1

I was wondering whether SQL injection is still a thing or if it is mainly extinct due to the fact that I don't hear about corporations being hit by this vulnerability, And the last time I heard an exploitation was a while ago!

And also currently what are the most popular methods of website attacks.

Mattz Manz
  • 113
  • 1
  • 5
  • 1
    Injection is number one at OWASP TOP 10 list, so I believe it serious threat. – user902383 Sep 03 '18 at 16:39
  • 2
    Related : https://security.stackexchange.com/questions/128412/sql-injection-is-17-years-old-why-is-it-still-around – Xavier59 Sep 03 '18 at 16:44
  • 1
    If you just go to StackOverflow and see some questions about SQL you will often ample examples of code not using prepared statements and blatantly being exposed to injections... The fact that you do not hear it in the news so much anymore is not that it does not happen anymore... and the contrary I would say it is happening so often that people stop writing about it; it is just background noise. – Patrick Mevzek Sep 03 '18 at 23:20
  • I really wish it wasn't a thing anymore, but it's still extremely common. A lot of projects I've encountered in my career, open source or proprietary, were, and sometimes still are, vulnerable. There are dozens of solutions to it, but programmers are either too lazy, too incompetent or both to actually use them. The second most common vulnerability is XSS, which is also easy to avoid, and still commonplace, because of the same reasons. In the end, a lot of programmers don't know what they are doing, but keep doing it anyways. – Morfildur Sep 04 '18 at 13:52

3 Answers3

4

Still a threat? Of course! It's one of the most exploited vulnerabilities out there! Just take a look on the SQL Injection Wall of Shame and see for yourself.

I don't think SQL Injection will ever become extinct. It arises from the fact that humans are writing programs, and humans are not perfect. And as long as we write code, with the deadline arriving at the horizon, we commit mistakes, and let open the door for SQL Injection.

ThoriumBR
  • 51,983
  • 13
  • 131
  • 149
2

Sql injection is still a thing and very effective. On new websites it's hard to find one but you can easily find it in a old website.

You may check OWASP for popular security vulnerabilities.

trizin
  • 149
  • 4
  • Given the number of people every day that post code on stack overflow or codereview that has blatant SQL injection vulnerabilities, I don't think you can make any assumptions about it being harder to find on new websites. My own system here at work is designed to make it hard to write code that is vulnerable to SQLi, but I've still had an experienced developer put in a blatant SQLi vulnerability and not even see it. That's why we have code review. Not everyone does though. Nor does everyone have systems that make it hard to open SQLi vulnerabilities... – Conor Mancone Sep 04 '18 at 13:48
  • 1
    Nowadays, almost everyone who has a interest in web developing knows at least a little about security vulnerabilities.It's not really hard to prevent a sql injection on a page, an indie developer can just make a google search and prevent his/her website from being injected. In the past those developers didn't have many resources about securing their website. Now people have more knowledge. So that makes it harder to find a sql injection on a new website. – trizin Sep 04 '18 at 14:09
2

As @ThoriumBR has already said, developers make mistakes, due to deadlines, or sometimes even lack of the knowledge. Therefore, the software should be tested from the security perspective during the development, before production stage, and even after production. Although there are many frameworks for different programming languages which has mechanism to prevent SQL injection attacks (ex: Microsoft's Entity Framework), SQL injection is still a thing.

You can check out recently found sql injection vulnerabilities on Exploit DB if you search with the keyword 'sql injection'. In the list, you can find out that, even the popular and widely used frameworks and applications have SQL injection vulnerabilities.

Pilfility
  • 452
  • 4
  • 14