• Watch
  • Listen
  • Live Stream
Security Weekly
Security Market Validation
  • Listeners
    • Subscribe
    • Insider List
    • Suggest a Guest
  • Shows
    • Paul’s Security Weekly
    • Enterprise Security Weekly
    • Business Security Weekly
    • Application Security Weekly
    • Security & Compliance Weekly
    • Security Weekly News
    • Tradecraft Security Weekly
    • Secure Digital Life
  • Series
    • CISO Stories
    • Getting the Real Work Done in Cybersecurity
  • Webcasts/Trainings
    • Registration
    • On-demand
  • Articles
  • Partners
    • Become a Partner
    • Landing Pages
  • Hosts
  • Company
    • About
    • Careers
    • Contact

Application Security/ Articles/ Configuration Management

Mass SQL injection attacks… due to a config issue??

Paul Asadoorian insecure configuration, sql injection October 26, 2011

Reading this article was an exercise in frustration. Mass SQL Injection Attack Hits 1 Million Sites. The sum of it is that over a million ASP.Net websites were written and put online after someone had deliberately disabled input validation. This isn’t an insecure default. Folks turned off the security feature on purpose!
I’ve worked on a lot of software projects and can picture what probably happened all too well. Someone was working on some piece of the web application and ran into a validation error when testing the site. Maybe they had a deadline coming up, or just gave up figuring the problem out. Hopefully it wasn’t a case where they just didn’t care. The end result was rather than figure out what triggered the issue and work through it, someone brought up the idea of turning off the validation.
It was a small change. Just flip this:
<%@ Language="C#" ValidateRequest="true" %>
to this:
<%@ Language="C#" ValidateRequest="false" %>
easybutton.jpg
Hey it works! At least until they got owned. Then it was lots of stress, work and fear of unemployment.
This not a problem limited only to ASP.Net developers. Think back and remember the times that a firewall rule was set to default permit because someone was in a hurry. Or the time that someone got frustrated figuring out file system permissions and gave the Everyone group Full Control to a directory. Or worse, set that daemon to run as root. It happens and it’s all too tempting while in full firefighting mode or coming up on a deadline. But is it really worth it? Or do we find out later that the Easy Button really was the wrong one?
wrongbutton_edit.jpg
Take some time and save yourself or co-workers the grief. Resist the urge to push the Easy Button and don’t give an attacker an easy shot.

Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Facebook (Opens in new window)

Related Posts

web-application-firewall-comparison-696x423

Application Security /

Building a More Secure AppDev Process

uptrend line arrows with bar chart in stock market on blue color background

Articles /

Ransomware Damage Claims Driving Insurance Hikes

Picture1

Configuration Management /

Web App and API Security Needs to Be Modernized: Here’s How

‹ What Does Duqu Actually Do? › A Separate, Highly Secure Internet

About Security Weekly

Security Weekly is the security podcast network for the security community, distributing free podcasts and media since 2005. We connect the security industry and the security community through our security market validation programs.

More Than Just A Sponsor

We view our relationships with the security industry as partnerships, not sponsorships. Security Weekly works closely with each partner to help you achieve your marketing goals and gain traction in the security market. Interested in becoming a partner? Please visit our partnerships page.

Back to Top

Subscribe To The Blog:

RSS feed RSS - Posts

Search

Latest Tweets

Tweets by @secweekly
© Security Weekly 2022
Powered by WordPress • Themify WordPress Themes