Is Your Web Site at Risk of Injection?

By Regina Kwon  |  Posted 2002-11-01

Robbing banks is dangerous and unpredictable, and it requires leaving the house. Hacking, on the other hand, has a high success rate, pays well (extortionists ask for--and get--an average of $160,000 per hack) and can be done in one's pajamas.

"The attacks work because the software most people use has vulnerabilities," says Alan Paller, Director of Research at the SANS Institute, a security watchdog. The first challenge, he says, is simply to find out what those vulnerabilities are. "It's like owning a car, and every week there are new defects. But no one tells you what they are. Instead, you're supposed to somehow divine them."

Sites that use scripts to create pages dynamically are particularly prone to attacks. Because the back-end applications of a dynamic site view the Web server as a "trusted source," seemingly innocent text fields can act as entry points for malicious requests. One such attack, SQL Injection, could lead to a site's entire back-end database being downloaded by a hacker, says Caleb Sima, chief technology officer and co-founder of security vendor SPI Dynamics. "The problem is extremely common," he says.
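
The text-field entry point described above, shown as an added example that is not from the article or from SPI Dynamics: the same lookup is run once with the field value pasted into the SQL string and once with it bound as a parameter. The table, function names and sample input are constructed for illustration.

```python
import sqlite3

# Constructed sample rows standing in for a site's back-end data.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Constructed text-field input that closes the quoted value early and
# appends a condition that is true for every row.
CRAFTED_INPUT = "nobody' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return db


def lookup_concatenated(db, field_value):
    # Vulnerable: the field value becomes part of the SQL text, so the
    # database cannot tell the visitor's data from the site's query.
    query = "SELECT name, email FROM customers WHERE name = '" + field_value + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, field_value):
    # Hardened: the query text is fixed and the value is bound as data.
    query = "SELECT name, email FROM customers WHERE name = ?"
    return db.execute(query, (field_value,)).fetchall()


def compare(field_value):
    """Return (rows from concatenated query, rows from parameterized query)."""
    db = make_db()
    try:
        return (len(lookup_concatenated(db, field_value)),
                len(lookup_parameterized(db, field_value)))
    finally:
        db.close()


if __name__ == "__main__":
    print("ordinary input:", compare("alice"))
    print("crafted input: ", compare(CRAFTED_INPUT))
```

With ordinary input both forms return one row; with the crafted input the concatenated query returns the whole table while the parameterized query returns nothing.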

Sima has provided steps for testing your own Web site for SQL Injection and other vulnerabilities.