Entries tagged with “sql_injection”.
Wed 23 Sep 2009
Posted by Slavik under breach, security, SQL injection
RBS WorldPay site got hacked
OK, it looks like this was a test site but nevertheless it makes you wonder.
Leaving a web application vulnerable to SQL injection and entire databases out there without protection is a sure way to get yourself hacked. It doesn’t even matter if the site was a test site (I hope it was), because we’ve seen many cases where access to a machine on the company DMZ was followed by getting control of the machine and getting further inside the company (remember Heartland?).
Tue 14 Aug 2007
Posted by Slavik under security, SQL injection
SQL UNjection
It’s been a while since my last post, but contrary to rumors I am not dead – just traveling a lot (something I promise to blog about soon).
The UN’s website suffered an SQL injection over the weekend by hackers who defaced the homepage. According to this site, the SQL injection exploited a database vulnerability, but I don’t think this was a super-sophisticated vulnerability exploit; rather, it was a simple SQL injection enabled by non-secure coding practices. This sort of SQL injection should be easily avoidable by binding variables, which apparently the UN techies didn’t do.
Shame. I think the Security Council should convene and unequivocally condemn the hackers. That’ll show them.