Feeds

No secret to stopping XSS and SQL injection attacks

Read, test, communicate, repeat

Intelligent flash storage arrays

SQL injection attacks and cross-site scripting exploits just won't die.

The most recent and high-profile incident was a mass webpage attack on more than 100,000 pages, which included victims as diverse as The Wall Street Journal, TomTom, and the UK's Strathclyde police.

There was a teetering stack of exploits involved in this hit: cross-site scripting that involved a banner-ads module on top of IIS using ASP.net, and malicious JavaScript on the site that users were redirected to. The initial weakness that made this mass attack possible allowed a set of SQL injection exploits to be run against the targeted websites.

But none of it would have been possible if the sites involved had been more resilient to SQL injection attacks. This signals a lack of awareness among developers — but we shouldn't just be pointing the finger at them. The problem also comes back to a lack of awareness among testers, who really should be actively testing applications for common security holes as a matter of course.

But the problem goes even deeper than that. The current emphasis on unit testing among developers has produced a myopic attitude to testing, in which integration testing — which would help to expose certain security flaws — is seen as too troublesome to bother with.

The frustrating thing about SQL injection attacks in particular, though, is that they're so easy to prevent in the first place — and easy to test for, of course.

Take the following query. Let's say we run a travel website where somebody searches for hotels in Blackpool. The query, constructed in your server code, would look something like:

SELECT * FROM hotels WHERE city = 'Blackpool';

In the search form, the user would enter a town/city. The server component extracts this value from the submitted form, and places it directly into the query.

Giving effectively free access to the database opens up all sorts of potential for sneaky shenanigans from unscrupulous exploiters. All the user has to do is add their own closing single-quote in the search form, plus some additional gubbins to turn it into a valid query:

Blackpool'; --

Everything after the -- is treated as a comment, so the door to your data is now wide open. How about if the user types into the search form:

Blackpool'; DROP TABLE hotels; --

Your server-side code will faithfully construct this into the following SQL, and pass it straight to the database, which in turn will chug away without question, just following orders:

SELECT * FROM hotels WHERE city = 'Blackpool'; DROP TABLE hotels; --';

Depending how malicious the attacker is, they could wreak all sorts of havoc or (worse, in a way) build on the "base exploit" to extract other users' passwords from the database. There's a good list of SQL injection examples here.

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Entity Framework goes 'code first' as Microsoft pulls visual design tool
Visual Studio database diagramming's out the window
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.