SQL injection tops plenty of lists as the most prevalent means of attacking front-end Web applications and the back-end databases behind them to compromise data. According to recently published reports, analysis of the Web Hacking Incidents Database (WHID) shows SQL injection as the top attack vector, accounting for 19 percent of all security breaches WHID examined.
Similarly, in the "Breach Report for 2010" (PDF) released by 7Safe earlier this month, a whopping 60 percent of all breach incidents examined involved SQL injections.

"One of the reasons we're seeing such an increase in SQL injections is actually sort of what we've dubbed the 'industrialization' of hacking," says Brian Contos, chief security strategist for Imperva. "It's this notion of smart SQL injections leveraging things like Google searches, automation through bots, and various other technologies to carry out sophisticated, automated attacks."

SQL injection attacks are generally carried out by supplying crafted input (a login field, a search box, a URL parameter) to a front-end Web application that concatenates that input into a SQL statement and runs it under its own database account. Because the attacker's text is parsed as SQL syntax rather than treated as data, it changes the logic of the statement, and the database returns or modifies more than the developer intended.
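The mechanism described above, shown as an added example that is not part of the original article: a login check that builds its statement by string concatenation sits beside the same check written as a parameterized query. The table, the user rows and the two payloads are constructed for this demonstration and are assumptions, not data from the article or from WHID or 7Safe. The code uses only Python's standard-library sqlite3 module, so it runs offline.

```python
import sqlite3

# Constructed sample data (hypothetical, not from the article): a minimal users table.
SAMPLE_USERS = [
    ("alice", "s3cret-pass", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Create an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    return conn


def build_login_query_vulnerable(username, password):
    """Deliberately vulnerable: user input is spliced into the SQL text, so quote
    characters and keywords in the input become part of the statement's grammar."""
    return (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )


def login_vulnerable(conn, username, password):
    """The 'before' form: executes whatever statement the input produced."""
    return conn.execute(build_login_query_vulnerable(username, password)).fetchall()


def login_safe(conn, username, password):
    """Hardened form: the statement shape is fixed at write time and the inputs are
    bound as values, so a quote or a comment marker is just characters in a string."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()

    # Legitimate use behaves the same either way.
    print(login_vulnerable(conn, "bob", "hunter2"))
    print(login_safe(conn, "bob", "hunter2"))

    # Tautology payload: closes the quote and appends OR '1'='1', so the WHERE
    # clause is true for every row and the query hands back every user, admin included.
    tautology = "' OR '1'='1"
    print(build_login_query_vulnerable(tautology, tautology))
    print(login_vulnerable(conn, tautology, tautology))
    print(login_safe(conn, tautology, tautology))  # no rows: the payload is compared as a literal

    # Comment payload: closes the quote after a real username and comments out the
    # rest of the statement, removing the password check entirely.
    print(build_login_query_vulnerable("alice' --", "wrong"))
    print(login_vulnerable(conn, "alice' --", "wrong"))
    print(login_safe(conn, "alice' --", "wrong"))
```

Printing the generated statement next to its result is the quickest way to see why the fix works: in the vulnerable path the payload visibly rewrites the query, while the parameterized path never changes the statement text, only the bound values.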

Part of the reason for such a huge rise in SQL injection during the past year to 18 months is that criminals are increasingly using automated SQL injection attacks powered by botnets to hit vulnerable systems, Contos says. They use the attacks both to steal information from databases and to inject malicious code into those databases as a means to perpetrate further attacks.

The link for this article located at Dark Reading is no longer available.