Oklahoma Sex Offender Database Mishap

April 16, 2008
Dan Cornell

Saw a story over on TheDailyWTF about how the Oklahoma Department of Corrections completely mis-implemented their online sex offender database.  The site basically allowed you to input the SQL query you wanted to run and then returned the results.  I remember back in the good old days you at least had to have a trick or two up your sleeve in order to execute a SQL injection vulnerability…  Even worse, there were HTML comments indicating further information about how the database was structured.

The terrible thing is that even a quick scan of the application with any of the standard dynamic analysis tools would have caught this issue.  I think that we are rapidly reaching the point where if you haven’t even run a scan on your application to check for basic cross-site scripting (XSS) and SQL injection flaws then you are in a similar position to if you didn’t even bother to deploy a firewall.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Categories: Application Security Tools Information Security Security Programs Vulnerability Assessments Web Application Security

Leave a Reply

Your email address will not be published. Required fields are marked *