
SQL injection attacks could open door to more serious exploits

A new breed of SQL injection attacks could give hackers a way to take control of many of the underlying database servers powering websites. According to penetration tester Bernardo Damele Assumpcao Guimaraes, the techniques he has discovered work against the open-source database engines MySQL and PostgreSQL as well as Microsoft SQL Server.

In an interview with The Register, Damele Assumpcao Guimaraes said "I use the SQL injection only as a stepping stone to my target, and my target is the operating system, not only the data on the database." Damele Assumpcao Guimaraes will be sharing more about such attacks at a Black Hat talk later this month, as well as sharing notes that will help other penetration testers detect this new breed of attack.

As a whole, experts agree that SQL injection is a problem that affects all too many sites and needs to be addressed urgently. Jeremiah Grossman, White Hat Security's CTO, thinks that properly remedying flaws in web applications could cost anywhere from $3 billion to $8.5 billion. Damele Assumpcao Guimaraes advises that companies implement proper best practices, such as having as few privileged users as possible.

However, considering that many of Damele Assumpcao Guimaraes's attack techniques rely on database flaws that allow privilege restrictions to be circumvented, some fundamental fixes will need to be made to vulnerable databases, in addition to fixing web applications and adopting proper security practices.

For more on this story:
- check out this article at The Register
