Video Demonstration of a simple, yet effective, SQL Injection Attack

Just came across a video on YouTube that gives a very simple demonstration of a SQL injection attack. It shows just how easy it is to get past JavaScript authentication controls, and how easy it is to inject SQL into a site once you take control of the web form.

Granted, it was a .NET site, and this hack would not work in modern versions of ColdFusion (unless the password was numeric or the developer was using PreserveSingleQuotes()), but it is food for thought about how easily sites can be hacked with simple techniques that even script kiddies can deploy.
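To make the point concrete, here is an added example (not from the original post or the video) in Python with an in-memory sqlite3 database. It contrasts a login query built by string concatenation, the same query with single quotes doubled (roughly what ColdFusion's cfquery does to string values unless PreserveSingleQuotes() is used), and a parameterized query, and it adds the server-side validation that the client-side JavaScript in the video was trusted to perform. The table, user record, and function names are constructed for the example.

```python
# Added example (not from the original post): a login check in Python/sqlite3
# showing why client-side validation alone does nothing, why string-built SQL
# is injectable, and why parameterized queries plus server-side validation
# are the fix. The schema, table contents and function names are constructed.
import re
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds SQL by concatenation: whatever the form submits becomes part of the
    query text. A single quote in the input ends the string literal, so the
    input is parsed as SQL rather than compared as data."""
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_escaped(conn, username, password):
    """Doubles single quotes before concatenation (what ColdFusion's cfquery does
    for string values unless PreserveSingleQuotes() is used). This only protects
    values that sit inside quotes in the SQL text."""
    u = username.replace("'", "''")
    p = password.replace("'", "''")
    sql = f"SELECT id FROM users WHERE username = '{u}' AND password = '{p}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Sends values separately from the SQL text (cfqueryparam in ColdFusion).
    The input can never change the statement's structure, quoted or numeric."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def user_by_id_parameterized(conn, raw_id):
    """Numeric context: the value is not inside quotes in the SQL, so doubling
    quotes would give no protection at all. Validate the type on the server
    and still bind the value as a parameter."""
    if not re.fullmatch(r"\d{1,9}", raw_id):
        raise ValueError("id must be a positive integer")
    row = conn.execute("SELECT username FROM users WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_server_side(username, password):
    """The check the page's JavaScript was trusted to enforce, repeated on the
    server, where the client cannot switch it off or edit the form."""
    return bool(USERNAME_RE.fullmatch(username)) and 1 <= len(password) <= 128


def login(conn, username, password):
    """Complete server-side login: validate first, then query with parameters."""
    if not validate_server_side(username, password):
        return False
    return login_parameterized(conn, username, password)


def quote_breaks_concatenated_query(conn):
    """True when a single quote in the submitted password makes the concatenated
    statement malformed, i.e. the input reached the SQL parser as code, not data."""
    try:
        login_vulnerable(conn, "alice", "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("concatenated query broken by a quote:", quote_breaks_concatenated_query(conn))
    print("escaped query, quoted password:", login_escaped(conn, "alice", "o'brien"))
    print("parameterized, good credentials:", login(conn, "alice", "correct horse"))
    print("parameterized, quoted password:", login(conn, "alice", "o'brien"))
```

The concatenated version fails as soon as a password containing a quote reaches it, which is exactly the symptom that tells an attacker the field is injectable; the escaped and parameterized versions simply treat the quote as part of the password and return no match. Note the separate numeric lookup: quote escaping does nothing for an unquoted value, which is the "unless the password was numeric" caveat above, and binding the value as a typed parameter is what closes that gap.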

Comments
Video shows why validating on the client side only is a very bad idea.
# Posted By Larry Boucher | 8/5/08 10:48 AM
@Larry, yes, it shows that too :)
# Posted By Jason Dean | 8/5/08 10:54 AM
Odds that it is fixed now?
# Posted By Joshua Cyr | 8/5/08 12:10 PM
@josh, I'd say pretty good. But you never know. I guess there is only one way to find out ;)
# Posted By Jason Dean | 8/5/08 12:35 PM
Why doesn't he just turn javascript OFF in the browser?

Would have saved him some of this work anyway - (the validation anyway)
# Posted By Kevin penny | 8/6/08 3:26 PM
@Kevin, I think it was more for demonstration purposes. Even if he did not need to for that particular attack, it shows how it is to do it. If he was trying to deploy a more sophisticated attack, he may have also needed to change some "maxlength" values. But you're right, in that case, and in many, disabling JS would probably be enough. You could also use a FF plugin like TamperData to get past maxlength restrictions.
# Posted By Jason Dean | 8/6/08 4:07 PM
Thanks for the preso last night - have a great week

happy hacking
# Posted By Kevin penny | 8/7/08 9:52 AM