I'm a little surprised by comments that most devs wouldn't know what a SQL
Injection attack was. Most developers I've worked with have a class of
some kind with a function for sanitizing data against SQL Injection.

These days you don't see them used so often, as SQL Parameters / Linq to SQL
/ Entity Framework / nHibernate, etc. all offer protection against SQL
Injection attacks. And many frameworks, such as MVC, are making it easier
than ever to protect against XSS attacks (and CSRF vulnerabilities to an
extent), by making the default syntax encode HTML.

Only once have I had a situation where a site I had worked on had been
hacked. It was an eCommerce application, and reports showed a discrepancy in
the financial transactions. The amount paid by one person was a lot less
than when they should have been charged. After a day or two of
investigation, I stumbled upon how they did it: They had the shopping cart
open, and put a cheap item in it worth about $1. They then 'copied' that tab
in their browser. On the original tab they pressed 'pay' that redirected to
the 3rd party payment gateway - so the payment gateway was asked to bill $1
against their order number. Before entering their credit card details, in
the other tab they stacked on heaps of items into the same shopping cart
(and therefore the same Order Number). They went back to the original tab,
put in their Credit Card and paid the $1. When our system got back a valid
certificate from the 3rd party payment gateway saying all was approved, it
assumed that order number was successfully paid, and didn't double-check the
payment amount vs the basket amount.

Nathan
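The two-tab sequence Nathan describes, as an added example that is not code from the thread or from his system: a constructed order model where the basket is frozen once payment starts and the gateway callback compares the amount actually paid with the basket total, with the unchecked flow replayed alongside for comparison. All names (Order, start_payment, gateway_callback, two_tab_sequence) are hypothetical.

```python
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass
class Order:
    order_id: str
    items: dict = field(default_factory=dict)       # sku -> unit price
    authorised_amount: Decimal = Decimal("0.00")     # amount the gateway was asked to bill
    status: str = "open"                             # open -> pending -> paid | failed

    def total(self) -> Decimal:
        return sum(self.items.values(), Decimal("0.00"))

def add_item(order: Order, sku: str, price: Decimal, freeze: bool) -> bool:
    # Mitigation 1: a basket that is already out at the gateway must not change.
    if freeze and order.status != "open":
        return False
    order.items[sku] = price
    return True

def start_payment(order: Order) -> Decimal:
    # Snapshot the amount the gateway is told to charge and mark the order in flight.
    order.authorised_amount = order.total()
    order.status = "pending"
    return order.authorised_amount

def gateway_callback(order: Order, approved: bool, paid: Decimal, check: bool) -> str:
    # Mitigation 2: 'approved' only proves that *some* amount was paid; settle only
    # when it matches both the snapshot and the basket as it stands right now.
    if not approved or order.status != "pending":
        order.status = "failed"
    elif check and (paid != order.authorised_amount or paid != order.total()):
        order.status = "failed"              # underpayment: hold the order for review
    else:
        order.status = "paid"
    return order.status

def two_tab_sequence(freeze: bool, check: bool):
    """Replay the scenario from the thread; returns (status, amount paid, basket total)."""
    order = Order("ORD-0001")                                     # constructed sample order
    add_item(order, "cheap-item", Decimal("1.00"), freeze)
    billed = start_payment(order)                                 # tab 1: 'pay', gateway asked for $1
    add_item(order, "expensive-item", Decimal("899.00"), freeze)  # tab 2: same order number
    status = gateway_callback(order, True, billed, check)         # gateway approves the $1
    return status, billed, order.total()

if __name__ == "__main__":
    print(two_tab_sequence(freeze=False, check=False))  # ('paid', Decimal('1.00'), Decimal('900.00'))
    print(two_tab_sequence(freeze=False, check=True))   # ('failed', Decimal('1.00'), Decimal('900.00'))
    print(two_tab_sequence(freeze=True, check=True))    # ('paid', Decimal('1.00'), Decimal('1.00'))
```

The first line reproduces the discrepancy in the thread (a $1 payment settling a $900 basket); the amount check alone refuses it, and freezing the basket stops the second tab from changing the order at all.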


On Wed, Sep 1, 2010 at 8:27 PM, Martin Hungerford <
martinhungerf...@harboursat.com.au> wrote:

> Corneliu,
>
> I currently work at a Uni and we recently had an attempted SQL injection
> attack show up in the logs. It was the first I have seen in reality and we
> all exclaimed over the log trace. Thanks for the application, we'll give it
> a go :)
>
> Martin
>
> *From:* ozdotnet-boun...@ozdotnet.com [mailto:
> ozdotnet-boun...@ozdotnet.com] *On Behalf Of *Corneliu I. Tusnea
> *Sent:* Wednesday, 1 September 2010 9:47 PM
> *To:* ozDotNet
> *Subject:* Re: [OT] SQL injection attack vectors
>
> Sam,
>
> I do a lot of work in this field and yes, developers without
> any knowledge of what SQL Injection (or even XSS) is are the main culprit.
>
> Even with the current "tools" (.net, asp.net..) SQL Injection and XSS are
> very common. I've seen loads of production apps with potential issues but,
> as long as "nobody is hurt in some shape or form" nobody bothers to fix
> them.
>
> "Hey, we've never been attacked" is the most common answer.
>
> But nobody can answer the question: "How do you know you've never been
> attacked? Do you keep proper logs, do you have any clue if there isn't
> someone out there who has a complete copy of your database without you
> knowing it?"
>
> Just a few weeks ago I managed to do a relatively trivial XSS injection
> on a popular .Net CMS system that's been out for ages. You kind of expect
> these types of issues to be ironed out in "good, reputable, solid" systems but
> heck, no, they are still there.
>
> Now, in the defense of some of these "developers", there are several
> scenarios that are actually very hard to code safely, even for an experienced
> developer with loads of understanding of SQL Injection attacks.
>
> The best example is a complex search procedure for a website that has to
> take different parameters so it's best to build the query based on the input
> parameters.
>
> E.g. search only some columns, filter by vendor, category, manufacturer,
> maybe some checkboxes. Writing such a search is not easy if you want it
> optimized and well performing, and this is quite often the Achilles' heel.
>
> Having a SQL Injection in any other scenario is a sign of pure low quality
> development.
>
> Regards,
>
> Corneliu.
>
> PS>> Shameless Plug: I wrote a tool XSSAttack that can simulate a
> successful XSS attack on your database. You can then see how your site
> behaves once the XSS attack succeeded. Give it a try :) I challenge every
> one of you that are developing websites :)
>
> http://xssattack.codeplex.com/
>
> On Wed, Sep 1, 2010 at 5:35 PM, mike smith <meski...@gmail.com> wrote:
>
> On 1 September 2010 15:06, Craig van Nieuwkerk <crai...@gmail.com> wrote:
>
> >
> > I don't see how any legitimate programmer could claim to be unaware of
> > such an issue; it's a core concept about how programming works. They
> > may as well be confused that comments don't compile.
> >
>
> Of the hundred plus developers I have worked with over the years, most
> would stare at you blankly if you mentioned sql injection. Just the
> other day I had to go to great lengths to explain it to some pretty
> experienced developers.
>
> Point them here.
> http://xkcd.com/327/
> --
> Meski
>
> "Going to Starbucks for coffee is like going to prison for sex. Sure,
> you'll get it, but it's going to be rough" - Adam Hills
>

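Corneliu's dynamic-search scenario above, as an added example rather than code from the thread or from any of the posters: the WHERE clause is assembled only from allow-listed column names while every user-supplied value is bound as a parameter (with LIKE wildcards escaped), run against a constructed in-memory SQLite catalogue. The function names, table layout and sample rows are assumptions for the demo.

```python
import sqlite3

# Allow-lists: only these identifiers may ever be spliced into the SQL text.
SEARCHABLE = ("name", "description")
FILTERS = ("vendor", "category", "manufacturer")

def _like(term: str) -> str:
    # Escape LIKE wildcards so user text is matched literally, not as a pattern.
    for ch in ("\\", "%", "_"):
        term = term.replace(ch, "\\" + ch)
    return f"%{term}%"

def build_search(text: str, search_in, filters: dict, in_stock: bool):
    """Return (sql, params): structure from allow-listed names, every value bound."""
    clauses, params = [], []
    cols = [c for c in search_in if c in SEARCHABLE]       # unknown columns are dropped
    if text and cols:
        clauses.append("(" + " OR ".join(f"{c} LIKE ? ESCAPE '\\'" for c in cols) + ")")
        params += [_like(text)] * len(cols)
    for key, value in filters.items():
        if key not in FILTERS:
            raise ValueError(f"unsupported filter {key!r}")  # reject, never interpolate
        clauses.append(f"{key} = ?")
        params.append(value)
    if in_stock:
        clauses.append("stock > 0")
    sql = "SELECT id FROM products"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY id", params

def demo_db() -> sqlite3.Connection:
    # Constructed sample catalogue, in memory, for the demo.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, description TEXT,
                              vendor TEXT, category TEXT, manufacturer TEXT, stock INTEGER);
        INSERT INTO products VALUES
          (1, 'Blue Widget', '100% cotton', 'acme', 'widgets', 'WidgetCo', 3),
          (2, 'Red Gadget', 'runs on AA cells', 'acme', 'gadgets', 'GadgetCo', 0),
          (3, 'Green Widget', 'plain', 'globex', 'widgets', 'WidgetCo', 7);
    """)
    return conn

def search(conn, text="", search_in=SEARCHABLE, filters=None, in_stock=False):
    sql, params = build_search(text, search_in, filters or {}, in_stock)
    return [row[0] for row in conn.execute(sql, params)]

def product_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM products").fetchone()[0]
```

Because the search text only ever reaches the database as a bound value, the xkcd-style input from the link above simply matches no rows and leaves the table intact, while a "100%" search finds the literal string rather than acting as a wildcard.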