
SQL Injection Demystified

Dark Reading has a great article up on SQL injection. This form of attack has been around for a long time, and it happens because of poor coding practices in dynamic websites: user-supplied input is spliced directly into SQL query text. A simple SQL injection vulnerability can often be exploited to gain full access to the database and/or full control of the database server.

Now would be a good time to check your site: try our scanner for a quick check against possible HTTP GET injection. Be sure to enter the full URL with the additional parameters that will be tested, e.g. www.mysitetotest.com/listproducts.php?cat=3 or www.examplesite.com/article.asp?id=3. Once you have checked this form, don't forget that form-based SQL injection is also very easy to exploit. For testing form-based SQL injection attacks, try the Firefox plugin from Security Compass: SQL Injection - Exploit Me - Firefox Plugin.
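To make the coding mistake concrete, here is an added example (not from the Dark Reading article, this site's scanner, or the Security Compass plugin) in Python with SQLite. It shows the `listproducts.php?cat=3` pattern written the vulnerable way, the same query written with a bound parameter, and an input-validation step as defence in depth. The table, rows, and request values are constructed for the demonstration.

```python
import sqlite3
from typing import Optional

# Constructed sample catalogue: (id, name, category). Not real data.
PRODUCTS = [
    (1, "keyboard", 1),
    (2, "mouse", 1),
    (3, "monitor", 2),
    (4, "cable", 3),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, cat INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def list_products_vulnerable(conn: sqlite3.Connection, cat: str) -> list:
    """The mistake behind most GET-parameter injections: the raw value of
    ?cat= is concatenated into the SQL text, so anything the client sends
    is parsed as SQL. A value such as '3 OR 1=1' widens the WHERE clause
    and returns the whole table instead of one category."""
    sql = "SELECT name FROM products WHERE cat = " + cat + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_products_safe(conn: sqlite3.Connection, cat: str) -> list:
    """Parameterised query: the value is bound by the driver and never
    interpreted as SQL. The same '3 OR 1=1' input simply matches nothing."""
    rows = conn.execute(
        "SELECT name FROM products WHERE cat = ? ORDER BY id", (cat,)
    )
    return [row[0] for row in rows]


def parse_category(raw: str) -> Optional[int]:
    """Defence in depth: a category id must be a non-negative integer.
    Returns None (so the handler can reject the request) for anything else."""
    raw = raw.strip()
    if not raw.isdigit():
        return None
    return int(raw)


def list_products_validated(conn: sqlite3.Connection, raw: str) -> list:
    """What a request handler should do: validate, then bind."""
    cat = parse_category(raw)
    if cat is None:
        return []  # reject; a real handler would return HTTP 400 here
    return list_products_safe(conn, str(cat))


if __name__ == "__main__":
    db = build_db()
    for value in ("3", "3 OR 1=1"):
        print("cat=%r" % value)
        print("  vulnerable:", list_products_vulnerable(db, value))
        print("  parameterised:", list_products_safe(db, value))
        print("  validated:", list_products_validated(db, value))
```

Run it and compare the three outputs for the second value: the concatenated query returns every product, while the parameterised and validated versions return nothing, because the input is treated as a value rather than as SQL. A scanner of the kind mentioned above works by looking for exactly that difference in responses, so the fix is to make sure there is no difference to find: bind every parameter, and validate types before the query is ever built.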

Several high-profile hacks over the past year, including those at Heartland, Hannaford Bros., and 7-11, have had one thing in common: they were launched with a SQL injection attack.

Cross-site scripting (XSS) had been the king of Web attack techniques for some time, and for good reason -- the ability to steal user credentials, hijack active Web sessions and take action on behalf of a user without their knowledge is particularly nasty. But the classic SQL injection attack has regained the lead as the most popular of Web attacks. Most of the reported Web breaches in the first half of this year, according to the new Web Hacking Incidents Database (WHID) report, were conducted via SQL injection. And SQL injection is one of the most common vulnerabilities in Web applications today.

Dark Reading - SQL Injection Demystified