.
Source: Bypassing Security Scanners by Changing the System Language