Stories
Slash Boxes
Comments

SoylentNews is people

Injection Attacks: The Least Glamorous Attack is One of the Most Threatening

posted by CoolHand on Wednesday November 08 2017, @05:44PM   Printer-friendly
from the hot-sql-injection dept.

MrPlow writes:

Submitted via IRC for soycow1984

They may not grab the most headlines, but injection attacks are the most common threats targeting organizational networks, according to IBM MSS data.

The facts are clear. According to IBM X-Force analysis of IBM Managed Security Services (MSS) data, injection attacks are the most frequently employed mechanism of attack against organizational networks. In fact, for the period assessed (January 2016 through June 2017), injection attacks made up nearly half — 47 percent — of all attacks. The most common types were operating system command injection (OS CMDi) and SQL injection (SQLi). Injection attacks versus all attacks. Figure 1: Injection attacks versus all attacks (Source: IBM Managed Security Services data).

Attackers take advantage of injection vulnerabilities in operating systems and applications to penetrate critical web servers and access back-end databases. From using malicious webshells to planting cryptocurrency mining tools or malicious PHP scripts, there are many ways in which cybercriminals can use injection attacks to reach their end goal.

Source: https://securityintelligence.com/injection-attacks-the-least-glamorous-attack-is-one-of-the-most-threatening/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Injection Attacks: The Least Glamorous Attack is One of the Most Threatening | Log In/Create an Account | Top | 21 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Wednesday November 08 2017, @07:09PM

    by Anonymous Coward on Wednesday November 08 2017, @07:09PM (#594201)

    SQL parameterization has been around decades. Various data access libraries that save developers a lot of that mucking around with SQL have been around for at least a decade or so. This shouldn't be happening. So why the heck is raw string concatenated SQL appearing anywhere in anything?

    Because of lazy and because a bunch of folks have no fucking clue about what they are or should be doing.
    After all, there's time allocated in the schedule to fix this quick hack where I concatenate the user's input and then send it straight to the database using an sa/postgres/root/super user, right? Right? I mean, we release software when it's 'done'; not when the schedule says to release it...