Welcome to IWETHEY!

Nobody could have predicted an SQL Injection attack.
http://www.balloon-j...14/the-lulz-boat/

:-/

Cheers,
Scott.
Re: Nobody could have predicted an SQL Injection attack.
https://www.owasp.or...P_Top_Ten_Project
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Hmmm....
Thanks for the link. I hope it gets more visibility.

I chuckled, though, when I saw this:

Users and Adopters

The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process (DIACAP).

In the commercial market, the Payment Card Industry (PCI) standard has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including:

A.G. Edwards
Bank of Newport
Best Software
British Telecom
Bureau of Alcohol, Tobacco, and Firearms (ATF)
Citibank

[...]


Hmmm.

[edit:] TheReg has more - http://www.theregist...site_hack_simple/ (via the OWASP News page)

Cheers,
Scott.
Edited by Another Scott June 15, 2011, 11:44:16 AM EDT
There is a difference...
... between management thinking they are using it, and the developers actually living it.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Could be they only used it in some places.
E.g. they might use it for CC transactions but not on the web interface for personal retail banking. As others have commented, they're no doubt much more careful in their CEO's personnel records and the CDS business security than they apparently are in dealing with their lowly customers' info... :-/

Cheers,
Scott.
Calling this SQL injection implies too much skill
SQL injection might be somewhat of an equivalent, but it isn't really the same thing. SQL injection is a much more sophisticated attack that requires a fair amount of computer knowledge, something only an actual programmer could create. This URL hack is something any reasonably bright person might come up with.

Jay


No, they did that too.
There was a SQL injection attack as well as the URL substitution one.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
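The two techniques named in this subthread, URL substitution (editing the account number in the address bar) and SQL injection, shown side by side against a toy account table. This is an added example, not code from the thread and not the bank's code; the accounts and card numbers are constructed sample data, the handler names are hypothetical, and it uses only Python's standard sqlite3 module. The first pair of functions has no injection at all, which is the point: the query is parameterized, and the flaw is purely a missing ownership check. The second pair shows the injection proper and the parameterized fix.

```python
import sqlite3

# Constructed sample data for this example (not from the page or any real bank):
# account number, owning user, card number.
SAMPLE_ACCOUNTS = [
    (1001, "alice", "4111111111111111"),
    (1002, "bob", "5500000000000004"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct_no INTEGER PRIMARY KEY, owner TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


# --- 1. URL substitution (insecure direct object reference) -------------------
# The query is parameterized, so there is no injection here. The flaw is that
# the handler trusts the account number taken from the URL and never checks that
# the logged-in user owns it: changing 1001 to 1002 in the address bar is enough,
# no SQL knowledge required.
def lookup_idor(conn, acct_no_from_url, logged_in_user):
    return conn.execute(
        "SELECT owner, card FROM accounts WHERE acct_no = ?",
        (acct_no_from_url,),
    ).fetchone()


# Hardened form: scope every lookup to the authenticated principal, so a
# substituted account number the user does not own returns nothing.
def lookup_scoped(conn, acct_no_from_url, logged_in_user):
    return conn.execute(
        "SELECT owner, card FROM accounts WHERE acct_no = ? AND owner = ?",
        (acct_no_from_url, logged_in_user),
    ).fetchone()


# --- 2. SQL injection ---------------------------------------------------------
# Here the attacker's input is spliced into the SQL text, so a crafted value
# rewrites the query. The payload used in demo() closes the string literal and
# appends an always-true condition, returning every row in the table.
def lookup_injectable(conn, owner_from_form):
    query = "SELECT owner, card FROM accounts WHERE owner = '" + owner_from_form + "'"
    return conn.execute(query).fetchall()


# Hardened form: bind the value as a parameter. The driver passes it as data,
# so the same payload is just an owner name that matches nothing.
def lookup_parameterized(conn, owner_from_form):
    return conn.execute(
        "SELECT owner, card FROM accounts WHERE owner = ?", (owner_from_form,)
    ).fetchall()


def demo():
    """Run both attacks against the vulnerable and the hardened handlers."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        # alice asks for bob's account by editing the URL
        "idor_leaks_bob": lookup_idor(conn, 1002, "alice"),
        "scoped_blocks_bob": lookup_scoped(conn, 1002, "alice"),
        # classic injection payload submitted through the owner field
        "injection_rows": len(lookup_injectable(conn, payload)),
        "parameterized_rows": len(lookup_parameterized(conn, payload)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the IDOR handler returning bob's card to alice while the scoped handler returns nothing, and the concatenated query returning all rows for the injection payload while the parameterized one returns none.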
Hogwash (responding to the subject line.)
Anyone running a webapp that has any sort of credit card data with any sort of SQL backend MUST be actively checking for SQL injection opportunities (among many other things). Like Greg said, some PCI auditor's ass is on the line for this (among others, certainly). And the rest of us who are doing it right will pay for this in increased scrutiny by those who rarely understand the technologies they're auditing, new rules in scanning databases, and new PCI requirements. IOW, the cost of compliance in the credit card arena just went up a few ticks.
Understood.
The Subject was a bit of snark on my part, a takeoff on Condi's famous line - http://www.salon.com...2005/09/14/planes

Cheers,
Scott.
:)
     Citigroup hackers used trivial technique - (jay) - (14)
         Are you kidding me? - (malraux)
         Nobody could have predicted an SQL Injection attack. - (Another Scott) - (9)
             Re: Nobody could have predicted an SQL Injection attack. - (malraux) - (3)
                 Hmmm.... - (Another Scott) - (2)
                     There is a difference... - (malraux) - (1)
                         Could be they only used it in some places. - (Another Scott)
             Calling this SQL injection implies too much skill - (jay) - (1)
                 No, they did that too. - (malraux)
             Hogwash (responding to the subject line.) - (Steve Lowe) - (2)
                 Understood. - (Another Scott) - (1)
                     :) -NT - (Steve Lowe)
         I'd hate to be the PCI Auditors - (folkert) - (1)
             Oooh... good point. -NT - (static)
         Interesting comment to the legal folk - (Ashton)
