Archive for the 'Google Hacking' Category
Recently I spotted a piece of news about a type of network attack combining techniques we have discussed in recent articles involving Google Hacking and Buffer Overflow Attack. The incident, according to Forbes News [1], involves “using Google searches to track down sites vulnerable to so-called ‘SQL injections’.”
Essentially, the hackers use Google to hunt for sites whose web application code has a flaw, then exploit them using what they learn from the error messages those sites display. In this particular case, the hackers used SQL commands to take control of the sites under attack.
(If you are interested in how to work safely with SQL commands, read our post about Buffer Overflow Attack here: http://www.bestinternetsecurity.net/52.)
Some security experts attribute this situation to the use of Microsoft-related technologies in web sites, such as Microsoft’s own Internet Information Servers (IIS) and its SQL Server.
“Whitehat Security’s Grossman speculates that machines running that software were targeted because they allow several commands to be injected in a single user input field on the sites they host, making those sites easier to hijack,” according to Forbes News.
However, I have a different view, and this is the same comment that I expressed in my previous post: It does not matter what technologies you are using to run your websites. What does matter is taking extra care in writing programs that use SQL commands to manage program data. If in the original program design you fail to carefully validate users’ inputs, you will open doors to possible attacks. This is especially disastrous if you fail to do so with web application programming, like in the case we are discussing now.
As I have also said, it is extremely difficult (if not totally impossible) to write completely bullet-proof code. Still, being aware of what can happen if you do not take extra steps to write code that lessens the risk of attack is more than half of the battle. Read the news in the reference section to know more about this case.
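To make the point about validating input concrete, here is an added example (not code from the original post or from the Forbes article) showing a query built by string concatenation beside a validated, parameterized version that also keeps database errors away from the visitor. Python's built-in sqlite3 stands in for the site's database; the `users` table, the function names and the allow-list pattern are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def lookup_unsafe(db, name):
    # Weak form: user input is pasted into the SQL text, so quotes in the
    # input become part of the command instead of part of the value.
    return db.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()

NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # assumed allow-list for user names

def lookup_safe(db, name):
    # 1. Validate: reject anything outside the expected shape.
    if not NAME_RE.fullmatch(name):
        return {"ok": False, "error": "invalid input"}
    try:
        # 2. Parameterize: the driver passes the value separately from the SQL.
        rows = db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    except sqlite3.Error:
        # 3. Return a generic message; a raw database error shown on the page
        #    can be read by visitors and indexed by search engines.
        return {"ok": False, "error": "internal error"}
    return {"ok": True, "rows": rows}

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"           # constructed test input
    print(lookup_unsafe(db, crafted))  # the WHERE clause is rewritten
    print(lookup_safe(db, crafted))    # rejected before reaching the database
    print(lookup_safe(db, "alice"))
```

With the concatenated query, an input containing a stray quote either changes the meaning of the statement or raises a database error; in the second function neither the input nor the error text reaches the SQL or the page.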
Reference:
[1] Greenberg, A. (2008), Google-Hacking Goes To China, Forbes.com LLC, Available from: http://www.forbes.com/2008/04/28/hackers-google-china-tech-security-cx_ag_0428hack.html?partner=yahootix [Accessed 28 April 2008]
Tags: SQL Programming, Application Security, Google Hacking, Buffer Overflow Attack
Google hacking refers to the use of Google as a powerful search engine to uncover websites with security bugs and technical issues. Google, with its crawling engine, searches and indexes the content of websites around the world 24/7. It captures everything from normal website pages to pages with technical problems that display error messages, and stores them in its database to answer visitors’ queries.
For example, it is not unusual to see an ASP website displaying error messages such as:
“InvalidOperationException: Failed to map the path ‘/<Application_Name>/App_GlobalResources/’.”
This error message reveals the server’s application path as well as part of the server’s internal file structure. Experienced hackers can use this vital information to initiate an attack on that system.
Google contains probably the world’s largest collection of snapshots for any website. It records an enormous number of websites with various error messages like the one above. Anyone who knows how can easily search for the relevant messages with advanced commands in search queries like “inurl:”, which will refine a search to look for particular error messages.
For further information on various advanced search query techniques, click here: http://www.google.com/help/operators.html
Johnny Long, a researcher, writer, and a “white” hacker for web application security, has written a useful book on Google hacking.
Tags: Web Applications Security






