
Script kiddies learn grown-up hacking techniques

Dan Ilet ZDNet.co.uk

Published: 13 Jan 2005 15:10 GMT


SQL injection hacking techniques are starting to be used by script kiddies -- inexperienced hackers with limited technical skills -- who are learning from a growing number of online help guides on database hacking.

According to Jason Hart, head of security for Whitehat UK, SQL injections have become common among this group. Until now, because of its complexity, this technique has generally only been associated with serious hackers.

"There's been a huge increase in guides on the Web to take you through this process," said Hart on Thursday.

"Traditionally the SQL injection was a dedicated hacker's technique. People who put up the usual defences, such as firewalls and regular patching, may not be protected against this. The upshot is security is not just at the perimeter, it has to work at the core of the network."

Every Web site with a search facility has a back-end database to answer queries. When particular queries are entered against the Web site, the database returns error messages that hackers can use to extract detailed system information, such as version numbers and database structure.

Because SQL injection attacks work at the application level, most firewalls are unable to prevent them. A more sophisticated security product such as an Intrusion Detection System, which can examine the contents of each packet of data, may give more protection.

Last year Oracle Applications admitted that its products contained flaws that could let hackers commandeer databases by injecting SQL code into query windows.



Full Talkback thread

1 comment

  1. SQL Injection is not a problem if the application... John McVey
