Saw this article about how SQL injection attacks are on the rise. That isn’t surprising because SQL injection attacks are easy to automate and they can turn up opportunities for malicious attackers to steal or destroy a lot of sensitive data. My question is: “Are SQL injection vulnerabilities on the rise?”
We have seen folks getting better at guarding against these vulnerabilities. As most organizations have at least made a first pass at assessing applications they have found and hopefully corrected egregious SQL injection flaws. These are one of the web application vulnerabilities that the automated scanners can find, so even folks who want to run a scan and pat themselves on the back for being secure ought to be getting over this hurdle. Same thing with cross-site scripting (XSS) and other technical and configuration-related flaws.
My next question is: “How many organizations are going to stop there?” Because the interesting vulnerabilities we find in our assessments are invariably logical vulnerabilities in applications. Attackers might not be able to automatically find and exploit these vulnerabilities, but it is also a lot harder to detect that these attacks are being launched. Your IDS might have some rules looking for ‘ and < characters in HTTP inputs, but it is not going to know that someone switched their UserID or AccountID cookies to look at records they shouldn’t see.
I don’t think we will ever see an article titled “Logical Application Attacks On the Rise” but that doesn’t mean they aren’t.
dan _at_ denimgroup.com