"But these attacks demonstrate that some organisations building web applications are still woefully behind the bad guys."
West believes that the solution to this and similar problems is a software development lifecycle designed to build in security from the ground up.
"Security is a critical attribute during the design, building, testing and deployment phases," he said.
"Software developed without a full-lifecycle approach, and the right tools to support each phase, is destined to suffer security compromises."
The tool behind the attack harnesses Google to search for sites that include a file type and parameter that appear to be susceptible to SQL injection.
The script then uses this list of targets to mount a persistent cross-site scripting attack that embeds malicious JavaScript/HTML in the vulnerable application and infects all visitors to the site.
"Although this wave of attacks targets an application vulnerability that is the result of poor programming, it is indicative of the larger problem," said West.
"The software engineering and security fields need to provide developers with APIs that make it easier to get security right, and better tools and processes to ensure that the software they build with these APIs is secure."
.png&w=120&c=1&s=0)
Tech in Gov 2025
Forrester's Technology & Innovation Summit APAC 2025
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
.jpg&h=271&w=480&c=1&s=1)
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
