
This is known as input validation, Sima says. Following this procedure would eliminate about 80 percent of vulnerabilities, he estimates. Attackers would still be able to inject SQL into a database, for example, but their commands would go unheeded.
“From a web development perspective, I tell people there's only one thing they need to do,” he says. “Make that the number one priority.”
If done properly, input validation could prevent hackers from being able to add a few extra characters to a URL string or web form, which could allow them to extract database assets or insert IFRAME tags – HTML code inserted into a legitimate web page – to secretly reroute victims to malicious sites.
Traditional network defense solutions do not work when it comes to the web, Grossman adds.
“You can't firewall off a website, so firewalls aren't going to do anything good, and all the exploits are going to be unique because all the websites have custom code,” he says. “Standard intrusion detection signatures won't catch these types of attacks.”
Many sites are forced to go offline as a result of attacks. As a short-term fix, Grossman suggests trying to fix the broken code. But if that fails, companies should consider investing in a web application firewall.
“You just can't go magically back and fix every line of code that has a problem with it,” he says. “It would just take too much time.”
Cross-site scripting, or XSS – which involves malware writers running malicious scripts in an unknowing victim's web browser to steal cookies or to launch a phishing attack – is the most common web vulnerability. XSS attacks target the client, with a trusted website unintentionally acting as a conduit.
SQL injections, on the other hand, involve attacks on the server to gain access to the database. They are far and away the most exploited web vulnerability. If XSS flaws made news in 2007, then SQL injections clearly have the lockdown on 2008.
According to a July report from ScanSafe, a San Mateo, Calif.-based web security firm, SQL injection attacks have spiked 212 percent from January to June of this year. In June alone, SQL injection made up 76 percent of all compromised sites.
For years, these attacks have been used to extract database contents – some of the biggest reported identity theft heists have been caused by SQL injection – but most recently they have been leveraged to insert malicious content into websites, with the hope of infecting users' machines.
Modifying databases
Mary Landesman, senior security researcher at ScanSafe, says that since about October, attackers have leveraged publicly available tools to search Google for websites vulnerable to SQL injection and then launched attacks. Since then, estimates place the number of compromised pages at upward of two million.
These vulnerabilities commonly lie in sites that use Microsoft's ASP (Active Server Pages) to display information stored in the SQL Server database, she says. Because attackers are able to modify the database, they are able to modify what appears on the web pages.
“The coding choices that the developer makes dictate how that SQL Server is going to handle queries,” Landesman says. “If they haven't given context to the queries that the database is going to receive, the database could act on the query as if it's a command.”
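As an added illustration (not code from the article or from anyone quoted in it), the contrast Sima and Landesman describe: a lookup that pastes a URL parameter straight into the SQL text, beside one that validates the parameter and binds it, so that injected SQL arrives as data and goes unheeded. SQLite and a constructed "articles" table stand in for ASP and SQL Server here; the table, rows and function names are assumptions for this example.

```python
import sqlite3

# Constructed sample content for a hypothetical news site; the table and
# rows are assumptions for this example, not data from any real site.
SAMPLE_ROWS = [(1, "Welcome", "public"), (2, "Staff memo", "internal")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, article_id):
    # The URL parameter is concatenated into the SQL text, so the database
    # receives it without context and acts on it as part of the command.
    sql = "SELECT title FROM articles WHERE id = " + article_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, article_id):
    # Bound parameter: the driver hands the value to the engine as data,
    # so even a hostile string cannot change the structure of the query.
    rows = conn.execute("SELECT title FROM articles WHERE id = ?", (article_id,))
    return [row[0] for row in rows]


def is_valid_id(article_id):
    # Allowlist check: this parameter is meant to be a positive integer,
    # so anything else is rejected before any query is built at all.
    return article_id.isdigit() and int(article_id) > 0


def lookup_safe(conn, article_id):
    # Both layers together: validate the input, then bind it as a parameter.
    if not is_valid_id(article_id):
        return []  # refuse the request rather than forward it to the database
    return lookup_parameterized(conn, int(article_id))
```

With the concatenated query, a parameter of `1 OR 1=1` returns every row; the parameterized version compares the whole string against the integer column and matches nothing, and the validated version never sends it at all.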
In most cases, the attackers place JavaScript code into the database, which creates an IFRAME to silently call in the actual malicious payload from another site, WhiteHat's Grossman says. Machines that are vulnerable to a particular flaw, usually a browser vulnerability, can be infected with malware, such as a password-stealing trojan or botnet-building backdoor.