This past week I fixed a third site in three months that suffered from a SQL injection attack. (Not sites Zajon built.) Last year I saw one site with this problem.
I thought I'd pass along this information and tool regarding SQL injection attacks on sites that use databases. If your corporate web site uses a database to track or record information, or you manage sites like that for clients, I'd recommend you look at this.
HP has developed a tool called "Scrawlr" to test sites for SQL injection vulnerabilities. They have posted a free version of the tool (it runs on Windows PCs, not Macs) that has some restrictions when compared to the retail version. Here is the URL from HP's security blog where they discuss this tool.
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
I would suggest you download and run this tool if you don't have another way of testing database-driven sites for SQL injection vulnerabilities. It is not perfect, so don't assume your site is invulnerable if no problems are reported, but the Scrawlr tool is a good place to start.
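For readers who want to see what a scanner like this is looking for in their own code, here is the defect side by side with its fix, as an added example that is not part of the original post or of HP's tool. The `products` table, its rows and the probe string are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a small catalogue with one row that must never be
# shown to the public (published = 0).
ROWS = [
    (1, "Widget", 1),
    (2, "Gadget", 1),
    (3, "Unreleased Prototype", 0),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    """The pattern a SQL injection scanner flags: the query text is assembled
    by string concatenation, so a quote inside `term` closes the literal and
    whatever follows is executed as SQL."""
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """The fix: the SQL text is fixed and `term` travels as a bound value, so
    quotes and comment markers inside it are data, never syntax."""
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE ? ORDER BY id")
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def compare(term):
    """Run the same search term through both versions and return
    (vulnerable_result, parameterized_result) so the difference is visible."""
    conn = make_db()
    return search_vulnerable(conn, term), search_parameterized(conn, term)


if __name__ == "__main__":
    print(compare("Widg"))          # both versions: ['Widget']
    # Constructed probe: the vulnerable version leaks the unpublished row,
    # the parameterized version simply finds no product with that name.
    print(compare("' OR 1=1 --"))
```

A clean scanner report means the probes it tried did not reach a concatenated query like `search_vulnerable`; it does not mean none exist, so the parameterized form is still the change worth making everywhere user input meets SQL.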
- Post Script (July 17): I sent an e-mail, which had the same information as this post, to several of my clients and people with whom I work. Today I heard from an agency I work with: one of their client sites had suffered an SQL injection attack. The count is now four in three months.