Week 11 Takeaways
Reading Summary: SQL Injection
SQL injection is one of the most common vulnerabilities in web applications, which is why it is crucial to test for it when building a website: untrusted input (for example, a modified URL parameter) may end up inside the application's database query, allowing an attacker to extract, modify or delete important data. SQL injection is used to perform operations on the database, bypass authentication mechanisms, read information from the database that should otherwise be unavailable, and write information into it. There are several ways to find SQL injection bugs, such as supplying a single quote or a semicolon as input. If an error results, the application is vulnerable. If there is no error, check for any changes in the output.
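As an added illustration (not from the reading or this post), the single-quote test described above run against a constructed SQLite lookup: the concatenated query breaks on the quote, while the parameterised version treats the same input as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (hypothetical data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "ob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # String concatenation: the user's input becomes part of the SQL text,
    # so a quote in the input changes the structure of the statement.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Parameterised query: the input is bound as a value and never parsed as SQL,
    # so a quote in the input is just a character in the string being matched.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def probe(lookup, username):
    """Apply the single-quote test from the reading to a lookup function.

    Returns the string 'error' if the database rejects the query (the sign of
    injection described above), otherwise the list of matching e-mails so the
    caller can also compare output changes.
    """
    conn = make_db()
    try:
        return lookup(conn, username)
    except sqlite3.Error:
        return "error"
    finally:
        conn.close()


if __name__ == "__main__":
    for name in ("alice", "alice'", "o'brien"):
        print(repr(name), probe(lookup_vulnerable, name), probe(lookup_safe, name))
```

Note that the legitimate name `o'brien` also fails under the concatenated query, so the error is a bug for ordinary users as well as a sign of exploitable injection.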
Question for the class:
Have you experienced a SQL injection attack and what tools/techniques did you use to go back to operational mode?
In the news:
“Hacker group claims to have looted $100 via SQL injection attack”
A group of hackers known as TeamBersek took credit on Twitter for using a SQL injection attack to access plaintext usernames and passwords for customers of Sebastian, a California-based Internet, phone and TV service provider. The group then leveraged those credentials to steal $100,000 from online accounts. The underlying issue was customers reusing the same passwords across multiple accounts. It is also interesting to note that in July, cyber crooks were charged with hacking more than a dozen companies and using SQL injection to steal 160 million credit card numbers.
You can find more information about this article here.