Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

A View from Robert Lemos

The Danger in Web Database Flaws

Attacks that send database commands to the servers hosting a Web site have become a common way to compromise networks and infect visitors’ computers.

  • August 25, 2009

Last week, federal prosecutors indicted Albert Gonzalez, a man already charged with stealing nearly 100 million credit- and debit-card accounts from retailer TJX, for allegedly working with three other people to hack into another five companies. Gonzalez and his cohorts allegedly stole at least an additional 130 million credit- and debit-card accounts.

In each case, the initial compromise was through the victim’s Web site using a technique, known as SQL injection, that is rarely talked about outside of computer security circles.

The attack takes advantage of website components that allow user input, such as search boxes and login pages. If the Web application does not adequately check the validity of the string of characters, an attacker can enter a specially formatted string that, when processed, will be converted into a database command. Since most Web databases use the structured query language, or SQL, the attack is known as a SQL injection.

“It is a medium-level threat that the rest of the industry has ignored for so long, that the attackers have realized it’s a wide-open field,” says Dan Holden, product manager for IBM’s X-Force vulnerability research team.

Because Web developers are not typically programmers–and most programmers are not adequately taught security practices–online applications are rife with SQL injection flaws.

Big Blue has seen the number of SQL injection attacks double from the first to the second quarter of 2009. In the past few years, vulnerabilities that allow SQL injection to happen have occupied one of the top-three places in the annual list of flaws. Last year, about 20 percent of the 5,600 vulnerabilities entered into the National Vulnerability Database were related to SQL injection.

“Developers are working in high-level programming languages and they just aren’t taught to deal with vulnerabilities,” Holden says. “Bugs and vulnerabilities occur because people make mistakes, and it’s people that program applications.”

Underscoring the danger, security firm ScanSafe announced this week that it had found nearly 100,000 Web pages that had been compromised using a SQL-injection attack to include malicious code.

“It is like it has hit puberty,” Holden says. “SQL injection has started to come into its own.”

The latest Insider Conversation is live! Listen to the story behind the story.

Subscribe today
Already a Premium subscriber? Log in.
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

    Bimonthly digital/PDF edition

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special interest publications

    Discount to MIT Technology Review events

    Special discounts to select partner offerings

    Ad-free web experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

  • Insider Online Only {! insider.prices.online !}*

    {! insider.display.menuOptionsLabel !}

    Unlimited online access including articles and video, plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.