Well, it seems that SQL Injection attacks are still going strong, this late in the development of websites. Hello, 1995 called and it wants its security threats back.
That strikes me as very odd, because it is so easy to safeguard against, simply by using parameterized queries (or stored procedures).
Apparently a worm called winzipices.cn is crawling around the web these days, which "exploits" ASP/ASP.NET pages by performing injection attacks on them. Now, this might just be "old", unpatched, non-updated web sites from days of yore; however, not long ago I came across a website displaying sports results, with a query string that looked dangerously like it was vulnerable to SQL Injection (and no, I'll not provide the link).
So – being a programmer, I gave it a little try and, behold, I managed within a few seconds to get actual SQL out on the page as an error list. Of course it was a very harmless thing I did, and it gave an SQL error, displaying "incorrect syntax near" and a large fragment of SQL, enabling one to start deducing their code.
Naturally – I am not intent on doing harm to anybody, so I ceased my testing and mailed the webmaster of the webpage. Needless to say, I've now, weeks later, heard nothing in return. Maybe I should revisit their site and check.
In my view – the least they could do would be to reply when I was just trying to do them a favor. At least to tell me they are not vulnerable to that attack type, or something. Of course, if they were vulnerable, I'm sure they'd not tell a complete stranger, thus opening themselves up to a concentrated attack, so ... I wonder ;)
So – when/if you are making a webpage, or just using some pre-fabricated system, make sure that something as simple as an SQL Injection attack isn't possible. It is one of the easiest attack forms to guard against, and it can cause a great deal of havoc if done against an important business database, or perhaps an e-commerce site. Imagine all your prices dropping to 1 instead of the thousand they might cost. Imagine your entire sales records vanishing.
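To make the point about parameterized queries concrete, here is an added example (my own, not code from the post or from the sports-results site it describes). It builds a small, constructed "results" table in SQLite and runs the same query two ways: once by splicing the visitor's value straight into the SQL string, which is the pattern that leaks "incorrect syntax near" errors the moment a quote appears, and once as a parameterized query, where the same inputs are just compared as data. The table, team names and scores are invented for the demonstration; Python's sqlite3 module is used only because it runs stand-alone, the same distinction applies to ADO.NET's SqlCommand with parameters on an ASP.NET page.

```python
import sqlite3

# Constructed sample data: a tiny "sports results" table standing in for the
# kind of site mentioned in the post. Not real data.
SAMPLE_ROWS = [("Lions", 3), ("Tigers", 1), ("Bears", 2)]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE results (id INTEGER PRIMARY KEY, team TEXT, score INTEGER)"
    )
    conn.executemany("INSERT INTO results (team, score) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, team):
    """Vulnerable pattern: the query-string value is spliced straight into SQL.

    Whatever the visitor typed becomes part of the statement, so a quote in the
    input changes the statement's structure instead of being matched as data.
    """
    sql = "SELECT team, score FROM results WHERE team = '" + team + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, team):
    """Hardened pattern: a parameterized query.

    The SQL text is fixed; the driver sends the value separately, so quotes in
    the input are compared as characters and can never alter the statement.
    """
    sql = "SELECT team, score FROM results WHERE team = ?"
    return conn.execute(sql, (team,)).fetchall()


def unsafe_error_message(conn, team):
    """Return the database error text the unsafe lookup raises, or None.

    This is the "incorrect syntax near ..." situation from the post: an error
    page that echoes this text hands the visitor a fragment of the real SQL.
    """
    try:
        lookup_unsafe(conn, team)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    conn = make_db()
    print("normal lookup:      ", lookup_unsafe(conn, "Lions"))
    # A tautology in the input turns a one-row lookup into a dump of the table.
    print("unsafe, tautology:  ", lookup_unsafe(conn, "x' OR '1'='1"))
    # A perfectly ordinary name with an apostrophe breaks the statement.
    print("unsafe, O'Brien:    ", unsafe_error_message(conn, "O'Brien"))
    # The parameterized version treats both inputs as literal team names.
    print("safe, tautology:    ", lookup_safe(conn, "x' OR '1'='1"))
    print("safe, O'Brien:      ", lookup_safe(conn, "O'Brien"))
```

Two practitioner notes on the post's advice: a stored procedure only helps if it does not itself assemble dynamic SQL from its arguments, and, whichever pattern you use, the raw database error should be logged server-side rather than rendered to the visitor, since the leaked SQL fragment is what makes the error page described above so useful to an attacker.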