Slashdot Mirror


Google Bots Doing SQL Injection Attacks

ccguy writes "It seems that while Google could really care less about your site and has no real interest in hacking you, their automated bots can be used to do the heavy lifting for an attacker. In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B."

8 of 156 comments

  1. could not care less by Anonymous Coward · Score: 5, Informative

    not just "could care less". Sheeesh.

    1. Re:could not care less by GodGell · Score: 3, Informative

      I'm more concerned with errors on non-idiomatic speech, like "should of" and "could of" instead of "should have" and "could have"

      THIS, a thousand times this!
      I'm not much of a grammar nazi, as I view communication to be the primary purpose of text and not syntax... but "should of" actively takes chunks out of my brain every time I read it. It honestly makes me feel like I'm trying to talk to a retard, it just makes so little sense.

      The worst part is, while currently it's almost exclusively native English speakers who make this mistake (which is pretty odd), soon enough people like me who learnt by practice are going to start using it en masse, and then it'll be here to stay (like "could care less" - another one perpetuated by native speakers, btw).

      --
      [SHOW SOME LENIENCY TOWARDS ... I mean, FUCK BETA] Eat. Survive. Reproduce. GOTO 10
  2. HTTP RFC - Section 9.1 Safe and Idempotent Methods by ChaseTec · Score: 4, Informative

    In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe".

    --
    My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
  3. Re:How about Yahoo "bots", Bing "bots" ? by aztracker1 · Score: 4, Informative

    What's funny is Bing has bots that will actually execute and follow through JavaScript requests... last year, I worked to refactor our link structure (normalizing, and reducing variance), this caused a reindex of the site (about 50k URLs), however Bing bots went nuts, and because they executed JS, this really affected our unique visitors on our Google Analytics (they don't actually filter bots). It looked like our unique visitors went up by 40% (all from 3 locations, all Microsoft), while our pages per visit plummeted. Bots are necessary, but can be dangerous if you don't account for them.

    --
    Michael J. Ryan - tracker1.info
  4. Re:Uhh... by Anonymous Coward · Score: 3, Informative

    I wholeheartedly agree. Database programming 101: you cannot trust any inputs (user or otherwise). You must assume that any input is malicious and sanitize it as such. Maybe the devs that are researching/complaining about this should consider the target as the problem, not the 12,000 different ways to input malicious code.

  5. Re:How about Yahoo "bots", Bing "bots" ? by icebike · Score: 3, Informative

    Why, it's not just bots! If you put a link out on a public web site, real people might even click on the link for you!

    Real people don't have to click that link. Their computers and devices have web browsers that follow links ahead of time to improve browsing experience. Chrome calls this "Predict network actions to improve page load performance".

    But such hits would come from a wide variety of IPs, not from Google.

    --
    Sig Battery depleted. Reverting to safe mode.
  6. Re:How about Yahoo "bots", Bing "bots" ? by Anonymous Coward · Score: 4, Informative

    No need to use links, either.

    Good old <img src="http://your.site.is/dumb?and=has+sql+injection%22;drop table users;--"/> would work just by visiting the site, as would an iframe, whether browser tries to be smart or not.

  7. Re:Uhh... by smellotron · Score: 4, Informative

    As long as you escape them properly

    Friends don't let friends generate dynamic SQL. Please use prepared statements!
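To show what comments 6 and 7 are getting at, here is an added example (not from the thread or from any poster): a GET handler that pastes a query parameter into SQL text, beside the same lookup done with a bound placeholder, both fed a constructed URL in the shape of the `<img src=...>` above. Assumptions: an in-memory SQLite database with a `users` table, and `executescript()` standing in for a driver that accepts stacked statements.

```python
import sqlite3
from urllib.parse import unquote_plus, urlparse

# Constructed URL modelled on the <img src=...> quoted above: the "and"
# parameter closes the string literal, stacks a DROP TABLE, and comments out
# the rest of the original query. %27 decodes to a single quote, + to a space.
CONSTRUCTED_URL = "http://your.site.is/dumb?and=has+sql+injection%27;drop+table+users;--"

def fresh_db():
    """In-memory database with a one-row users table, so every run starts clean."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO users (name) VALUES ('alice')")
    return db

def table_exists(db, name):
    """True if a table of that name is still in the schema."""
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None

def query_param(url, name):
    """Decode one query parameter as a crawler's GET would deliver it.
    Splits on '&' only, so the ';' inside the payload is kept intact."""
    for pair in urlparse(url).query.split("&"):
        key, _, raw = pair.partition("=")
        if key == name:
            return unquote_plus(raw)
    return None

def lookup_dynamic_sql(db, value):
    """Vulnerable: the parameter is pasted into the SQL text. executescript()
    stands in for a driver that runs stacked statements, so the injected
    DROP TABLE executes right after the intended SELECT."""
    db.executescript("SELECT name FROM users WHERE name = '" + value + "'")

def lookup_prepared(db, value):
    """Hardened: the whole value is bound to a placeholder as one literal,
    so the database never parses any part of it as SQL."""
    return db.execute("SELECT name FROM users WHERE name = ?", (value,)).fetchall()

def attack_via_dynamic_sql():
    """Return whether the users table survives the crawler-driven GET."""
    db = fresh_db()
    lookup_dynamic_sql(db, query_param(CONSTRUCTED_URL, "and"))
    return table_exists(db, "users")  # returns False

def attack_via_prepared():
    """Return (rows, table survives) for the same request against the safe code."""
    db = fresh_db()
    rows = lookup_prepared(db, query_param(CONSTRUCTED_URL, "and"))
    return rows, table_exists(db, "users")  # returns ([], True)
```

Because the payload rides on an ordinary GET, the only fix that holds is the one in comment 7: bind parameters, do not build query text.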