Is Your Web Site at Risk of Injection?

By Regina Kwon  |  Posted 2002-11-01

Think your Web site is secure? Think again.

Robbing banks is dangerous and unpredictable, and it requires leaving the house. Hacking, on the other hand, has a high success rate, pays well (extortionists ask for--and get--an average of $160,000 per hack) and can be done in one's pajamas.

"The attacks work because the software most people use has vulnerabilities," says Alan Paller, Director of Research at the SANS Institute, a security watchdog. The first challenge, he says, is simply to find out what those vulnerabilities are. "It's like owning a car, and every week there are new defects. But no one tells you what they are. Instead, you're supposed to somehow divine them."

Sites that use scripts to create pages dynamically are particularly prone to attacks. Because the back-end applications of a dynamic site view the Web server as a "trusted source," seemingly innocent text fields can act as entry points for malicious requests. One such attack, SQL Injection, could lead to a site's entire back-end database being downloaded by a hacker, says Caleb Sima, chief technology officer and co-founder of security vendor SPI Dynamics. "The problem is extremely common," he says.
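As an added illustration (not part of Kwon's article or of SPI Dynamics' testing steps), a small Python/sqlite3 sketch of the two patterns behind Sima's description: a text field pasted straight into the SQL text, so the database parses the visitor's characters as part of the statement, beside a parameterized query that ships the same characters as data. The table, rows and the sample name are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a site's back-end database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Alice", "alice@example.invalid"), (2, "O'Brien", "ob@example.invalid")],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable pattern: the form field becomes part of the SQL source code,
    # so any quote or operator the visitor types changes the statement itself.
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Hardened pattern: the statement is fixed; the driver binds the value
    # separately, so the visitor's text can only ever be compared, never parsed.
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()


def demo(name="O'Brien"):
    # A perfectly legitimate name containing an apostrophe is enough to show
    # that the concatenated version lets input alter the statement's structure.
    conn = make_db()
    results = {"param": lookup_param(conn, name)}
    try:
        results["concat"] = lookup_concat(conn, name)
        results["concat_error"] = None
    except sqlite3.OperationalError as exc:
        results["concat"] = None
        results["concat_error"] = str(exc)
    return results
```

The concatenated query dies with a syntax error on an innocent apostrophe, which is the same property that lets a hostile visitor rewrite the query; the parameterized one returns the matching row. Auditing a site for string-built SQL is therefore a concrete first check.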

Sima has provided steps for testing your own Web site for SQL Injection and other vulnerabilities.

As Statistics Editor of Baseline magazine, Regina creates interactive tools, worksheets and project guides for technology managers. Before joining Ziff Davis, she worked as a technical program manager for a database company, where her projects included data management applications in XML, Java, Visual Basic and ASP. Her other experience includes running the new media department at Christie's Inc. and writing and editing for Internet World and PC Magazine. Regina received a B.A. from Yale.
