Monday, June 20, 2005

How SQL Injection Works

It's true that we don't quite know the attack vector that was used to install trojan(s) on the CardSystems network. In my opinion, the three most likely possibilities are:

  • Social engineering: imagine one day you receive an official looking CD from your company's IT department. It's been snail-mailed to you directly, professionally emblazoned with the company logo and a pompous demand that you install the CD to ensure that your machine's security patches are current. This sort of thing may be what happened in the Israeli corporate espionage case.

  • Inside job: an insider, motivated by money, revenge or other factor, intentionally installed a trojan to expedite delivery of sensitive data to criminal parties.

  • SQL injection: a web application (say, a merchant access system) was compromised through SQL injection and a remote command execution hack (e.g., SQL Server's xp_cmdshell command or similar). Remote command execution offers the possibility of loading a malicious executable from an external FTP site... frightening, eh?

If you've ever wondered how SQL injection works... and how best to protect yourself against common web application attacks, this overview from UNIXwiz is one of the best I've seen.

    UNIXwiz: SQL Injection - by Example
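To make the third possibility above concrete, here is a small added example (my own illustration, not code from the post or from the UNIXwiz article) of the mechanism: a merchant lookup that builds its SQL by string concatenation beside the same lookup written with bound parameters. The table, merchant names, passwords and card numbers are constructed sample data; the `sqlite3` module stands in for whatever database a real merchant access system would use.

```python
import sqlite3

# Constructed sample data (not from the original post): a toy merchant table.
SAMPLE_MERCHANTS = [
    ("acme", "s3cret", "4111-1111-1111-1111"),
    ("globex", "hunter2", "5500-0000-0000-0004"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (name TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", SAMPLE_MERCHANTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name, password):
    """Builds the query by concatenating user input, so the input becomes SQL.

    A password of  ' OR '1'='1  turns the WHERE clause into
    (name = 'acme' AND password = '') OR '1'='1', which matches every row.
    """
    sql = ("SELECT name, card FROM merchants WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name, password):
    """Uses placeholders; the driver sends values separately from the SQL text,
    so the same hostile string is compared literally and matches nothing."""
    sql = "SELECT name, card FROM merchants WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run both lookups with an honest login and with a hostile password."""
    conn = build_db()
    honest = ("acme", "s3cret")
    hostile = ("acme", "' OR '1'='1")
    return {
        "vuln_honest": lookup_vulnerable(conn, *honest),
        "vuln_hostile": lookup_vulnerable(conn, *hostile),   # every merchant leaks
        "param_honest": lookup_parameterized(conn, *honest),
        "param_hostile": lookup_parameterized(conn, *hostile),  # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The fix is the placeholder, not escaping quotes by hand: once the SQL text and the values travel separately, the database never reinterprets input as part of the statement. The post's remote command execution scenario is a second layer of the same problem, and the matching defence is least privilege on the database account, so that even an injected statement has no access to facilities like xp_cmdshell.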
