nCircle The Lens Blog

Web application security isn't just about web applications

More Than 500,000 Websites Hit By New Form Of SQL Injection In '08

It's new because it's automated and run from botnets. I'm not sure that really counts as a "new form of SQL injection," but I won't quibble. This paragraph isn't about SQL injection, but is noteworthy:

"While the initial attack vector was SQL Injection, the overall attack more closely resembles a Cross-Site Scripting methodology as the end goal of the attack was to have malicious JavaScript execute within victims' browsers," the WHID report says. "The JavaScript calls up remote malicious code that attempts to exploit various known browser flaws to install Trojans and Keyloggers in order to steal login credentials to other web applications."

The point that's interesting here is that browser vulnerabilities are the real target. We may be talking about the rise in web application attacks, but they're actually targeted at the users of those web applications. We may all scoff a little at Microsoft's monthly IE roll-up bulletin, but perhaps we should scoff just a little less next month.
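The chain the report describes ends with script injected into a site's database being served to every visitor, so one defensive check is to sweep the content store for script references pointing off-site. The following is an added example, not code from the post or from nCircle; the table layout, host names and sample rows are all constructed, and it generalizes the idea to every text column in an SQLite database.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample data standing in for a site's content database. The host
# names are placeholders, not indicators from any real campaign.
SAMPLE_PAGES = [
    (1, "Welcome to our store", "Our mission <b>statement</b>"),
    (2, "Spring sale", 'See details<script src="http://malicious.example/x.js"></script>'),
    (3, "About", '<script src="//cdn.example.com/site.js"></script>About us'),
]
SAMPLE_COMMENTS = [
    (1, 'Nice site<script src="https://evil.example/k.js"></script>'),
    (2, "<script>var inline = 1;</script>no remote source here"),
]

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?([^"\'>\s]+)', re.I)

def quote_ident(name):
    """Double-quote an SQL identifier taken from sqlite_master."""
    return '"' + name.replace('"', '""') + '"'

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body VARCHAR(500))")
    # Parameterized inserts: the write path a mass-injection campaign abuses
    # is string concatenation, which this code never does.
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    conn.executemany("INSERT INTO comments VALUES (?, ?)", SAMPLE_COMMENTS)
    return conn

def text_columns(conn, table):
    # PRAGMA table_info columns: cid, name, type, notnull, dflt_value, pk
    rows = conn.execute(f"PRAGMA table_info({quote_ident(table)})").fetchall()
    return [r[1] for r in rows
            if any(t in (r[2] or "").upper() for t in ("CHAR", "TEXT", "CLOB"))]

def find_injected_scripts(conn, trusted_hosts):
    """Return (table, column, rowid, url) for every stored text value that
    loads a script from a host outside trusted_hosts. Inline scripts with
    no src attribute are not flagged and need separate review."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in text_columns(conn, table):
            query = f"SELECT rowid, {quote_ident(col)} FROM {quote_ident(table)}"
            for rowid, value in conn.execute(query):
                for url in SCRIPT_SRC_RE.findall(value or ""):
                    host = (urlparse(url).hostname or "").lower()
                    if host not in trusted:
                        findings.append((table, col, rowid, url))
    return findings
```

Run against a copy of the production database and treat any hit as a sign the write path, not just the row, needs investigation.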


This page contains a single entry from the blog posted on February 27, 2009 1:11 PM.

Bio

Blog: The Lens
Author: Tim Erlin

Tim Erlin, CISSP, is a Principal Product Manager at nCircle, responsible for vulnerability management and configuration auditing. In his nearly 10-year tenure at nCircle, he has also held the positions of Senior Sales Engineer and QA Engineer. His career in information technology began with systems and network administration.
