SQL Injection Attacks

Forum dedicated to computer hardware and software, mobile phones and electronic gadgets.
sstomek
Posts: 361
Joined: Wed Aug 03, 2005 6:26 am


Basically, this SQL injection attack allows a malicious "hacker" to log into sites that use SQL to keep track of users and their passwords. Basically, what happens is that you enter a username, and in the password field you enter an SQL statement that will make the database think that the password was correct. This security hole pertains to MANY forums, banks, and retailer sites.

"SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another."

more info here

http://en.wikipedia.org/wiki/SQL_injection

pretty interesting stuff.

-Tomek


Beancooker
Posts: 8456
Joined: Mon Jun 26, 2006 1:45 pm
Car: Current Car: 2024 Tesla Model 3
Past cars: Way too many to list
Location: Cottonwood, AZ.


And I have a disc that I can put in a PC and it will delete the password cache, and then I have full access to a password protected PC. There are many out there to steal info, just have to be careful, that's all.

SOHCSE
Posts: 371
Joined: Thu Jun 23, 2005 3:33 am
Car: 1990 240sx SE
Contact:


SQL injections are a bit more insidious. First of all, to take control of that PC you must be physically in front of it. SQL injection attacks can be launched from anywhere in the world with an internet connection and a web browser. Unless specific code is written to block and log SQL injection attempts, they will go unnoticed. That is, of course, until the damage is done.

Imagine that Verizon's website has not been designed correctly and is vulnerable to a SQL injection attack. Joe Schmo 'hacker' (let's call him l33t) exploits this and gains system-level access to Verizon's data farm. L33t gives himself an administrator account on Verizon's database server. L33t can now access Verizon's data at any time he pleases, from any computer with an internet connection. The worst part is that it went completely unnoticed, unless Verizon is running some sort of user auditing software that compares the user account tables to the previous audit.

L33t goes home and writes up a simple application. The application connects to Verizon's database server and accesses the Customer Billing table containing account information for 100 million customers. The software then filters out all accounts that do not pay by checking account direct withdrawal. We'll say that we are left with 30 million customers. Next, the checking account and routing numbers are harvested. The last thing the application needs to do is transfer an insignificant amount of money, let's say $1, from the victim's checking account into L33t's own offshore account. BAM, 30 million richer after a few hours' 'work'.

Imagine what he could do with all those CC numbers.

Fear, Mat
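Two pieces of the "specific code written to block and log SQL injection attempts" and the "auditing software that compares the user account tables to the previous audit" that Mat says most sites lack. This is an added example, not code from the post or from any company named in it. The web server log lines are constructed in Apache combined format, the detection patterns are a starting set rather than a complete one, and the account snapshots are assumed to be `{username: role}` dicts as a previous audit would have stored them.

```python
"""Detecting injection attempts in request logs, and auditing privileged accounts.

Added example. SAMPLE_LOG is constructed traffic in Apache combined log
format; the IPs are documentation ranges and the requests are made up.
"""
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2007:10:01:22 +0000] "GET /login.php?user=tomek&pass=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2007:10:01:40 +0000] "GET /login.php?user=admin%27--&pass=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2007:10:02:05 +0000] "GET /login.php?user=admin&pass=%27+OR+%271%27%3D%271 HTTP/1.1" 200 512 "-" "curl/7.15"
198.51.100.9 - - [12/Mar/2007:10:02:30 +0000] "GET /products.php?id=1+UNION+SELECT+username,password+FROM+users HTTP/1.1" 200 2048 "-" "curl/7.15"
192.0.2.44 - - [12/Mar/2007:10:03:00 +0000] "GET /products.php?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client IP, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Heuristic signatures of the classic payloads; a starting set, not a complete one.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'[^']*'\s*=\s*'", re.I),     # tautology: ' OR '1'='1
    re.compile(r"'\s*(--|#|/\*)"),                            # quote followed by a SQL comment
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),  # UNION SELECT data extraction
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),  # stacked statement
]


def decode_target(target):
    """URL-decode until stable, so double encoding (%2527) cannot hide a quote."""
    prev = None
    for _ in range(3):
        if target == prev:
            break
        prev, target = target, unquote_plus(target)
    return target


def find_sqli_attempts(log_text):
    """Return (client_ip, decoded_request_target) for every line matching a pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m.group("target"))
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            hits.append((m.group("ip"), decoded))
    return hits


def new_privileged_accounts(baseline, current):
    """Privileged accounts present now that were not privileged at the last audit.

    Both arguments are {username: role} snapshots. Catches both a brand-new
    admin account and an existing account whose role was escalated.
    """
    return sorted(
        user for user, role in current.items()
        if role == "admin" and baseline.get(user) != "admin"
    )


if __name__ == "__main__":
    for ip, target in find_sqli_attempts(SAMPLE_LOG):
        print("suspicious request from", ip, "->", target)
    last_audit = {"dba": "admin", "app_user": "app"}
    now = {"dba": "admin", "app_user": "app", "l33t": "admin"}
    print("new admins since last audit:", new_privileged_accounts(last_audit, now))
```

Pattern matching on decoded request targets is noisy in both directions (it misses payloads it has no signature for and flags the occasional legitimate apostrophe), so treat it as an alerting signal, not as the fix; the fix is parameterized queries in the application. The account audit is cheap and catches exactly the step in Mat's scenario where the attacker adds himself to the server, provided the baseline snapshot is stored somewhere the database account cannot rewrite.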

BoostFab
Posts: 3529
Joined: Wed Dec 03, 2003 8:23 am
Car: S13cp, S13fb, S14z
Location: Nismo Land
Contact:


A competent web developer should already know how to make the application secure.

SOHCSE
Posts: 371
Joined: Thu Jun 23, 2005 3:33 am
Car: 1990 240sx SE
Contact:


BoostFab wrote: A competent web developer should already know how to make the application secure.
Yeah, but you are only talking about 5% of all people that call themselves web developers.

GEO
Posts: 6449
Joined: Mon Jul 07, 2003 3:15 pm
Car: 95 240sx KA-T
Contact:


Umm... can't you just use the die command when a password fails?
