
SQL injection attacks targeting Flash, JavaScript errors

By Erin Kelly, Contributor
09 Feb 2009 | SearchSecurity.com

Security Wire Daily News

SQL injection has recently been the most common attack method used by hackers, and attacks against client-side Web technologies such as Flash and JavaScript can be expected to increase over time, experts say.

Jacob West, security group manager at Fortify Software, said that Flash, JavaScript and other Web 2.0 technologies are now at greater risk because their code runs on end-user machines rather than on a server. When data is processed on the client side, developers must be careful about where validation is performed, West said: a check that runs only inside the client can be skipped by anyone who controls that client.

"The 'bad guy' might replace your client with a different client," West said. "The problems aren't new, it's just more of the same problems and harder to solve."

With Flash, the biggest problem is that the developer coding the Flash application is the one writing the vulnerabilities into it, West said, so the application itself becomes the thing that is exploited.

"People who are building these codes need to build from the ground up and have a mature software security assurance program to avoid vulnerabilities," West said.

SQL injection is commonly called an "old school" attack and has been used by hackers for years. Last summer researchers detected a large wave of SQL injection attacks against websites worldwide. The technique remains popular because it is relatively easy to carry out and many websites are vulnerable to it. It is a code injection attack: the application builds a database query by concatenating user input from a Web form field or URL parameter into the query text, so an attacker who supplies input containing SQL syntax can change what the query does, reading data they should not see or modifying it.
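The mechanics described above, together with West's warning that validation done only inside a Flash or JavaScript client is useless once an attacker replaces that client, as an added example that is not code from the article or from any vendor it quotes. It uses Python's built-in sqlite3 module; the customers table, its rows, the function names and the payload are all constructed for illustration:

```python
"""Vulnerable, parameterized and validated versions of one customer lookup.

Added example; it is not code from the article, from Fortify or from
Kaspersky. The table, rows, handler names and payload are constructed.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory table holding constructed sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, email TEXT, activation_code TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "AAAA-1111"),
            (2, "bob@example.com", "BBBB-2222"),
            (3, "carol@example.com", "CCCC-3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer_id: str) -> list:
    """Splices the caller's string straight into the SQL text. Whatever a
    client sends, including quotes and operators, becomes part of the query."""
    sql = (
        "SELECT email, activation_code FROM customers WHERE id = '"
        + customer_id
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer_id: str) -> list:
    """Binds the value as a parameter. The driver never treats it as SQL, so
    the WHERE clause compares against the literal string the client sent."""
    sql = "SELECT email, activation_code FROM customers WHERE id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


ID_PATTERN = re.compile(r"^[0-9]{1,9}$")  # assumed format for customer ids


def is_valid_id(customer_id: str) -> bool:
    """Server-side allowlist check for the id field."""
    return ID_PATTERN.match(customer_id) is not None


def lookup_validated(conn: sqlite3.Connection, customer_id: str) -> list:
    """Validation on the server plus a bound parameter. A Flash or JavaScript
    client may run the same check, but an attacker can replace that client,
    so the server must re-validate and must never build SQL from the input."""
    if not is_valid_id(customer_id):
        raise ValueError("customer id must be 1 to 9 digits")
    return lookup_parameterized(conn, customer_id)


# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))     # every row leaks
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # []
    print("validated    :", is_valid_id(PAYLOAD))               # False, request rejected
```

With the payload, the concatenated query becomes `WHERE id = '' OR '1'='1'` and returns every customer's email and activation code; the bound parameter is compared as an ordinary string and matches nothing, and the allowlist rejects the request before a query is built. The server-side check is deliberately kept even though parameterization alone closes the injection, because it is the only validation the attacker cannot remove.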

The latest high-profile SQL injection attack was against a U.S.-based website owned by antivirus vendor Kaspersky Lab. Kaspersky acknowledged a coding error in its customer support website, which was exploited by an anonymous white-hat hacker exposing thousands of customer email addresses and software activation codes.

Many experts, such as Fortify's West, are advising developers to think more about security when they're coding to prevent these attacks. Although the number of SQL injection attacks has declined since last summer, about 14-16% of all websites characterized as important are vulnerable, said Jeremiah Grossman, founder and chief technology officer of WhiteHat Security.

The emergence of a method to pull off wide-scale SQL injection attacks has made the technique even more popular, said Grossman.

"Before SQL injections, an attacker had to exploit one site at a time, but now they found a generic way to insert data in the database, creating a widespread vulnerability," Grossman said.

Which technology a site is built with does not matter to an attacker, as long as the site has vulnerabilities that can be exploited, Grossman said.

"SQL injection, cross-site scripting (XSS) and a bunch of other attacks will occur [in the future], and it won't matter whether you're using 1.0 or 2.0 technology -- it's all the same," Grossman said.

Gary McGraw, chief technology officer of Cigital Inc., a software security and quality consulting firm with headquarters in Washington D.C., said that as long as vulnerabilities are present in a technology, attackers will keep trying to exploit them, using whatever technology is available to them.

In the past, there was a "coolness" factor among attackers associated with new attacks versus old attacks, McGraw said.

However, "as the attacker profile has shifted from disgruntled adolescents to professional criminals, the coolness factor is no longer a big deal," McGraw said. "[Attackers] no longer care about how advanced their attack is."

West said that while SQL injection attacks are frequent, the flaw is so well known that many IT professionals understand how to eliminate it, making it easier to rule out successful SQL injection against a database than to eliminate cross-site scripting (XSS). West predicts cross-site scripting will continue to increase because it is very difficult to fix, while SQL injection attacks will become less and less common.

Researchers have been trying to find ways to get developers to think more about security when they write programs. Last month, dozens of security experts released the CWE/SANS Top 25 Most Dangerous Programming Errors list. Companies can protect themselves from SQL injection and Flash-based attacks by building a software security assurance program, using the right code vulnerability scanning software, and having the processes in place to ensure a secure development lifecycle, West said.

WhiteHat Security's Grossman advised users and companies to know what websites they own and value them accordingly.

"Find the vulnerabilities in the sites before the 'bad guys' do and fix the sites," Grossman said. "These are solutions that have been around for a long time."
