
SQL injection attacks targeting Flash, JavaScript errors

Coding errors leave thousands of websites vulnerable, but attackers are starting to target Flash and JavaScript errors for exploitation, experts say.

SQL injection has been the most common attack method among hackers recently, and users can expect attacks against newer programming languages such as Flash and Java to increase over time, experts say.

Jacob West, security group manager of Fortify Software, said that Flash, JavaScript and a collection of Web 2.0 technologies are now at greater risk for vulnerabilities because their software runs on end-user machines rather than on a server. When data is processed on the client side in Web 2.0 technologies, developers must be extra careful about where they perform validation, West said.

"The 'bad guy' might replace your client with a different client," West said. "The problems aren't new, it's just more of the same problems and harder to solve."
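West's point about where validation runs can be shown with a small model. The following is an added example, not code from the article or from Fortify: a hypothetical username rule is enforced by a legitimate client, then a replaced client skips that check while still claiming it ran, and two server handlers react differently. The rule, field names and payloads are all constructed for the illustration.

```python
# Added example (not from the article): why input validation must run on the server.
# The "client" functions stand in for a Flash/JavaScript front end that validates
# a form field before submitting it. An attacker can swap that client for one that
# does not validate, so the server has to re-check every field itself.
import re

# Hypothetical rule: a username is 3-16 characters of lowercase letters, digits or '_'.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,16}$")


def client_side_validate(username: str) -> bool:
    """Validation as the legitimate client runs it before submitting the form."""
    return bool(USERNAME_RE.fullmatch(username))


def honest_client(username: str) -> dict:
    """Legitimate client: refuses to submit a value that fails its own check."""
    if not client_side_validate(username):
        raise ValueError("client rejected input")
    return {"username": username, "client_validated": True}


def replaced_client(username: str) -> dict:
    """Attacker-controlled client: sends anything and still claims it validated."""
    return {"username": username, "client_validated": True}


def server_trusting_client(request: dict) -> str:
    """Weak server: relies on the flag the client sent (constructed field name)."""
    if not request.get("client_validated"):
        return "rejected"
    return f"created user {request['username']}"


def server_validating_itself(request: dict) -> str:
    """Hardened server: ignores the client's claim and re-validates the raw value."""
    username = request.get("username", "")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        return "rejected"
    return f"created user {username}"


if __name__ == "__main__":
    # Constructed payload: a value the real client would never have submitted.
    bad = replaced_client("<b>admin</b>")
    print(server_trusting_client(bad))     # weak server accepts it
    print(server_validating_itself(bad))   # hardened server rejects it
```

The hardened handler never reads the `client_validated` flag at all; client-side checks remain useful for user experience, but the server treats every incoming field as untrusted.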

With Flash coding, the biggest problem is that the person coding the Flash application is potentially writing the vulnerabilities into it, allowing the code to be vulnerable to exploitation, West said.

"People who are building these codes need to build from the ground up and have a mature software security assurance program to avoid vulnerabilities," West said.

SQL injection is commonly known as an "old school attack" and has been used consistently by hackers. Last summer researchers detected a larger wave of SQL injection attacks against websites globally. SQL injection attacks remain popular because the method is relatively easy and many websites are vulnerable to it. It is a malicious code injection technique in which the attacker adds SQL code to a Web form input box to gain access to resources or make changes to data.
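The mechanism described above, and the fix that removes it, as an added example that is not part of the original article: a login check built by string concatenation, beside the same check written as a parameterized query. It uses Python's standard-library sqlite3 module on an in-memory database; the table, rows and form input are constructed here.

```python
# Added example (not from the article): a web-form SQL injection against a
# concatenated query, and the parameterized query that defeats it.
# Constructed data: an in-memory SQLite table with two users. Plaintext passwords
# are used only to keep the example short; real systems store password hashes.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("alice", "correct horse"), ("bob", "battery staple")],
)


def login_vulnerable(username: str, password: str) -> bool:
    """Builds the query by concatenation, so form input is parsed as SQL code."""
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username + "'"
        " AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(username: str, password: str) -> bool:
    """Binds the input as data; the database never interprets it as SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    # Constructed form input: the quote closes the string literal and the OR
    # makes the WHERE clause true for every row, so the vulnerable version
    # "logs in" without knowing any password.
    injected = "' OR '1'='1"
    print(login_vulnerable("nobody", injected))          # True
    print(login_parameterized("nobody", injected))       # False
    print(login_parameterized("alice", "correct horse")) # True
```

The parameterized version is the fix West and Grossman are asking developers to adopt: the query text is fixed at development time and user input can only ever be a value, never a clause.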

The latest high-profile SQL injection attack was against a U.S.-based website owned by antivirus vendor Kaspersky Lab. Kaspersky acknowledged a coding error in its customer support website, which was exploited by an anonymous white-hat hacker exposing thousands of customer email addresses and software activation codes.

Many experts, such as Fortify's West, are advising developers to think more about security when they're coding to prevent these attacks. Although the number of SQL injection attacks has declined since last summer, about 14-16% of all websites characterized as important are vulnerable, said Jeremiah Grossman, founder and chief technology officer of WhiteHat Security.

The emergence of a method to pull off wide-scale SQL injection attacks has made the technique even more popular, said Grossman.

"Before SQL injections, an attacker had to exploit one site at a time, but now they found a generic way to insert data in the database, creating a widespread vulnerability," Grossman said.

The type of technology a hacker attacks does not matter to the hacker as long as they are able to exploit vulnerabilities, Grossman said.

"SQL injection, cross-site scripting (XSS) and a bunch of other attacks will occur [in the future], and it won't matter whether you're using 1.0 or 2.0 technology -- it's all the same," Grossman said.

Gary McGraw, chief technology officer of Cigital Inc., a software security and quality consulting firm with headquarters in Washington D.C., said that as long as vulnerabilities are present in a technology, no attacker will stop attempting to exploit it, and the attacker will use whatever technology is available to him.

In the past, there was a "coolness" factor among attackers associated with new attacks versus old attacks, McGraw said.

However, "as the attacker profile has shifted from disgruntled adolescents to professional criminals, the coolness factor is no longer a big deal," McGraw said. "[Attackers] no longer care about how advanced their attack is."

West said that while SQL injection attacks are frequent, the technique is so well known among IT professionals that eliminating the possibility of a successful SQL injection attack against a database is easier than eliminating cross-site scripting (XSS). West predicts cross-site scripting will continue to increase because it is very difficult to fix, while SQL injection attacks will become less and less common.

Researchers have been trying to figure out ways to get developers to think more about security when they develop programs. Last month, dozens of security experts released the CWE/SANS Top 25 dangerous programming errors list. Companies can protect themselves from SQL injection and Flash-based attacks by developing a software security assurance program, having the right code vulnerability scanning software, and having the right processes in place to ensure a secure development lifecycle, West said.

WhiteHat Security's Grossman advised users and companies to know what websites they own and value them accordingly.

"Find the vulnerabilities in the sites before the 'bad guys' do and fix the sites," Grossman said. "These are solutions that have been around for a long time."
