Saturday September 6, 2008 11:34 AM AEST

SC Magazine Australia/NZ > News > Vulnerabilities & Exploits > Application Flaws > Sloppy developers blamed for SQL attacks

Vulnerability Alerts

SANS

Microsoft

MS08-022 – Critical: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338) - Version:2.1
Microsoft Security Advisory (951306): Vulnerability in Windows Could Allow Elevation of Privilege

CERT/CC

Latest Comments

"I urge every business person and IT person, management or staff, to get hold of a copy of "I.T. ..."

on Bank of New York loses 12.5 million customer details

by John Franks | Sep 6, 2008 1:20 AM

"iam intrested in porn movies workes in actors from 36/m india pleas help me thanks."

on Popular porn site hacked by prudes

by vinod agarwal | Sep 5, 2008 8:26 PM

"test for intresting"

on Forensic Tool Kit v 1.70

by cocoboy | Sep 5, 2008 5:39 PM

"It's great that Google have recognised that security needs to be an important consideration with ..."

on Layered security in Google Chrome browser

by Lloyd Borrett | Sep 5, 2008 11:53 AM

""Google arrived on the browser scene with the launch of Chrome"... Seems a bit misplaced to ..."

on Google Chrome flaws discovered

by Jeme | Sep 5, 2008 12:33 AM

Application Flaws

Sloppy developers blamed for SQL attacks

By Robert Jaques
May 2, 2008 9:51 AM
Tags: "SQL | attacks" | "sloppy | developers" |

Jacob West, manager of Fortify's Security Research Group, said: "SQL injection is a straightforward problem to identify and avoid when compared with other code-level vulnerabilities.

"But these attacks demonstrate that some organisations building web applications are still woefully behind the bad guys."

West believes that the solution to this and similar problems is a software development lifecycle designed to build in security from the ground up.

"Security is a critical attribute during the design, building, testing and deployment phases," he said.

"Software developed without a full-lifecycle approach, and the right tools to support each phase, is destined to suffer security compromises."

The tool behind the attack harnesses Google to search for sites that include a file type and parameter that appear to be susceptible to SQL injection.

The script then uses this list of targets to mount a persistent cross-site scripting attack that embeds malicious JavaScript/HTML in the vulnerable application and infects all visitors to the site.

"Although this wave of attacks targets an application vulnerability that is the result of poor programming, it is indicative of the larger problem," said West.

"The software engineering and security fields need to provide developers with APIs that make it easier to get security right, and better tools and processes to ensure that the software they build with these APIs is secure."

Ads by Google

Thoughts on this article? Add a comment below.

Be the first to comment on this article.

Name:

Email:

(will not be displayed)

Comment:

(HTML not permitted)

Validation

Enter the code you see below:

Most Read
Most Discussed
Latest News

Vulnerabilities & Exploits Whitepapers

Sloppy developers blamed for SQL attacks

Sponsored Links

SC MAGAZINE SITEMAP

CATEGORIES

News

Alerts

Products

Stats

Blogs

Photo Galleries

Whitepapers

Events

Jobs

Downloads

Vulnerabilities & Exploits

Breaches & Exposures

Messaging

Mobile

Access Control

Biometrics & Forensics

Legal

Risk Management

Job Centre

Patch Management