This is old news to some but worth repeating, because I think it needs to be banged into the heads of some security professionals and developers. Last year HackersBlog published an interesting post. This time they had angered the multinational mobile phone operator and internet service provider Orange by publicizing a security vulnerability on their blog: with a simple SQL injection attack, “Unu” was able to dig up the names, email addresses and passwords of over 245,000 members. Orange, of course, has now prepared legal action against HackersBlog.
It seems like every time I hear about a hack, it was done with an SQL injection. SQL injection breached Kaspersky, Trend, Computer Associates and even U.S. Department of Defense servers. I was not surprised to learn that, by some estimates, over 60% of websites are vulnerable to SQL injection.
SQL injection vulnerabilities usually come from poorly designed web applications that build SQL statements by pasting user input straight into the query text. Because the input is not escaped or, better, passed as a bound parameter, a single quote character in it ends the string literal the developer intended, and whatever follows is executed as SQL. That effectively hands an attacker the ability to read, write and delete all data the application's database account can reach in your backend systems.
SQL injection attacks are incredibly easy to both execute and prevent. It’s astonishing that they still remain a frequent problem for webmasters. A simple search engine query will give you dozens of pages with detailed instructions on how to prevent or execute basic SQL injections – it’s even on Wikipedia. There are expensive product packages out there that protect against SQL injection, but they are really only worth it as a second layer against the most “advanced” attacks; the basic fix, parameterized queries instead of string concatenation, costs nothing and is built into every mainstream database library.
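To make the mechanism and the fix concrete, here is an added example that is not part of the original post: a member lookup written the vulnerable way (string concatenation) beside the same lookup written the safe way (a bound parameter), run against a constructed in-memory SQLite table. The table name, columns, sample rows and the `find_member_*` function names are all assumptions made for this illustration, not anything from Orange or HackersBlog.

```python
import sqlite3

# Constructed sample data for the example only; these are not real accounts.
SAMPLE_MEMBERS = [
    ("alice", "alice@example.com", "hunter2"),
    ("bob", "bob@example.com", "letmein"),
    ("carol", "carol@example.com", "s3cret"),
]


def setup_db():
    """Create an in-memory members table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def find_member_vulnerable(conn, email):
    """The bug: user input is pasted into the SQL text, so a quote in the
    input closes the string literal and the remainder runs as SQL."""
    sql = "SELECT name, email, password FROM members WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_member_safe(conn, email):
    """The fix: the query shape is fixed and the input travels as a bound
    parameter, so the database only ever treats it as a value to compare."""
    sql = "SELECT name, email, password FROM members WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# A classic tautology payload. Concatenated into the vulnerable query it yields
#   ... WHERE email = 'x' OR '1'='1'
# which is true for every row, so the whole table comes back.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    conn = setup_db()
    print("legit lookup:", find_member_vulnerable(conn, "alice@example.com"))
    print("vulnerable + payload:", find_member_vulnerable(conn, PAYLOAD))
    print("safe + payload:", find_member_safe(conn, PAYLOAD))
```

Run it and the vulnerable function returns all three rows for the payload, which is exactly the kind of member dump described above, while the parameterized version returns nothing because no member has the literal address `x' OR '1'='1`. The lesson is that escaping quotes by hand is the fragile option; binding parameters removes the problem by never letting input become query text.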
These kinds of attacks seem to be on the rise with the ubiquity of web applications. Cenzic was wise to remind us that 80% of web applications contain security vulnerabilities, many of them most likely SQL injection vulnerabilities.
It’s all pretty inexcusable. Even someone with little or no background in IT security could check for and correct the common vulnerabilities found in web applications that use SQL. If this were done, we would knock out a huge chunk of all security breaches on the web. The issue seems to be not a lack of education but a lack of prioritization by project and senior management, who should allow developers the time to actually fix application security vulnerabilities instead of pushing them to get a release out.