
Matt's Real Estate Technology Blog

Jul. 21, 2008 - Alert for Web Programmers and Managers: SQL Injection

This is for my readers who are, or who manage, web application programmers. I sent this update to my security assessment clients about a month ago but the urgency has continued to increase as attack rates are rising ...

I've been seeing a lot more injection attacks on industry sites - some automated, some manual. If you have web applications and haven't been testing for SQL and XSS injections - get on that PRONTO!

Even if you think your input validation is under control, be careful - attackers are getting a LOT sneakier:

* Using HTML entities instead of the raw characters, and alternate encodings like UTF-8, overlong UTF-8, UTF-7, Unicode, US-ASCII and even hex. Watch out for 'declare' and 'cast' in inputs ... not your friend.

* Not using special characters - leaving off the single quotes, using 'fromCharCode' to create them, or even using grave accents as a replacement.

* Defeating regular expressions that look for SCRIPT by embedding tabs, spaces and carriage returns - or encoded versions of the same!

* Sending you naughty content not just through traditional inputs and URL strings, but through cookie manipulation.

* Leveraging your platform - such as SSI (if installed), renaming JS files with image extensions for upload, or even using your application platform itself to create the script.

* Going beyond JavaScript and using VBScript.

* Injecting into image tags - including dynsrc and lowsrc attributes, in BODY onloads, in CSS calls, in titles, meta tags, iframes, TD backgrounds, DIV styles, BASE tags, OBJECT tags, XML, Flash actionscript and more!
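The 'declare'/'cast' keywords and the quote-free tricks in the list above all aim at the same weakness: user input being spliced into SQL text. Here is an added example (mine, not from this post or from Clareity) in Python with the standard sqlite3 module. The in-memory listings table, the sample rows and the function names are all constructed for the demonstration. It shows a concatenated query being rewritten by a hostile value, and the same value compared as plain data by a parameterized query:

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory listings table standing in
    for an MLS search backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (id INTEGER, city TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO listings VALUES (?, ?, ?)",
        [(1, "Phoenix", 250000), (2, "Tucson", 180000), (3, "Scottsdale", 640000)],
    )
    return conn


def find_by_city_unsafe(conn, city):
    """The 'before': the user value is pasted into the SQL text, so whatever it
    decodes to is parsed as SQL. Blacklisting quotes does not save this code:
    the attacker picks the encoding, and most dialects can build strings
    without quotes (the CHAR()/fromCharCode trick the post mentions)."""
    sql = f"SELECT id FROM listings WHERE city = '{city}'"
    return [row[0] for row in conn.execute(sql)]


def find_by_city(conn, city):
    """The fix: a parameterized query. The driver sends the value separately
    from the statement, so it is only ever compared as data, never parsed."""
    sql = "SELECT id FROM listings WHERE city = ?"
    return [row[0] for row in conn.execute(sql, (city,))]


if __name__ == "__main__":
    conn = make_db()
    honest = "Tucson"
    # Constructed hostile value of the classic tautology form.
    hostile = "x' OR 'a'='a"
    print(find_by_city_unsafe(conn, honest))   # [2]
    print(find_by_city_unsafe(conn, hostile))  # [1, 2, 3]: the WHERE clause was rewritten
    print(find_by_city(conn, honest))          # [2]
    print(find_by_city(conn, hostile))         # []: compared literally, no city has that name
```

The point is that the parameterized version needs no list of forbidden characters or encodings at all, because the value never becomes part of the statement; that is why it holds up against every encoding trick in the list, while a blacklist on the concatenated version is always one encoding behind.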
 

I think my "favorite" XSS validation workaround is the validator that removes script tags from inputs but doesn't search recursively: the hacker inputs [SCR[SCRIPT]IPT], the validator removes the middle "[SCRIPT]", and what's left is.... [SCRIPT]!
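To make that non-recursive stripping mistake concrete, here is an added Python example (mine, not from the post) using a constructed nested input. It shows a single-pass regex strip that splices the surrounding fragments back into a tag, a fixpoint version that at least closes that particular hole, and the approach that doesn't depend on guessing tag spellings at all: escaping the value when it is written into the page. Function names are my own.

```python
import html
import re

# Matches an opening or closing script tag, case-insensitively.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def strip_script_once(value):
    """The flawed validator from the post: one pass of deletion. Removing the
    inner tag splices the text on either side of it into a new tag."""
    return SCRIPT_TAG.sub("", value)


def strip_script_to_fixpoint(value):
    """Re-run the deletion until nothing changes. This closes the splicing
    hole, but it is still a blacklist that knows one tag and one spelling."""
    while True:
        cleaned = SCRIPT_TAG.sub("", value)
        if cleaned == value:
            return cleaned
        value = cleaned


def render_untrusted(value):
    """The robust approach: do not try to remove bad markup from the input;
    escape the value on output so the browser treats it as text, not markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed nested input of the kind the post describes.
    nested = "<SCR<SCRIPT>IPT>alert(1)</SCR</SCRIPT>IPT>"
    print(strip_script_once(nested))         # <SCRIPT>alert(1)</SCRIPT>  (the bug)
    print(strip_script_to_fixpoint(nested))  # alert(1)
    print(render_untrusted(nested))          # &lt;SCR&lt;SCRIPT&gt;IPT&gt;alert(1)...
```

Even the fixpoint version only knows one tag name, so the other vectors in the list above (event attributes, style and meta content, encoded forms that your own code decodes later) go straight through it. Escaping on output, and decoding inputs to one canonical form before any allowlist check, are the defenses that don't depend on out-guessing the attacker's spelling.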

And they're using every combination of the above that you can think of!!!
 
Are you validating for all of these situations?

Be careful out there!
 

Matt Cohen is Clareity Consulting's Chief Technologist. Matt consults to MLSs, Associations, brokerages, and many real estate industry software companies and has spoken at conferences, workshops and leadership retreats around the country on a wide variety of MLS-related topics. Matt is a well-regarded real estate industry expert on industry trends, software design, product management, project management, and information security. Clareity Consulting was founded in 1996 to provide information technology consulting to the real estate industry and its related businesses.

Disclaimer: The opinions expressed on this blog are the responsibility of the author and do not necessarily reflect the opinion of Clareity Consulting

©1996-2008 Clareity Consulting. All Rights Reserved.