Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Bots Doing SQL Injection Attacks

Posted by Soulskill on from the it's-not-a-bug,-it's-a-feature dept.

ccguy writes "It seems that while Google could really care less about your site and has no real interest in hacking you, their automated bots can be used to do the heavy lifting for an attacker. In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B."

14 of 156 comments (clear)

  1. could not care less by Anonymous Coward · · Score: 5, Informative

    not just "could care less". Sheeesh.

    1. Re:could not care less by Anonymous Coward · · Score: 5, Funny

      Means the same thing irregardless.

    2. Re:could not care less by sootman · · Score: 4, Interesting

      It's probably laziness, but it could also be a shortened version of "I could care less, but I'd have to try."

      "Sure as hell" and "sure as shit" have no meaning either, right? How sure is hell, or shit? Those are shortened versions of "as sure as hell is hot" and "as sure as shit stinks". Language happens.

      I'm more concerned with errors on non-idiomatic speech, like "should of" and "could of" instead of "should have" and "could have", "try and" instead of "try to", and #1 on my list, "literally" meaning "figuratively".

      After we sort that out, we can come to an agreement on split infinitives, the Harvard comma, and people whether punctuation that isn't part of a quote should be inside quotation marks or out. :-)

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  2. Uhh... by Anonymous Coward · · Score: 5, Insightful

    If you have http GET requests going (effectively) straight into your database, that's YOUR problem, not Google's.

    1. Re:Uhh... by smellotron · · Score: 4, Informative

      As long as you escape them properly

      Friends don't let friends generate dynamic SQL. Please use prepared statements!

  3. How about Yahoo "bots", Bing "bots" ? by Anonymous Coward · · Score: 5, Insightful

    TFA seems to place all the faults on Google.

    Fact is, Google is not the only one who is crawling the Net. Yahoo does it as well as Bing, among others.

    If the Google "bots" can be tricked into doing the "heavy lifting", so can the Yahoo "bots", Bing "bots", and "bots" from other search engines.

    1. Re:How about Yahoo "bots", Bing "bots" ? by _Sharp'r_ · · Score: 5, Insightful

      Why, it's not just bots! If you put a link out on a public web site, real people might even click on the link for you!

      Next you'll be suggesting that you could do that transparently to the user and have their browser re-use their already logged in session on another site to do things with their credentials for you!!!!

      What will they think of next? It's a good thing we have these wonderful stories to explain how this whole web thingy works with all it's links and stuff...

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    2. Re:How about Yahoo "bots", Bing "bots" ? by aztracker1 · · Score: 4, Informative

      What's funny is bing has bots that will actually execute and follow through JavaScript requests... last year, I worked to refactor our link structure (normalizing, and reducing variance), this caused a reindex of the site (about 50k urls), however Bing bots went nuts, and because they executed JS, this really affected our unique visitors on our Google Analytics (they don't actually filter bots). It looked like our unique visitors went up by 40% (all from 3 locations, all Microsoft), while our pages per visit plummeted. Bots are necessary, but can be dangerous if you don't account for them.

      --
      Michael J. Ryan - tracker1.info
    3. Re:How about Yahoo "bots", Bing "bots" ? by Anonymous Coward · · Score: 4, Informative

      No need to use links, either.

      Good old <img src="http://your.site.is/dumb?and=has+sql+injection%22;drop table users;--"/> would work just by visiting the site, as would an iframe, whether browser tries to be smart or not.

  4. HTTP RFC - Section 9.1 Safe and Idempotent Methods by ChaseTec · · Score: 4, Informative

    In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe".

    --
    My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
  5. Re:HTTP RFC - Section 9.1 Safe and Idempotent Meth by Anonymous Coward · · Score: 5, Funny

    This is Slashdot. What do we know about GET HEAD methods?

  6. Re:HTTP RFC - Section 9.1 Safe and Idempotent Meth by ChaseTec · · Score: 4, Interesting

    This is Slashdot. What do we know about GET HEAD methods?

    I was going to say that they return Futurama quotes but then I checked and they are gone. When did that happen?

    --
    My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
  7. Skype too by gmuslera · · Score: 5, Interesting

    If Microsoft follows links shown in "private" skype conversations (and probably several NSA programs too) they could be used to attack sites this way. Could be pretty ironic to have government sites with their DBs wiped from a SQL attack coming from an NSA server.

  8. Did anybody read TFA? by ghn · · Score: 4, Interesting

    The point is not that you can attack lousy website using GET requests. The idea is that HTTP firewalls shoud not blatlantly white-list google bots and other website crawlers in the sake of SEO optimization, because google bot will follow malicious links from other website..

    So lets say you have a filter with rules that prevent common SQL injections in GET requests parameters, this is a weak security practice but can be useful to mitigate some 0-day attacks on vulnerable scripts. This protection can be by-passed IF you white-listed google bot.