SQLi Is Back With A Small TwIST
Posted by
Brad Wood
Aug 16, 2008 19:40:00 UTC
Well, after a brief hiatus, the SQL Injection attacks have reconvened with a small change. They have modified the capitalization of a couple of words in the URL: "DECLARE" has become "DeCLARE", and "EXEC" has become "ExEC". This is obviously to get around people who employed case-sensitive filtering mechanisms. This may be a simple fix if your filtering has stopped working, but to me it is just more proof of how brittle request filtering can be. I kind of wonder if the attackers pay any attention to our blogs and talk lists to better counter our defenses.
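To make the point concrete, here is an added example (not code from the original post) that runs a naive case-sensitive keyword filter and a normalized detector over a few constructed request lines. The request paths, the `DECLARE @var ... EXEC(...)` shape of the query string and the helper names are assumptions for the illustration; the recased variant slips past the literal match but not the decoded, case-folded one.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (hypothetical, not taken from the post).
SAMPLE_REQUESTS = [
    "GET /products.cfm?id=42 HTTP/1.1",
    "GET /products.cfm?id=42;DECLARE%20@s%20varchar(4000)%20EXEC(@s) HTTP/1.1",
    "GET /products.cfm?id=42;DeCLARE%20@s%20varchar(4000)%20ExEC(@s) HTTP/1.1",
    "GET /search.cfm?q=declare+of+independence HTTP/1.1",
]

# The kind of literal, case-sensitive keyword list the post describes being bypassed.
CASE_SENSITIVE_TOKENS = ("DECLARE", "EXEC")

# Normalized detector: match case-insensitively after URL-decoding, and require
# T-SQL context (a variable after DECLARE, a parenthesis after EXEC) so ordinary
# search text containing the word "declare" does not trigger it.
SQL_CONTEXT_RE = re.compile(r"\bdeclare\s+@\w+|\bexec\s*\(", re.IGNORECASE)


def query_string(request_line: str) -> str:
    """Return the raw query string from an HTTP request line ('' if none)."""
    target = request_line.split(" ")[1] if " " in request_line else request_line
    return target.partition("?")[2]


def case_sensitive_hit(request_line: str) -> bool:
    """Literal keyword filter: misses any change of letter case."""
    qs = unquote_plus(query_string(request_line))
    return any(token in qs for token in CASE_SENSITIVE_TOKENS)


def normalized_hit(request_line: str) -> bool:
    """Decode, fold case, and look for the keyword in SQL context."""
    qs = unquote_plus(query_string(request_line))
    return SQL_CONTEXT_RE.search(qs) is not None


def classify(requests):
    """Return (request, literal_filter_hit, normalized_hit) for each line."""
    return [(r, case_sensitive_hit(r), normalized_hit(r)) for r in requests]


if __name__ == "__main__":
    for line, literal, normalized in classify(SAMPLE_REQUESTS):
        print(f"literal={literal!s:5} normalized={normalized!s:5} {line}")
```

Even the normalized version is still a keyword filter; it buys time against this particular recasing, not a guarantee.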
Here is a graph to show the rate of the attacks on my server. They haven't reached the same level they were last week, but they are definitely there.