During our analysis of “Hack This Site”, I noticed the header ad for the “NETSPARKER”– a tool that would scan your website searching for SQL injection vulnerabilities. I just happened to learn what this particular hack was last night while browsing Kevin (security consultant and hacker icon) Mitnick’s twitter timeline:
— Kevin Mitnick (@kevinmitnick) November 18, 2013
I did not get what was so funny at all, but it seemed to make all these hackers lol– I had to figure out what was going on!
Search bars, login portals… entry fields on a website can be a vulnerable point of access hackers may attempt to exploit. As I understand it, (and I could very well be wrong, so if any of y’all have a better explanation please jump in!)SQL is a programming language utilized for database management. A hacker may enter interjection commands into the entry field, such as the ones seen healthcare.gov’s search autocomplete above, in order to gain access to the database. These interjections seem to be a fairly simple hack, as well as fairly simple to secure against. I found an article on hackthissite.org discussing sql interjections– learning how to hack a site is a good way to understand how to make your own site more secure. Yet, the site does encourage curiosity, as well as ‘sticking it to the man’. Maybe some trainees from the hacker underground were looking for vulns??
This XKCD also humourously references an SQLI attack (with explanation!): http://www.explainxkcd.com/wiki/index.php?title=327:_Exploits_of_a_Mom