Google Bots Doing SQL Injection Attacks

← Back to Stories (view on slashdot.org)

Google Bots Doing SQL Injection Attacks

Posted by Soulskill on Tuesday November 5, 2013 @12:19PM from the it's-not-a-bug,-it's-a-feature dept.

ccguy writes "It seems that while Google could really care less about your site and has no real interest in hacking you, their automated bots can be used to do the heavy lifting for an attacker. In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B."

17 of 156 comments (clear)

Min score:

Reason:

Sort:

could not care less by Anonymous Coward · 2013-11-05 12:22 · Score: 5, Informative

not just "could care less". Sheeesh.
1. Re:could not care less by Anonymous Coward · 2013-11-05 12:47 · Score: 5, Funny
  
  Means the same thing irregardless.
2. Re:could not care less by sootman · 2013-11-05 15:40 · Score: 4, Interesting
  
  It's probably laziness, but it could also be a shortened version of "I could care less, but I'd have to try."
  "Sure as hell" and "sure as shit" have no meaning either, right? How sure is hell, or shit? Those are shortened versions of "as sure as hell is hot" and "as sure as shit stinks". Language happens.
  I'm more concerned with errors on non-idiomatic speech, like "should of" and "could of" instead of "should have" and "could have", "try and" instead of "try to", and #1 on my list, "literally" meaning "figuratively".
  After we sort that out, we can come to an agreement on split infinitives, the Harvard comma, and people whether punctuation that isn't part of a quote should be inside quotation marks or out. :-)
  
  --
  Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
3. Re:could not care less by GodGell · 2013-11-05 20:36 · Score: 3, Informative
  
  I'm more concerned with errors on non-idiomatic speech, like "should of" and "could of" instead of "should have" and "could have"
  THIS, a thousand times this!
  I'm not much of a grammar nazi, as I view communication to be the primarry purpose of text and not syntax... but "should of" actively takes chunks out of my brain every time I read it. It honestly makes me feel like I'm trying to talk to a retard, it just makes so little sense.
  The worst part is, while currently it's almost exclusively native English speakers who make this mistake (which is pretty odd), soon enough people like me who learnt by practice are going to start using it en masse, and then it'll be here to stay (like "could care less" - another one perpetuated by native speakers, btw).
  
  --
  [SHOW SOME LENIENCY TOWARDS ... I mean, FUCK BETA] Eat. Survive. Reproduce. GOTO 10
Uhh... by Anonymous Coward · 2013-11-05 12:23 · Score: 5, Insightful

If you have http GET requests going (effectively) straight into your database, that's YOUR problem, not Google's.
1. Re:Uhh... by Anonymous Coward · 2013-11-05 12:49 · Score: 3, Informative
  
  I whole heartedly agree. Database programming 101: you cannot trust any inputs (user or otherwise). You must assume that any input is malicious and sanitize it as such. Maybe the devs that are researching/complaining about this should consider the target as the problem not the 12,000 different ways to input malicious code.
2. Re:Uhh... by smellotron · 2013-11-05 17:21 · Score: 4, Informative
  
  As long as you escape them properly
  
  Friends don't let friends generate dynamic SQL. Please use prepared statements!
How about Yahoo "bots", Bing "bots" ? by Anonymous Coward · 2013-11-05 12:27 · Score: 5, Insightful

TFA seems to place all the faults on Google.
Fact is, Google is not the only one who is crawling the Net. Yahoo does it as well as Bing, among others.
If the Google "bots" can be tricked into doing the "heavy lifting", so can the Yahoo "bots", Bing "bots", and "bots" from other search engines.
1. Re:How about Yahoo "bots", Bing "bots" ? by _Sharp'r_ · 2013-11-05 12:31 · Score: 5, Insightful
  
  Why, it's not just bots! If you put a link out on a public web site, real people might even click on the link for you!
  Next you'll be suggesting that you could do that transparently to the user and have their browser re-use their already logged in session on another site to do things with their credentials for you!!!!
  What will they think of next? It's a good thing we have these wonderful stories to explain how this whole web thingy works with all it's links and stuff...
  
  --
  The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
2. Re:How about Yahoo "bots", Bing "bots" ? by aztracker1 · 2013-11-05 12:48 · Score: 4, Informative
  
  What's funny is bing has bots that will actually execute and follow through JavaScript requests... last year, I worked to refactor our link structure (normalizing, and reducing variance), this caused a reindex of the site (about 50k urls), however Bing bots went nuts, and because they executed JS, this really affected our unique visitors on our Google Analytics (they don't actually filter bots). It looked like our unique visitors went up by 40% (all from 3 locations, all Microsoft), while our pages per visit plummeted. Bots are necessary, but can be dangerous if you don't account for them.
  
  --
  Michael J. Ryan - tracker1.info
3. Re:How about Yahoo "bots", Bing "bots" ? by icebike · 2013-11-05 13:16 · Score: 3, Informative
  
  Why, it's not just bots! If you put a link out on a public web site, real people might even click on the link for you!
  Real people don't have to click that link. Their computers and devices have web browsers that follow links ahead of time to
  improve browsing experience. Chrome calls this "Predict network actions to improve page load performance".
  But such hits would come from a wide variety of IPs, not from Google.
  
  --
  Sig Battery depleted. Reverting to safe mode.
4. Re:How about Yahoo "bots", Bing "bots" ? by Anonymous Coward · 2013-11-05 14:17 · Score: 4, Informative
  
  No need to use links, either.
  Good old <img src="http://your.site.is/dumb?and=has+sql+injection%22;drop table users;--"/> would work just by visiting the site, as would an iframe, whether browser tries to be smart or not.
HTTP RFC - Section 9.1 Safe and Idempotent Methods by ChaseTec · 2013-11-05 12:27 · Score: 4, Informative

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe".

--
My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
Re:HTTP RFC - Section 9.1 Safe and Idempotent Meth by Anonymous Coward · 2013-11-05 12:30 · Score: 5, Funny

This is Slashdot. What do we know about GET HEAD methods?
Re:HTTP RFC - Section 9.1 Safe and Idempotent Meth by ChaseTec · 2013-11-05 12:38 · Score: 4, Interesting

This is Slashdot. What do we know about GET HEAD methods?
I was going to say that they return Futurama quotes but then I checked and they are gone. When did that happen?

--
My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
Skype too by gmuslera · 2013-11-05 12:52 · Score: 5, Interesting

If Microsoft follows links shown in "private" skype conversations (and probably several NSA programs too) they could be used to attack sites this way. Could be pretty ironic to have government sites with their DBs wiped from a SQL attack coming from an NSA server.
Did anybody read TFA? by ghn · 2013-11-05 14:07 · Score: 4, Interesting

The point is not that you can attack lousy website using GET requests. The idea is that HTTP firewalls shoud not blatlantly white-list google bots and other website crawlers in the sake of SEO optimization, because google bot will follow malicious links from other website..
So lets say you have a filter with rules that prevent common SQL injections in GET requests parameters, this is a weak security practice but can be useful to mitigate some 0-day attacks on vulnerable scripts. This protection can be by-passed IF you white-listed google bot.