
posted by CoolHand on Wednesday November 08 2017, @05:44PM
from the hot-sql-injection dept.

Submitted via IRC for soycow1984

They may not grab the most headlines, but injection attacks are the most common threats targeting organizational networks, according to IBM MSS data.

The facts are clear. According to IBM X-Force analysis of IBM Managed Security Services (MSS) data, injection attacks are the most frequently employed mechanism of attack against organizational networks. In fact, for the period assessed (January 2016 through June 2017), injection attacks made up nearly half — 47 percent — of all attacks. The most common types were operating system command injection (OS CMDi) and SQL injection (SQLi).

Figure 1: Injection attacks versus all attacks (Source: IBM Managed Security Services data).

Attackers take advantage of injection vulnerabilities in operating systems and applications to penetrate critical web servers and access back-end databases. From using malicious webshells to planting cryptocurrency mining tools or malicious PHP scripts, there are many ways in which cybercriminals can use injection attacks to reach their end goal.

Source: https://securityintelligence.com/injection-attacks-the-least-glamorous-attack-is-one-of-the-most-threatening/

  • (Score: 0) by Anonymous Coward on Wednesday November 08 2017, @06:53PM (14 children)

    by Anonymous Coward on Wednesday November 08 2017, @06:53PM (#594191)

    #include <cstdlib>   // system()
    #include <sstream>
    #include <string>
    int main(int argc, char** argv)
    {
        // what could go wrong, why would anyone not enter anything valid?
        // Why would they do that? I'm sure they'll never do such a thing...
        // Also, you should run this app as root
        std::stringstream ss; // because I'm lazy and I wanted something quick
        for (int n = 1; n < argc; n++)
        {
            ss << (n > 1 ? " " : "") << argv[n];
        }
        system(ss.str().c_str()); // joined user input handed straight to /bin/sh -c
    }

    // Bobby Tables, where art thou...
    std::string query = "select c1 from t1 where c2=" + user_input_string;

    1. Do not trust anything entered by the user
    2. Do NOT trust anything entered by the user
    3. Parameterize where you can

    If you are still not parameterizing your queries, you should be fired on the spot! Preferably, at...fired at!

    P.S.: There seems to be a bug in the ecode format handling. If you put a newline between the } and the call to system(), then it does not keep the fixed-width font for the call to system()

  • (Score: 0) by Anonymous Coward on Wednesday November 08 2017, @06:58PM

    by Anonymous Coward on Wednesday November 08 2017, @06:58PM (#594193)

    See PS above

    Like such:

    #include <cstdlib>   // system()
    #include <sstream>
    int main(int argc, char** argv)
    {
        // what could go wrong, why would anyone not enter anything valid?
        // Why would they do that? I'm sure they'll never do such a thing...
        // Also, you should run this app as root
        std::stringstream ss; // because I'm lazy and I wanted something quick
        for (int n = 1; n < argc; n++)
        {
            ss << (n > 1 ? " " : "") << argv[n];
        }

        system(ss.str().c_str());
    }

  • (Score: 0) by Anonymous Coward on Wednesday November 08 2017, @07:02PM (2 children)

    by Anonymous Coward on Wednesday November 08 2017, @07:02PM (#594197)

    Your first mistake was using C++.
    Your second mistake was not using C.
    Your third mistake was using C\C++.
    Your forth mistake was not using Go.

    If you agree with this you're already using Go. If you think something is wrong here then pointer asthmatics and GOTO statements aren't for you. Please use Go.

    Either way, please use Go.

    Yours,
    Users and programmers alike.

    • (Score: 0) by Anonymous Coward on Wednesday November 08 2017, @07:06PM

      by Anonymous Coward on Wednesday November 08 2017, @07:06PM (#594199)

      Ah yes, the tried and true "there is only one programming language for any job"

      And to you, my friend, please go...

    • (Score: 1, Funny) by Anonymous Coward on Wednesday November 08 2017, @07:37PM

      by Anonymous Coward on Wednesday November 08 2017, @07:37PM (#594211)

      "Your FORTH mistake was not using Go."

      I see what you did there.

  • (Score: 3, Insightful) by Justin Case on Wednesday November 08 2017, @07:08PM (7 children)

    by Justin Case (4239) on Wednesday November 08 2017, @07:08PM (#594200) Journal

    Do NOT trust anything entered by the user

    What is this "trust" of which you speak?

    I just came from a meeting where the SJWs and diversity hires argued for hours over what font we should use, and the updated color scheme, because they wanted to look like they were contributing something to the project but they have null clue.

    Now I'm about to create the "webapp" with my whizbang drag-and-drop thingie that I downloaded from a dodgy website. Where in all this is there anything about trusting users?

    Signed, everyone pretending to be a developer.

    • (Score: 3, Informative) by Anonymous Coward on Wednesday November 08 2017, @07:29PM (6 children)

      by Anonymous Coward on Wednesday November 08 2017, @07:29PM (#594209)

      There is an intriguing phenomenon that SN has made pretty clear. Conservative and Libertarian users here tend to be the most arrogant and superior blowhards around, which is funny since they're the ones that get so pissed about "elitist coastal liberals".

      Then there is the fact that outward appearances are actually more important for a business than the working internals. We can all hate it, think it's stupid, etc., but it comes down to having users actually USE the product. For that you need it to be either pretty and easy to use, or you have a corner on the market and users will suffer through whatever you throw at them since the functionality is worth it.

      Signed, everyone tired of obnoxious coders

      • (Score: 2, Funny) by Anonymous Coward on Wednesday November 08 2017, @07:44PM (3 children)

        by Anonymous Coward on Wednesday November 08 2017, @07:44PM (#594217)

        "Then there is the fact that outward appearances are actually more important for a business than the working internals."

        What?

        Really?

        HOLY BRANDING, BATMAN!

        OK, here's my new business plan. I'm glad you folks are sitting down, cause this one's gonna blow your balls right off.

        Cardboard box. Got it? Follow the vision here. Deluxe, embossed printing, perfectly proportioned cardboard box.

        Nothing inside.

        Sell them for TEN MILLION BUCKS each. Nobody cares about the interior.

        Where's my money, bitches?

        • (Score: 3, Informative) by Thexalon on Wednesday November 08 2017, @09:41PM

          by Thexalon (636) on Wednesday November 08 2017, @09:41PM (#594252)

          Been done already: Remember the "I Am Rich [wikipedia.org]" phone app that did absolutely nothing but demonstrate that somebody could pay a grand for an app that does nothing?

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
        • (Score: 0) by Anonymous Coward on Thursday November 09 2017, @03:53PM

          by Anonymous Coward on Thursday November 09 2017, @03:53PM (#594656)
        • (Score: 1, Funny) by Anonymous Coward on Thursday November 09 2017, @05:36PM

          by Anonymous Coward on Thursday November 09 2017, @05:36PM (#594722)

          "Where's my money, bitches?"

          Apple's got it. BTW, Apple patented the business model of selling empty, shiny cardboard boxes.

      • (Score: 2) by DannyB on Wednesday November 08 2017, @07:48PM (1 child)

        by DannyB (5839) Subscriber Badge on Wednesday November 08 2017, @07:48PM (#594221) Journal

        there is the fact that outward appearances are actually more important for a business than the working internals.

        A recipe for not being in business very long.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 2) by bob_super on Wednesday November 08 2017, @07:59PM

          by bob_super (1357) on Wednesday November 08 2017, @07:59PM (#594225)

          "Until next quarter is enough to sell my stock" - management.

  • (Score: 3, Insightful) by bob_super on Wednesday November 08 2017, @08:06PM

    by bob_super (1357) on Wednesday November 08 2017, @08:06PM (#594228)

    > Do not trust anything entered by the user

    Sanitize!
    Let no one else's strings evade your eyes!
    Remember why the good lord made your eyes.
    Sanitize
    Sanitize

    (with apologies to Tom Lehrer)

  • (Score: 0) by Anonymous Coward on Thursday November 09 2017, @08:42AM

    by Anonymous Coward on Thursday November 09 2017, @08:42AM (#594525)

    I'd go as far as to say that if trusting or not trusting anything entered by the user is even relevant, you are doing it wrong.

    Thus your first and second point become moot.

    The rule should be "never mix code and data". Your third point is a less general form of this.
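As an added example (not code posted in this thread), here is the first comment's argv-joining program rebuilt on the "never mix code and data" rule from the comment above: each argument is passed to execvp() as a separate argv element, so no shell ever parses the user's text. The helper name `run_argv` and the fork/execvp approach are this example's choices, not the thread's.

```cpp
// Added example: the thread's system(ss.str().c_str()) program, rebuilt so the
// shell never parses user-supplied text. Each argv element reaches the child
// as a distinct argument and therefore stays data, not code.
#include <cstdio>
#include <string>
#include <vector>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Run args[0] with the remaining elements as its argv (PATH lookup via execvp).
// Returns the child's exit status (0..255), or -1 if it could not be run/waited.
int run_argv(const std::vector<std::string>& args)
{
    if (args.empty()) return -1;
    std::vector<char*> cargv;                 // execvp wants a NULL-terminated char*[]
    for (const std::string& a : args) cargv.push_back(const_cast<char*>(a.c_str()));
    cargv.push_back(nullptr);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(cargv[0], cargv.data());       // only returns on failure
        _exit(127);                           // same "command not found" code a shell uses
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char** argv)
{
    // Contrast with the thread's version: no string joining and no /bin/sh -c,
    // so characters like ';' or '|' inside an argument carry no meaning.
    std::vector<std::string> args(argv + 1, argv + argc);
    if (args.empty()) {
        std::fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    return run_argv(args);
}
```

The same separation is what parameterized SQL gives the `query` string in the first comment: the statement text is fixed and `user_input_string` travels as a bound value.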