According to this report from HP, more than half of the Web apps they tested contained SQL Injection and Cross-Site Scripting flaws. Now, neither of these exploits is new. What is news is how both of these chestnuts still keep hackers plenty busy.
The report (which our colleague Dan Rowinski has written about here) has lots of other good information in it, but what caught my eye is this timeline (click to enlarge) showing how long SQL Injection has been with us, almost as long as the Web as been around. It still tops the list of Web app exploits by OWASP here.
SQL Injection was first mentioned by Rain.Forest.Puppy in Phrack magazine back in 1998, when s/he cautioned readers “don’t assume [any] user’s input is ok for SQL queries.” Shortly thereafter, the popular tech comic strip xkcd came out with its take on SQL Injection and since then “little bobby tables” has been the popular name for this attack.
Have we learned anything in the 13-some years since then? Not as much as we should. Many of the spectacular exploits this year by Anonymous and LulzSec were SQL exploits, and then sites run by security specialists such as Barracuda Networks certainly should have known better. It is time to stamp out this scourge once and for all. Let’s not have another year go by with new exploits.
