Saw a story over on TheDailyWTF about how the Oklahoma Department of Corrections completely mis-implemented their online sex offender database. The site basically let the visitor supply the SQL query to run and then returned the results. I remember back in the good old days you at least had to have a trick or two up your sleeve in order to exploit a SQL injection vulnerability… Even worse, there were HTML comments revealing further information about how the database was structured, so an attacker didn't even have to guess at table or column names.
The terrible thing is that even a quick scan of the application with any of the standard dynamic analysis (web vulnerability scanning) tools would have caught this issue. I think we are rapidly reaching the point where, if you haven't even run a scan on your application to check for basic cross-site scripting (XSS) and SQL injection flaws, you are in much the same position as if you hadn't bothered to deploy a firewall.
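To make the two points above concrete, here is an added example (my own illustration, not code from the Oklahoma site or from TheDailyWTF story) that models the failure in miniature. It uses an in-memory SQLite database with a constructed, fictitious offenders table; the table, column and function names are assumptions for the demo. `run_raw_sql` mimics an endpoint that executes whatever SQL the visitor sends, `search_vulnerable` shows the more usual string-concatenation flaw, `search_hardened` is the parameterized fix, and `injection_probe` is the kind of trivial "send a quote and compare result counts" check a dynamic scanner performs, which is enough to catch the flaw.

```python
import sqlite3

# Constructed sample data for the demo. Not real records.
SAMPLE_ROWS = [
    (1, "Smith", "Tulsa", "000-00-0001"),
    (2, "Smith", "Norman", "000-00-0002"),
    (3, "Jones", "Lawton", "000-00-0003"),
    (4, "Brown", "Enid", "000-00-0004"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offenders "
        "(id INTEGER PRIMARY KEY, last_name TEXT, city TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def run_raw_sql(conn, user_sql):
    """Models the endpoint described in the post: the visitor supplies the
    whole query. No injection trick is required; 'SELECT ssn FROM offenders'
    simply dumps the sensitive column."""
    return conn.execute(user_sql).fetchall()


def search_vulnerable(conn, last_name):
    """Classic flaw: the parameter is concatenated into the WHERE clause,
    so a quote in the input lets the caller rewrite the query."""
    sql = (
        "SELECT id, last_name, city FROM offenders "
        "WHERE last_name = '" + last_name + "'"
    )
    return conn.execute(sql).fetchall()


def search_hardened(conn, last_name):
    """Fix: a bound parameter. The driver sends the value separately from
    the SQL text, so quotes in the input are data, never syntax."""
    sql = "SELECT id, last_name, city FROM offenders WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def injection_probe(search, conn, benign="Smith"):
    """Minimal boolean-based check in the spirit of a dynamic scanner:
    send a benign value, then the same value with an appended tautology.
    If the tautology returns more rows, the input reached the SQL parser."""
    baseline = search(conn, benign)
    probed = search(conn, benign + "' OR '1'='1")
    return len(probed) > len(baseline)


if __name__ == "__main__":
    db = make_db()
    print("raw endpoint dumps SSNs:", run_raw_sql(db, "SELECT ssn FROM offenders"))
    print("vulnerable search injectable:", injection_probe(search_vulnerable, db))
    print("hardened search injectable:  ", injection_probe(search_hardened, db))
```

The probe reports True for `search_vulnerable` (the tautology returns every row) and False for `search_hardened` (the literal string `Smith' OR '1'='1` matches no surname). The endpoint modeled by `run_raw_sql` has no legitimate hardened form; the only fix is to stop accepting SQL from the client at all.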
–Dan
dan _at_ denimgroup.com