During the Christmas break the Internet Storm Center provided good coverage of the latest MSSQL-based SQL injection worm, which appears to have infected over 1 million Microsoft-based web pages.
Recall that back in November last year we published a history of SQL injection attacks and followed it up with a SQL injection tutorial. The purpose of these publications is to raise awareness of SQL injection and to familiarise readers with securing dynamic web applications. For testing and understanding the attack, we also provide an online SQL injection test that lets anyone quickly check an HTTP GET based URL for a SQL injection vulnerability.
It is reasonable to expect that when implementing security carries a cost, in the form of development time or code fixes, some will hold off until disaster strikes. However, it seems that unless that disaster directly affects the organisation, pushing out applications that have been neither tested nor security reviewed continues to be normal practice.

