posted by chromas on Saturday June 15 2019, @04:11PM
from the '; drop trou;# dept.

SQL Injection Attacks Represent Two-Thirds of All Web App Attacks

For its "State of the Internet" report, Akamai analyzed data gathered from users of its Web application firewall technology between November 2017 and March 2019. The exercise shows that SQL injection (SQLi) now represents nearly two-thirds (65.1%) of all Web application attacks. That's up sharply from the 44% of Web application layer attacks that SQLi represented just two years ago.

Local File Inclusion (LFI) attacks, which, like SQLi, are also enabled by a Web application's failure to properly validate user input, accounted for another 24.7% of attacks. Together, SQLi and LFI attacks represented 89.8% of all attacks at the Web application layer over the 17-month period of Akamai's study.

[...] SQL injection errors and cross-site scripting (XSS) errors have topped, or nearly topped, the Open Web Application Security Project's (OWASP) list of top 10 Web vulnerabilities for more than a decade. Just this week, in fact, HackerOne published a report showing XSS errors to be by far the most common security vulnerability in Web apps across organizations. Both XSS and SQLi are well understood, and many researchers have catalogued the dangers associated with them for years.

The fact that so many Web apps still have them reflects the relatively scant attention paid to security in the application development stage, says Andy Ellis, chief security officer at Akamai. "It is not that the developers are making errors," he says. "It is system that we put them into that is dangerous."

[...] Akamai's data [pdf] shows most Web application attacks originate from inside the US and most targets are US-based as well. Of the nearly 4 billion application-layer attacks that Akamai counted over the 17-month period, some 2.7 billion targeted US organizations. Companies in the UK, Germany, Brazil, and India were also relatively heavily targeted, though nowhere near as much as US companies.
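The summary above groups LFI with SQLi as an input-validation failure. As an added example that is not part of the article or Akamai's report, the following Python function shows the defensive check an LFI-prone file-serving route usually lacks: the requested name is joined to a fixed base directory, symlinks and `..` segments are resolved, and the result is only served if it still lies inside that directory. The directory layout, file names and contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def resolve_within(base_dir, requested):
    """Return the resolved path of `requested` under base_dir, or None if it escapes.

    Resolving first and comparing afterwards defeats '..' segments, symlinks and
    mixed separators, which a naive prefix check on the raw string does not.
    """
    base = Path(base_dir).resolve()
    # Reject NUL bytes and absolute paths up front; neither is a legitimate template name.
    if "\x00" in requested or os.path.isabs(requested):
        return None
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if candidate is outside base
    except ValueError:
        return None
    return candidate


def read_template(base_dir, requested):
    """Serve a file from the template directory, or None if it is missing or out of bounds."""
    path = resolve_within(base_dir, requested)
    if path is None or not path.is_file():
        return None
    return path.read_text()


def demo():
    # Constructed layout: templates/home.html is servable, ../secret.txt must not be.
    with tempfile.TemporaryDirectory() as tmp:
        templates = Path(tmp) / "templates"
        templates.mkdir()
        (templates / "home.html").write_text("<h1>home</h1>")
        (Path(tmp) / "secret.txt").write_text("not for the web")
        return {
            "benign": read_template(templates, "home.html"),
            "traversal": read_template(templates, "../secret.txt"),
            "absolute": read_template(templates, str(Path(tmp) / "secret.txt")),
        }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately an allowlist ("is the resolved path inside the base?") rather than a denylist of `..` patterns, because encoding tricks and symlinks bypass string-based denylists while the resolved-path comparison holds for all of them.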

  • (Score: 0) by Anonymous Coward on Saturday June 15 2019, @09:22PM (5 children)

    by Anonymous Coward on Saturday June 15 2019, @09:22PM (#856072)

    Even then, there are basic prepared statements in each library.
    I don't understand how people making anything web don't know about it.
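The prepared statement the comment refers to, shown as an added example that is not part of the post or the article: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The hostile input is the textbook tautology that turns the `WHERE` clause into a condition that is always true; with the parameter bound, the driver treats it as a literal username and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table standing in for a web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Concatenation: the caller's text is spliced into the SQL grammar itself,
    # so a quote in the input changes the statement rather than the value.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Prepared statement: the statement text is fixed and the value is bound
    # separately, so whatever the input contains, it can only ever be a username.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    conn = make_db()
    benign = "alice"
    # Constructed hostile input: the leading quote closes the literal and the OR
    # makes the WHERE clause true for every row.
    tautology = "' OR '1'='1"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_safe": lookup_safe(conn, benign),
        "hostile_vulnerable": lookup_vulnerable(conn, tautology),
        "hostile_safe": lookup_safe(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

For benign input both functions return the single `alice` row; for the tautology the concatenated query returns every user, while the parameterized query returns an empty list. The `?` placeholder is the sqlite3 style; other drivers spell it `%s` or `:name`, but the property is the same in each.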

  • (Score: 0) by Anonymous Coward on Saturday June 15 2019, @10:46PM (4 children)

    by Anonymous Coward on Saturday June 15 2019, @10:46PM (#856089)

    "Know about it" and "bother to use it" are very different beasts when it comes to programming.

    • (Score: 2) by Common Joe on Sunday June 16 2019, @03:58AM (3 children)

      by Common Joe (33) <common.joe.0101NO@SPAMgmail.com> on Sunday June 16 2019, @03:58AM (#856151) Journal

      I've had a very tough time being accepted back into the programming world. My skills are still too outdated. However, I have a programmer friend who lost his job and in a week's time, he had five interviews lined up. It amazed him that I had trouble finding a job because we were having dinner one night and I was explaining to him how databases worked -- table joins, indexes, really simple stuff. He'd never seen that before. He literally did not know. (Which brings up the question in my mind "How could he possibly defend against a SQL Injection attack?" I don't know and I don't want to know.) It was simply that he had the right buzz words on his resume.

      • (Score: 1, Funny) by Anonymous Coward on Sunday June 16 2019, @06:47AM

        by Anonymous Coward on Sunday June 16 2019, @06:47AM (#856185)

        Don't forget about the 25 years of JavaScript, 35 in Python, 30 in Java, and 15 of Rust.

      • (Score: 0) by Anonymous Coward on Sunday June 16 2019, @04:19PM (1 child)

        by Anonymous Coward on Sunday June 16 2019, @04:19PM (#856273)

        we were having dinner one night and I was explaining to him how databases worked -- table joins, indexes, really simple stuff. He'd never seen that before. He literally did not know.

        Programmers who don't look under the hood - those that just program using a published API or the public methods/functions of a framework - *don't need to know how it works.

        * They should know, and in theory things will always work better if they do know, but if the methods and functions they call are all supposed to handle that stuff they can skate by in most cases.

        • (Score: 2) by Common Joe on Monday June 17 2019, @02:46AM

          by Common Joe (33) <common.joe.0101NO@SPAMgmail.com> on Monday June 17 2019, @02:46AM (#856456) Journal

          This is part of the reason I asked my original question. It seems it wasn't just functions and method calls to APIs, methods, or functions that he was using. It seems he needed to know about tables as well. If he knows about tables, then he also needs to know about joins and indexes and SQL Injection attacks. And if he needs to know this, then a lot of other programmers should also know about that stuff but don't.

          But if I misunderstood something, then please elaborate.