Saturday, April 2, 2011

SQL Injection and Cross-Site Scripting (XSS) are Hot

Custom and automated attacks against web sites continue as vendors and developers still have not gotten the hang of secure coding techniques.

In one case, an automated attack has infected more than 600,000 sites in about two days.

The other, was a case of a targeted attack against MySQL. Interestingly, the attackers are taking credit for this exploit.

Broad automated attacks like the first are usually driven by botnot groups who are ultimately seeking to compromise a large number of end-user systems.

The second attack is becoming less common. My guess, is that they are seeking to establish credibility for their attack skills and to demonstrate their ability to launch a 0-day hack. This sort of activity ranges from the somewhat benign: the hacker equivalent of resume fodder, or more malignantly: demonstrating value before selling their exploits to the criminal underground.

While defects will always exist, it is clear that web site providers still fail to perform the security basics: vetting code before deployment and monitoring their site for compromise.

Current infection counts can be found (for a few of the domains hosting the malicious scripts) with Google:
  1. Lizamoon
  2. Alisa-carter
  3. Alexblane