Friday, September 18, 2009

D...SQL_InJection!!

Experts rebuke programmers who use SQL injection as feature

Programmers who aren't security savvy are coding SQL injection as a feature in some Web applications, putting users at risk when an application goes live or is distributed to affiliates of online advertising networks.
The coding is critical to the way the application runs. The problem is so pervasive that some security vendors, including TippingPoint, ship their intrusion prevention systems (IPS) with SQL injection protection filters disabled by default to avoid breaking applications.
Rohit Dhamankar, director of security research at TippingPoint's DVLabs, said the company's global IPS honeypots have detected spikes in SQL injection attacks taking advantage of the SQL injection features coded in some Web applications. TippingPoint keeps track of global threats by capturing attack attempts in its IPS filters. It also anonymously tracks how customers configure their IPS.
"The people that write these applications sometimes don't realize that they have inadvertently put SQL injection as a feature for the applications," Dhamankar said. "One of the spikes came because one of these advertising companies was using a flaw, a SQL injection vulnerability to distribute reports to all its affiliates."
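The pattern Dhamankar describes, shown as an added illustration rather than code from any application named in the article: a report endpoint that lets each affiliate pass a raw WHERE fragment (the "feature"), beside a version that accepts the filter as data. Table, column and affiliate names and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: click-report rows belonging to two affiliates.
ROWS = [
    (1, "aff-100", "2009-09-11", 120),
    (2, "aff-100", "2009-09-12", 95),
    (3, "aff-200", "2009-09-11", 310),
]

def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clicks(id INTEGER, affiliate TEXT, day TEXT, count INTEGER)")
    conn.executemany("INSERT INTO clicks VALUES (?, ?, ?, ?)", ROWS)
    return conn

def report_unsafe(affiliate, where_extra):
    """'SQL injection as a feature': the affiliate supplies a raw WHERE
    fragment to narrow its own report. Because the fragment is spliced into
    the statement text, whatever the client sends is executed as SQL and can
    override the affiliate scoping the developer intended."""
    sql = ("SELECT affiliate, day, count FROM clicks "
           f"WHERE affiliate = '{affiliate}' AND {where_extra}")
    return _db().execute(sql).fetchall()

ALLOWED_FILTER_COLUMNS = {"day", "count"}
ALLOWED_OPS = {"=", ">", "<", ">=", "<="}

def filter_allowed(column, op):
    """Both identifiers must come from a fixed allow-list; there is no safe
    way to bind a column name or operator as a parameter."""
    return column in ALLOWED_FILTER_COLUMNS and op in ALLOWED_OPS

def report_safe(affiliate, column, op, value):
    """Same feature expressed as data: the column and operator are checked
    against the allow-list and the values are bound as parameters, so the
    client never contributes SQL text to the statement."""
    if not filter_allowed(column, op):
        raise ValueError("unsupported filter")
    sql = ("SELECT affiliate, day, count FROM clicks "
           f"WHERE affiliate = ? AND {column} {op} ?")
    return _db().execute(sql, (affiliate, value)).fetchall()
```

The intended use works identically in both versions; the difference is that the unsafe one also accepts a fragment that widens the result past the caller's own affiliate, which is exactly what an IPS filter tuned for SQL injection will flag and why the article says vendors ship those filters off by default.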
The SANS Institute called SQL injection and cross-site scripting attacks the two biggest problems on the Web in a report released this week, The Top Cyber Security Risks. These errors are also among the most overlooked by companies, yet SQL injection was the method used by attackers in the largest data security breach in U.S. history.
Web application vulnerabilities in open source and custom-built applications account for more than 80% of the vulnerabilities being discovered, SANS said in its report. The research broke the SQL injection errors down into "SQL injection using SELECT SQL statement," "SQL injection evasion using string functions," and "SQL injection using boolean identity," all errors that could be corrected in the software development lifecycle before the flawed application goes live.
Dhamankar said poorly coded online advertisements lead to the kind of problem experienced by New York Times website visitors last weekend. Once a flaw is exploited, attackers can poison the ads and redirect visitors who click on them to malicious websites. Automated scripts on those sites check for flawed browser plug-ins and other unpatched applications, giving the attacker a foothold to infect a victim's computer.
The New York Times partially uses an ad affiliation network. Last weekend, an approved ad appeared legitimate, but the attackers replaced it with malicious ads, which then displayed a pop-up advertisement warning users that their machines had been infected and they needed to click the link to disinfect their computer.
The problem is becoming extremely pervasive, but SQL injection errors are often difficult and costly to fix, experts say. A vulnerability scan can turn up thousands of errors that lend themselves to SQL injection.
