Experts question why programmers build SQL injection into their code.

Source: Internet
Author: User

Programmers without security training write SQL injection flaws directly into the functions of some web applications; once these applications go into use or are distributed to the affiliates of an online advertising network, their users are exposed to attack.

Applications have come to depend on this coding pattern. The problem is so common that some security vendors, including TippingPoint, ship their intrusion prevention system (IPS) with the SQL injection protection filter disabled by default, to avoid making customer applications unusable.

Rohit Dhamankar, director of security research at TippingPoint's DVLabs, said the company's IPS honeypot systems around the world have observed a surge in SQL injection attacks that exploit the SQL injection "functionality" built into some web applications. TippingPoint uses its IPS filters to capture attack attempts and track global threats, and it also anonymously tracks how customers configure their IPS.

Sometimes those who write these applications do not realize that they have inadvertently built SQL injection into the application as a feature, Dhamankar said. This attack occurs when an advertising company uses a vulnerable function, one open to SQL injection, to distribute reports to all of its affiliate companies.

The SANS Institute reported this week that SQL injection and cross-site scripting attacks are the two biggest problems on the Internet. These errors are often the ones companies overlook most easily. The largest data breach in the history of the United States was carried out using SQL injection.

Web application vulnerabilities in open-source and custom-built programs account for more than 80% of detected vulnerabilities, according to the SANS report. The study breaks SQL injection errors down into classes such as "SQL injection using SELECT SQL", "SQL injection using string functions", and "SQL injection using Boolean IDs", all of which can be corrected during the software development cycle, before a vulnerable application is deployed.

Dhamankar said such carelessly written online advertising code was what caused visitors to the New York Times website to run into trouble. Once the vulnerability is exposed, attackers can poison the ads and redirect visitors who click on them to malicious websites. Automated scripts on those sites check for vulnerable browser plug-ins and other unpatched applications, giving attackers a foothold to infect the victim's computer.

The New York Times partly relies on an ad distribution network. Not long ago, an approved advertisement was displayed normally, but the attacker subsequently replaced it with a malicious one that popped up a warning window claiming the user's computer was infected and urging them to click a link to remove the virus.

This problem has become very common, but experts say SQL injection errors are often difficult and expensive to fix; a single vulnerability scan can turn up thousands of them.

Dhamankar, one of the security experts presenting at the SANS meeting, said legitimate online advertising affiliates and other companies can use an IPS or a web application firewall (WAF) to stop such attacks, and should hold programmers accountable for their flawed code. Raising awareness and educating them should also be a priority, Dhamankar wrote in an email after the meeting.

"If the development department ensures that its employees have passed secure programming exercises and courses, it will reduce the occurrence of such events," he wrote. "Security testing of applications within the company or through a third party is another good way to ensure that web application vulnerabilities are discovered before they are put into production."
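As an added illustration of the pattern the experts describe above (the "Boolean ID" class of injection fixed during development, and the pre-production testing Dhamankar recommends), here is example code that is not from the article or from any company named in it: a report-lookup function that pastes an affiliate ID into the statement, the parameterized form that fixes it, and a regression check of the kind a development team could run before deployment. The table, the affiliate IDs and the test input are constructed.

```python
import sqlite3

# Constructed in-memory table standing in for an ad network's per-affiliate report store.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (affiliate_id TEXT, clicks INTEGER)")
    conn.executemany("INSERT INTO reports VALUES (?, ?)",
                     [("aff-001", 120), ("aff-002", 75), ("aff-003", 9)])
    conn.commit()
    return conn

def report_vulnerable(conn: sqlite3.Connection, affiliate_id: str) -> list:
    # The "SQL injection as a feature" pattern: caller input is pasted into the statement,
    # so the caller, not the developer, decides what the WHERE clause means.
    sql = f"SELECT affiliate_id, clicks FROM reports WHERE affiliate_id = '{affiliate_id}'"
    return conn.execute(sql).fetchall()

def report_fixed(conn: sqlite3.Connection, affiliate_id: str) -> list:
    # Parameterized query: the driver binds the value as data, so it can never
    # change the structure of the statement, whatever characters it contains.
    sql = "SELECT affiliate_id, clicks FROM reports WHERE affiliate_id = ?"
    return conn.execute(sql, (affiliate_id,)).fetchall()

def boolean_injection_check(lookup) -> bool:
    """SDLC regression check: True only if `lookup` treats a Boolean-tautology
    ID as a plain string (no rows) and still returns the right row for a real ID."""
    conn = make_db()
    benign = lookup(conn, "aff-002")
    hostile = lookup(conn, "x' OR '1'='1")   # constructed test input
    return benign == [("aff-002", 75)] and hostile == []

if __name__ == "__main__":
    # The concatenated version fails the check; the parameterized version passes it.
    print("vulnerable passes:", boolean_injection_check(report_vulnerable))
    print("fixed passes:     ", boolean_injection_check(report_fixed))
```

A check like `boolean_injection_check` belongs in the application's test suite so the flaw is caught before release rather than by an IPS filter in production.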

Rob Lee of Mandiant, a data forensics expert and SANS Institute lecturer, said his research shows that hackers are using phishing attacks and a variety of social engineering techniques to trick users into clicking malicious links. However, one third of attacks specifically use SQL injection against financial institutions and retailers with public websites, he said.

They break into public websites to gain access to credit card data on the backend, Lee said. "This is a bit like a burglary, but what they are looking for is credit card data."

There is no silver bullet that can protect organizations from attacks, said Ed Skoudis, founder and senior security consultant at InGuardians. Once malicious code is embedded in a website through SQL injection or other means, victims carry the malicious content back to machines inside their company, where the client software is not fully patched.

This calls for defense in depth, Skoudis said. Security experts cannot fall into the mindset that because sensitive data is not stored on the client, it does not matter whether the end user is infected.

"Once a bad guy breaks a client and has a foothold in the target environment, he won't stop there," Skoudis said. "After the client is compromised, attackers launch large-scale attacks against the company... Then they find the internal network servers, and you are fully compromised."
