Security Forums

The recent rash of SQL Injection - anything different?

manning
Posted: Tue Jul 22, 2008 9:46 pm    Post subject: The recent rash of SQL Injection - anything different?

Hello,

I know a ton has been posted about SQL injection on these forums, but I wonder specifically if there was anything so dramatically different about the recent rash of injections?

The reason I ask is because our website developer is telling me that the site as written a year or so ago was secure against known SQL injection vulnerabilities at the time, but the recent version of attacks was able to slip past earlier efforts to secure the site. Sound reasonable or are they trying to cover their backsides?

Thanks for your opinions in advance
alt.don
Posted: Wed Jul 23, 2008 1:44 am

I'm not aware of any new advances in SQL injection techniques. It is generally the same old issues of filtering and encoding. Hope this helps.....
es0teric
Posted: Wed Jul 23, 2008 5:50 am

No major recent developments in SQL injection that I'm aware of. If you want a site to check to know what you're up against, try this out...

http://milw0rm.org/

It's usually updated very quickly as new exploits and techniques become available.
manning
Posted: Wed Jul 23, 2008 4:00 pm

Thank you for the feedback. Kind of what I suspected.

It is funny that one of the articles the web designer suggested I read in an effort to prove his case actually states that a properly coded site would not have been as vulnerable to the recent wave of attacks.
Groovicus
Posted: Wed Jul 23, 2008 6:46 pm

I have sort of come late to this topic, but don't jump on your developers just yet. There was a new attack just recently, and I am totally blanking on the details, or where I found it. The harder I think about it, the less likely I will be able to remember it too.

Let me stew on it for a while. I am pretty sure it had to do with a specific application though, like Invision Power Board.
manning
Posted: Wed Jul 23, 2008 7:53 pm

Groovicus wrote:
I have sort of come late to this topic, but don't jump on your developers just yet. There was a new attack just recently, and I am totally blanking on the details, or where I found it. The harder I think about it, the less likely I will be able to remember it too.

Let me stew on it for a while. I am pretty sure it had to do with a specific application though, like Invision Power Board.


OK, I'll go easy on them for now.

What I have read so far suggests that the vulnerability exploited by the most recent attacks was the same as earlier SQL injection vulnerabilities, but that the statement was different.

Basically the developer knows that I'm no SQL or ASP wiz, and because of this I want to make sure they aren't trying to slither out of responsibility for any security issues that they may have overlooked.
Groovicus
Posted: Wed Jul 23, 2008 8:40 pm

Found it:
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
http://www.secureworks.com/research/threats/danmecasprox/
http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx

I was wrong about the target, but correct in remembering that it had a specific target; in this case ASP instead of IPB. Anyway, hopefully that will help.