Mass SQL Madness

Does this sound familiar…? We should all understand SQL Injection. I hope. Maybe. Maybe not.

SQL injection is one of the longest-standing, most widely understood website security flaws. This may be the one WASC Threat Classification that your executive team actually knows by name, without *any* coaching. (They read the Wall Street Journal; they've seen this for years now.)

I am not a FUD guy, but this is scary. (There is a great article on ZDNet by Dancho Danchev.) This serves as a reminder: yet ANOTHER major, generic, multi-website security attack has been seen in the wild. It sets a precedent by overturning some widely adopted beliefs:

  1. "Website vulnerabilities are specific and unique" (this isn't the first occurrence of a generic website vulnerability being exploited across many sites at once)
  2. "SQL Injection is an attack against the server" (yes, the injection itself is, but the attacker here is yet AGAIN using a legitimate-looking site to serve *client-side* exploits to its visitors)
  3. Exploits are now multi-faceted: these attack payloads include exploits for unpatched plugins and client-side software (Adobe's Flash, Acrobat Reader, etc.)
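The mechanism behind point 2 is that a string-concatenated query lets attacker-controlled input change the statement, and the resulting writes leave script tags inside stored page content that the site then serves to every visitor. The following is an added example, not code from the post or from any of the linked articles: it shows the vulnerable query beside its parameterized form, and a defender's scan over text columns for injected external script tags. The `news` table, its rows and the `evil.invalid` URL are constructed sample data, not real indicators.

```python
import re
import sqlite3

# Constructed sample: one row's body carries an injected external script tag.
# The hostname is a placeholder (.invalid TLD), not a real indicator.
INJECTED_TAG = '<script src="http://evil.invalid/x.js"></script>'

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)", [
        ("Welcome", "Plain article text."),
        ("Release notes", "Version 2 is out." + INJECTED_TAG),
    ])
    return conn

# Vulnerable pattern: user input is pasted into the SQL text, so a quote in the
# input ends the string literal and the rest is parsed as SQL.
def search_vulnerable(conn, term):
    sql = "SELECT id, title FROM news WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

# Hardened pattern: the same query with a bound parameter. The input is only
# ever a value compared by LIKE; it cannot alter the statement's structure.
def search_safe(conn, term):
    sql = "SELECT id, title FROM news WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

# Detection: an external <script src=...> tag inside stored article text is
# the signature of a mass-injection write like the one described above.
SCRIPT_TAG = re.compile(r"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)

def find_injected_rows(conn, table, columns):
    """Return (row id, column) pairs whose stored text contains a script tag.

    table/columns are identifiers supplied by the operator from a fixed
    allowlist, never from user input, which is why f-string use is safe here.
    """
    hits = []
    for col in columns:
        for row_id, text in conn.execute(f"SELECT id, {col} FROM {table}"):
            if text and SCRIPT_TAG.search(text):
                hits.append((row_id, col))
    return hits

if __name__ == "__main__":
    db = build_sample_db()
    probe = "nomatch' OR 1=1 OR '"   # constructed input that breaks out of the literal
    print("vulnerable:", search_vulnerable(db, probe))   # returns every row
    print("safe:      ", search_safe(db, probe))          # returns []
    print("injected:  ", find_injected_rows(db, "news", ["title", "body"]))
```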

Again, go read Dancho's full article on ZDNet here.

SANS Internet Storm Center

Symantec article

Shadow Server Article, exploit sites


2 Responses to “Mass SQL Madness”

  1. Rafal Los Says:

    Hey… SQL Injection is so popular lately, it even made the DailyWTF pages…

