Recently I spotted a piece of news about a type of network attack combining techniques we have discussed in recent articles involving Google Hacking and Buffer Overflow Attack . The incident, according to Forbes News1 involves “using Google searches to track down sites vulnerable to so-called ‘SQL injections’.”

Essentially, the hackers use Google to hunt for sites with a problem in the web server program codes and exploit them using the knowledge gained from the error messages displayed on the problem websites. In this particular case, the hackers used the SQL command to take control of the sites under attack.

(If you are interested to know about how to work safely using SQL commands, read our post about Buffer Overflow Attack here: http://www.bestinternetsecurity.net/52.)

Some security experts attribute this situation to the usage of Microsoft-related technologies in web sites, such as Microsoft’s own Internet Information Servers (IIS) and its SQL server.

“Whitehat Security’s Grossman speculates that machines running that software were targeted because they allow several commands to be injected in a single user input field on the sites they host, making those sites easier to hijack,” according to Forbes News.

However, I have a different view, and this is the same comment that I expressed in my previous post: It does not matter what technologies you are using to run your websites. What does matter is taking extra care in writing programs that use SQL commands to manage program data. If in the original program design you fail to carefully validate users’ inputs, you will open doors to possible attacks. This is especially disastrous if you fail to do so with web application programming, like in the case we are discussing now.

But as I have also said, it is extremely difficult (if not totally impossible) to write completely bullet-proof code. But to be aware of what can happen if you do not take extra steps to write code that carefully lessens the risk of attack is more than half of the battle. Read the news in the reference section to know more about this case.

Reference:

1Greenberg, A. (2008), Google-Hacking Goes To China, Forbes.com LLC, Available from: http://www.forbes.com/2008/04/28/hackers-google-china-tech-security
-cx_ag_0428hack.html?partner=yahootix
[Accessed 28 April 2008]

Tags: SQL Programming, Application Security, Google Hacking, Buffer Overflow Attack