+44 (0)1252 377321 | info@activityim.com

Systems. Secure.

April 2009

Buying Solutions Extension; Activity Consultant Authors Book on SQL Injection

Activity have received confirmation from Buying Solutions that their entry on the ICT Consultancy Framework Agreement for IT Security Consultancy has been extended to 31st July 2009. The Framework was originally due to expire at the beginning of May.

Activity Consultant Authors Book on SQL Injection

Activity have assessed many web applications, ranging from very simple applications to sophisticated and technically complex ones such as dynamic Internet and Intranet portals, e-commerce sites, partner extranets, and HTTP-delivered enterprise applications such as document management systems and ERP applications. One vulnerability repeatedly found in the applications assessed is SQL injection.

SQL injection is one of the most devastating vulnerabilities to impact a business, as it can lead to exposure of all of the sensitive information stored in an application’s database, including information such as usernames, passwords, names, addresses, phone numbers, and credit card details. SQL injection vulnerabilities can often also be leveraged by an attacker to take control of the underlying operating system of the database server, allowing the attacker to use the system as a stepping stone into a target network. The vulnerability was first publicly reported in 1998.
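The exposure described above comes from letting user input become part of the SQL statement itself. The following is an added illustration, not code from the original newsletter, the book, or Activity's Bobcat tool: it places a query built by string concatenation beside the same query written with a bound parameter, runs both against a constructed in-memory SQLite table, and shows that only the concatenated version lets a crafted username return every row. The table, rows and function names are all assumptions made for this example.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the query is assembled by string concatenation,
    so characters in `username` are interpreted as SQL syntax."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the value is bound as a parameter and is only ever
    treated as data, never as part of the statement."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo(username):
    """Run both lookups on a fresh database and return (vulnerable, hardened) results."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed username behaves identically in both versions.
    print(demo("alice"))
    # A value carrying quote characters changes the meaning of the
    # concatenated statement but is harmless when bound as a parameter.
    print(demo("x' OR '1'='1"))
```

The two lookups differ only in how the username reaches the database engine; that single difference is what separates "returns the row for one user" from "returns the whole table", which is why parameterized queries (or an equivalent data/code separation) are the primary mitigation.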

Dave Hartley (Activity’s Crest Certified Consultant and lead Application Tester) authored a tool (Bobcat) in 2005 to aid a security consultant in taking full advantage of SQL injection vulnerabilities and automating the process of exploitation. The purpose of the tool was initially to demonstrate to clients how simply and easily this vulnerability could be exploited, to devastating effect, by an attacker with very limited skill or expertise. The public version of the tool was released on 5th February 2006 to aid other security practitioners in their ethical application assessments, in the hope that its use would help ensure the vulnerability would be eradicated from web applications once and for all. Sadly, the situation has not improved all that much, and Activity continues to find SQL injection and other code injection flaws in many of the applications that we assess.

Starting in early 2008, hundreds of thousands of web sites were compromised by means of an automated SQL injection attack. A tool was used to search for potentially vulnerable applications on the Internet, and when a vulnerable site was found the tool automatically exploited it. Many web applications were compromised so that their web pages were embedded with a malicious script that would install malware onto the computers of the users using the application or visiting the web site. It was a very effective attack. Significant sites, such as ones operated by government agencies, the United Nations, and major corporations, were compromised and infected by this mass attack. This attack and Activity’s own experiences demonstrate that SQL injection vulnerabilities are just as prevalent in applications today as they were in 1998, over 10 years ago!

SQL injection represents one of the most dangerous and well-known, yet misunderstood, security vulnerabilities on the Internet, largely because there is no central repository of information available for penetration testers, IT security consultants and practitioners, and web/software developers to turn to for help. This situation prompted Dave Hartley (Activity’s Crest Certified Consultant and lead Application Tester) and a number of security practitioners and like-minded individuals to author a book devoted exclusively to this long-established but recently growing threat.

The book is called “SQL Injection Attacks and Defense”. The author list is as follows: Justin Clarke, Dave Hartley, Joe Hemler, Alexander Kornbrust, Rodrigo Marcos, Haroon Meer, Gary Oleary-Steele, Alberto Revelli, Marco Slaviero and Dafydd Stuttard.

SQL Injection Attacks and Defense is the definitive resource for understanding, finding, exploiting, and defending against this increasingly popular and particularly destructive type of Internet-based attack. It provides a complete understanding of SQL injection, from the basics of the vulnerability through discovery and exploitation to prevention and mitigation measures.

SQL Injection Attacks and Defense will be available from all good book stores in May/June 2009.