Aug 12 2007
I’m a pretty good security professional, but when it comes to hacking, I’m not so great. I understand the tools, I’ve played with a lot of them, but my skills at actually hacking a site aren’t much above the “script kiddy” level. So when I hear that the web site for the United Nations was hacked with a simple SQL injection attack, I’m more than a little surprised and annoyed. This is the sort of attack even I could perform, and one that should have been closed on such a high profile site a long time ago.
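To make concrete what “a simple SQL injection attack” against a web site looks like, and what closing the hole amounts to, here is an added example that is not from the original post or from the UN site. It uses a constructed in-memory SQLite table of site pages (hypothetical schema) and contrasts a lookup that splices user input into the query text with the same lookup using a bound parameter.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a site's page store (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages (slug, body, published) VALUES (?, ?, ?)",
        [
            ("welcome", "Public welcome page", 1),
            ("draft-2008-plan", "Unpublished draft", 0),
        ],
    )
    return conn


def lookup_vulnerable(conn, slug):
    """Builds the WHERE clause by string concatenation.

    The request parameter becomes part of the SQL text, so a quote in it
    ends the literal and the rest is parsed as SQL. The 'published = 1'
    guard is then silently overridden.
    """
    sql = "SELECT slug FROM pages WHERE published = 1 AND slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, slug):
    """Same query with the value bound as a parameter.

    The database driver sends the input as data, never as query text, so
    whatever the caller types is compared literally against the slug column.
    """
    sql = "SELECT slug FROM pages WHERE published = 1 AND slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed input: closes the quote, adds an always-true clause
    print("vulnerable:", lookup_vulnerable(db, tautology))  # leaks the unpublished row too
    print("safe:      ", lookup_safe(db, tautology))        # matches nothing
```

The vulnerable version returns every page, including the unpublished one, because the injected clause rewrites the guard; the parameterized version returns an empty list for the same input, which is the fix the post says should have been in place.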
I have to agree with Robert Graham that it’s surprising this doesn’t happen more often to sites on the Internet. Given the ingredients of bored computer people, teenage and otherwise, the number of sites vulnerable to SQL injection, and the ease of finding vulnerable sites through Google, you’d think we’d see a lot more sites defaced. The only explanation I can think of is that the majority of the sites compromised are so low profile they never capture the attention of the media and the blogosphere.
A friend of mine, Dan Kuykendall, recorded a podcast that walks you through your own attempt at a SQL injection attack. He’s even got a server set up for you to hack, though it’s a bit misleading in that he’s built a lot of security into the back end to keep you from getting too evil on the site. Take an hour or so to walk through it and see for yourself how easy it is. You’ll be wondering why this isn’t happening more often too.