Friday, April 3, 2009

Application Security 1A

There's a fascinating demo and supporting tool to be shown and released at the upcoming Blackhat in Amsterdam (http://tinyurl.com/djad82). The researcher is showing techniques that use SQL injection (typically used to reach database contents the attacker should not be able to access) to "take over" the SQL server, and from there to upload arbitrary privileged code onto the server, effectively allowing complete server takeover.

Gadzooks. The researcher says this is enabled by taking advantage of default settings in the SQL server, combined with SQL server and OS code that have flaws enabling buffer overflow attacks (don't understand those yet? Try here: http://en.wikipedia.org/wiki/Buffer_overflow).

A week ago I presented a webinar on "Application Security: A 360 Degree View" (which you should be able to find and watch here: http://www.arxan.com), and the focus was on the need for comprehensive security practices throughout the software development lifecycle.

So what's the final word from Mr. BlackHat researcher (Bernardo Guimaraes)? "I think that the attacks described are realistic threats when the Web application does not follow a proper security development life cycle and the database server is used with default configurations in place or is badly configured."

Ding dong! As Pogo said oh so long ago, "we have met the enemy, and they are us...".