THE CENZIC BLOG
September 17, 2008

BusinessWeek Site Hacked with SQL Injection Attacks

BusinessWeek is the latest victim in a growing trend of SQL Injection attacks

The recent compromise of the BusinessWeek Website adds to the litany of SQL injection attacks seen in 2008. More Websites have been infected with malicious code in 2008 than in previous years, and SQL injection attacks are largely to blame.
 
In the case of BusinessWeek's Website, a particular portion of the site was targeted. The attackers placed malicious content on a page detailing which top companies recruit from various MBA programs. This style of attack is increasingly common, as it relies on a Web application fetching some of its page-level content from a database. By overwriting the database tables from which this content is fetched, an attacker can modify or add to existing content. Worse, the malicious content can persist on the Web site for a number of days without being detected. Another factor that adds to the seriousness of these attacks is that most production Web applications are not frequently scanned for vulnerabilities.
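
To shorten the window in which overwritten content goes unnoticed, a scheduled job can sweep every text column of the content database for script or iframe tags that load from hosts the site does not normally use. The sketch below is an added example, not code from the original article or from BusinessWeek's site; it uses SQLite for portability, and the `page_content` table, the allowlist and all host names are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts or frames from.
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}

# Captures the src value of <script> and <iframe> tags stored in content.
TAG_SRC = re.compile(
    r"<\s*(?:script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def text_columns(conn):
    """Yield (table, column) for every text-typed column in the schema."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, col, ctype, *_rest in conn.execute(
                f'PRAGMA table_info("{table}")'):
            if any(t in ctype.upper() for t in ("CHAR", "TEXT", "CLOB")):
                yield table, col

def scan(conn, allowed=ALLOWED_HOSTS):
    """Return (table, column, rowid, host) for tags loading from unlisted hosts."""
    findings = []
    for table, col in text_columns(conn):
        # Identifiers come from the schema itself; row data is never interpolated.
        sql = (f'SELECT rowid, "{col}" FROM "{table}" '
               f'WHERE "{col}" LIKE ? OR "{col}" LIKE ?')
        for rowid, value in conn.execute(sql, ("%<script%", "%<iframe%")):
            for src in TAG_SRC.findall(value if isinstance(value, str) else ""):
                host = urlparse(src).hostname  # None for relative URLs
                if host and host.lower() not in allowed:
                    findings.append((table, col, rowid, host))
    return sorted(findings)

def build_sample_db():
    """Constructed sample data: a relative script, an injected tag, an allowed host."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page_content (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO page_content (title, body) VALUES (?, ?)", [
        ("Programs", '<p>Overview</p><script src="/js/table.js"></script>'),
        ("Recruiters", '<p>Top firms</p><script src=http://injected.invalid/a.js></script>'),
        ("About", '<script src="https://static.example.com/app.js"></script>'),
    ])
    return conn

if __name__ == "__main__":
    print(scan(build_sample_db()))
```

A sweep like this only finds the symptom; the injectable query itself still has to be located and fixed.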
 
Earlier this year a mass SQL injection worm affected more than 70,000 Websites.  While the BusinessWeek attack was a targeted attack that went after a certain demographic, the attack method is another example of the rash of SQL injection attacks plaguing 2008.

by
Tom Stracener, Senior Security Analyst
Tom@cenzic.com

