Michael Sutton looks at the prevalence of SQL injection vulnerabilities (via Bruce Schneier). He tested 708 different servers and found verbose SQL errors on 80 of them (11.3%) - numbers that are not, as Michael says, surprising but are certainly sobering. [SQL Injection logo]

Michael acknowledges that his method is imperfect, and I think the real percentage is a lot higher. His test only catches sites that are vulnerable and also return verbose error messages. I guarantee there are countless others on his list that are just as vulnerable but fail "silently": the application swallows the database error and reports something like "user name not found" instead of the error text he was searching for.

If you're not familiar with SQL injection, and what can happen as a result, I suggest reading Steve Friedl's wonderful introduction in SQL Injection Attacks by Example. (Image above borrowed from his article).

Scott Guthrie also had a great post on how to avoid these problems. It isn't difficult: be aware of the issue, and don't build SQL by concatenating user input into the query text; pass values as query parameters instead.
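To make both points concrete, here is an added example (my own illustration, not code from Michael's, Steve's or Scott's posts) using Python's sqlite3 module against a constructed two-row users table. `login_dynamic_sql` builds the query by string concatenation and swallows database errors, so a probe such as a lone `'` looks like an ordinary failed login even though the same concatenation lets `alice'--` log in without a password; `probe_error` shows what a verbose site would leak instead; `login_parameterized` is the fix.

```python
import sqlite3

# Constructed sample data for this demo (not from the original post).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_dynamic_sql(conn, name, password):
    """VULNERABLE: user input is concatenated straight into the SQL text.

    Any database error is swallowed, so a probing single quote produces the
    same "user not found" answer as a wrong password. That is the "silent"
    failure that a scan for verbose error strings cannot see, yet the
    injection still works: name = "alice'--" comments out the password check.
    """
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # silent failure: indistinguishable from a bad login
    return row[0] if row else None


def probe_error(conn, name):
    """What a verbose site leaks: the raw database error for malformed input.

    Returns the error message (what an error-string scan would match), or
    None when the input parses cleanly.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return str(e)
    return None


def login_parameterized(conn, name, password):
    """SAFE: the SQL text is fixed; values travel separately as parameters.

    The driver never interprets the values as SQL, so "alice'--" is just a
    name that matches no row.
    """
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("dynamic, bypass:      ", login_dynamic_sql(db, "alice'--", "wrong"))
    print("dynamic, probe:       ", login_dynamic_sql(db, "'", "x"))
    print("verbose error leaked: ", probe_error(db, "'"))
    print("parameterized, bypass:", login_parameterized(db, "alice'--", "wrong"))
```

The probe line is the one to note: on a site written like `login_dynamic_sql`, a scanner that only looks for database error text sees nothing, while the comment-sequence payload on the line above it still bypasses the password check. Testing for verbose errors is a lower bound, not a count of vulnerable sites.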
