SQL Injection Attacks

Compromising Transactional Web Sites


By Jean-François Legault, CISSP, CISA, CISM, GCIH, GCFA

Digital Fingerprints

Organized cybercriminals are taking advantage of vulnerabilities in the way dynamic Web sites operate by injecting malicious code that the sites' database servers then process. This, in turn, is infecting the computers of visitors to the affected sites.

These SQL injection attacks are nothing new. But, in the past, each attack was directed at "valuable" targets. Hackers most often selected these targets because their databases contained sensitive information that could be resold or used for identity theft. Today these attacks have become more widespread, and they're acting as vehicles for mass infection of Web sites, which leads to thousands of infected computers.

Cybercriminals target organizations because they store valuable information in their online applications. At the most basic level, improperly validated user input in a Web-based application causes these attacks. This user input consists of character "strings" that an attacker carefully crafts and injects into the instructions the Web application sends to the database, taking aim at the database layer. Applications should validate all user input passed to the database, but some don't perform this function adequately. Instead they allow malicious code to be passed to the database for processing.

A successful SQL injection allows the attacker to read sensitive data stored in the database, modify data, or modify the database itself. It can also be used to execute various administrative commands on the database server.
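As an added illustration that is not part of the article, the Python functions below run against an in-memory SQLite table constructed for the example and show the two behaviours the text describes: a statement built by pasting the user's string into the SQL text, beside the same lookup done with a bound parameter, plus the kind of input check an application should apply before the value ever reaches the database. The table, the column names and the crafted string are assumptions of the example.

```python
import re
import sqlite3

# Constructed sample database standing in for a site's back-end store.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
    ])
    return conn

def lookup_vulnerable(conn, name):
    # Unvalidated input is concatenated into the statement text, so the
    # database cannot distinguish the attacker's characters from the query.
    sql = "SELECT id, name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # The statement text is fixed; the value travels separately as a bound
    # parameter and is only ever compared, never parsed as SQL.
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Input validation layer: accept only a plausible account name (assumed
# format) and reject everything else before it reaches the database.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def is_valid_name(name):
    return bool(NAME_RE.fullmatch(name))

def demo():
    conn = build_db()
    crafted = "x' OR '1'='1"   # constructed example of a crafted string
    return {
        "vuln_normal": len(lookup_vulnerable(conn, "alice")),     # 1 row
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),    # every row
        "safe_crafted": len(lookup_parameterized(conn, crafted)), # 0 rows
        "validator_rejects": not is_valid_name(crafted),          # True
    }
```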
