Martin, sounds like a sign that they're actually teaching their students about such attack techniques, which is bad on your end, but is probably a good thing given the comments here.
Now that you mentioned uni, I have to say I don't recall ever being taught anything about SQL or XSS injection techniques, or any other basic attack vectors. In fact, I explicitly remember there usually being a statement on assignments saying that you can assume the input will be valid. Maybe that's part of the problem.

XSS injection is a little more difficult to guard against comparatively, given it is context dependent. With SQL injection though, except the situation Corneliu described with dynamically generated queries and other edge cases, you can almost always parameterize your SQL and be done with it. As a bonus, you get what I think is more readable code.

On 1 September 2010 22:27, Martin Hungerford <[email protected]> wrote:

> Corneliu,
>
> I currently work at a Uni and we recently had an attempted SQL injection attack show up in the logs. It was the first I have seen in reality and we all exclaimed over the log trace. Thanks for the application, we'll give it a go :)
>
> Martin
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Corneliu I. Tusnea
> Sent: Wednesday, 1 September 2010 9:47 PM
> To: ozDotNet
> Subject: Re: [OT] SQL injection attack vectors
>
> Sam,
>
> I do a lot of work in this field and yes, developers without any knowledge of what SQL Injection (or even XSS) is are the main culprit.
> Even with the current "tools" (.net, asp.net..) SQL Injection and XSS are very common. I've seen loads of production apps with potential issues but, as long as "nobody is hurt in some shape or form" nobody bothers to fix them.
> "Hey, we've never been attacked" is the most common answer.
> But nobody can answer the question: "How do you know you've never been attacked? Do you keep proper logs, do you have any clue if there isn't someone out there who has a complete copy of your database without you knowing it?"
>
> Just a few weeks ago I've managed to do a relatively trivial XSS injection on a popular .Net CMS system that's been out for ages. You kind of expect in "good, reputable, solid" systems these types of issues to be ironed out but heck, no, they are still there.
>
> Now, in the defense of some of these "developers" there are several scenarios that are actually very hard to code safely even by an experienced developer with loads of understanding of SQL Injection attacks.
> The best example is a complex search procedure for a website that has to take different parameters so it's best to build the query based on the input parameters.
> E.g. Search only some columns, filter by vendor, category, manufacturer, maybe some checkboxes. Writing such a search is not easy if you want it optimized and well performing, and this is quite often the Achilles' heel.
>
> Having a SQL Injection in any other scenario is a sign of pure low quality development.
>
> Regards,
> Corneliu.
>
> PS>> Shameless Plug: I wrote a tool XSSAttack that can simulate a successful XSS attack on your database. You can then see how your site behaves once the XSS attack succeeded. Give it a try :) I challenge every one of you that are developing websites :)
> http://xssattack.codeplex.com/
>
> On Wed, Sep 1, 2010 at 5:35 PM, mike smith <[email protected]> wrote:
>
> On 1 September 2010 15:06, Craig van Nieuwkerk <[email protected]> wrote:
>
>> I don't see how any legitimate programmer could claim to be unaware of such an issue; it's a core concept about how programming works. They may as well be confused that comments don't compile.
>
> Of the hundred plus developers I have worked with over the years, most would stare at you blankly if you mentioned sql injection. Just the other day I had to go to great lengths to explain it to some pretty experienced developers.
>
> Point them here.
>
> http://xkcd.com/327/
>
> --
> Meski
>
> "Going to Starbucks for coffee is like going to prison for sex. Sure, you'll get it, but it's going to be rough" - Adam Hills
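As an added example (not code from anyone in this thread), here is the dynamic search Corneliu describes, written in Python with sqlite3: the optional filters are assembled at runtime, but column names come from a fixed allow-list and every value is bound as a parameter, which is the "parameterize and be done with it" approach from the reply above. The `products` table and its rows are constructed sample data.

```python
import sqlite3

# Filters a caller may use, mapped to the SQL column each refers to.
# Identifiers cannot be bound as parameters, so they are taken from this
# fixed allow-list; only the *values* are handed to the driver as parameters.
FILTER_COLUMNS = {"vendor": "vendor", "category": "category",
                  "manufacturer": "manufacturer"}


def build_search(filters, term=None):
    """Return (sql, params) for a product search with optional filters."""
    clauses, params = [], []
    for name, value in filters.items():
        column = FILTER_COLUMNS.get(name)
        if column is None:
            # Reject unknown filter names instead of splicing them into SQL.
            raise ValueError("unknown filter: %r" % name)
        clauses.append("%s = ?" % column)      # column from allow-list
        params.append(value)                  # value bound as parameter
    if term:
        clauses.append("name LIKE ?")
        params.append("%" + term + "%")
    sql = "SELECT id, name FROM products"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY id", params


def search(conn, filters, term=None):
    """Run the built query; returns matching product names in id order."""
    sql, params = build_search(filters, term)
    return [row[1] for row in conn.execute(sql, params)]


def demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT,
                               vendor TEXT, category TEXT, manufacturer TEXT);
        INSERT INTO products (name, vendor, category, manufacturer) VALUES
          ('Widget', 'Acme', 'tools', 'Acme'),
          ('Gadget', 'Acme', 'toys', 'Globex'),
          ('Gizmo', 'Initech', 'tools', 'Globex');
    """)
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(search(db, {"vendor": "Acme", "category": "tools"}))
    print(search(db, {"vendor": "O'Reilly"}))   # quote is just data
```

A value containing a quote is matched literally rather than changing the query, and a filter name outside the allow-list is refused before any SQL is built.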
