Google Bots Doing SQL Injection Attacks 156
ccguy writes "It seems that while Google could really care less about your site and has no real interest in hacking you, their automated bots can be used to do the heavy lifting for an attacker. In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B."
could not care less (Score:5, Informative)
not just "could care less". Sheeesh.
HTTP RFC - Section 9.1 Safe and Idempotent Methods (Score:5, Informative)
In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe".
Re:How about Yahoo "bots", Bing "bots" ? (Score:5, Informative)
Re:Uhh... (Score:3, Informative)
I whole heartedly agree. Database programming 101: you cannot trust any inputs (user or otherwise). You must assume that any input is malicious and sanitize it as such. Maybe the devs that are researching/complaining about this should consider the target as the problem not the 12,000 different ways to input malicious code.
Re:How about Yahoo "bots", Bing "bots" ? (Score:4, Informative)
Why, it's not just bots! If you put a link out on a public web site, real people might even click on the link for you!
Real people don't have to click that link. Their computers and devices have web browsers that follow links ahead of time to
improve browsing experience. Chrome calls this "Predict network actions to improve page load performance".
But such hits would come from a wide variety of IPs, not from Google.
Re:How about Yahoo "bots", Bing "bots" ? (Score:4, Informative)
No need to use links, either.
Good old <img src="http://your.site.is/dumb?and=has+sql+injection%22;drop table users;--"/> would work just by visiting the site, as would an iframe, whether browser tries to be smart or not.
Re:Uhh... (Score:5, Informative)
Friends don't let friends generate dynamic SQL. Please use prepared statements!
Re:could not care less (Score:4, Informative)
I'm more concerned with errors on non-idiomatic speech, like "should of" and "could of" instead of "should have" and "could have"
THIS, a thousand times this!
I'm not much of a grammar nazi, as I view communication to be the primarry purpose of text and not syntax... but "should of" actively takes chunks out of my brain every time I read it. It honestly makes me feel like I'm trying to talk to a retard, it just makes so little sense.
The worst part is, while currently it's almost exclusively native English speakers who make this mistake (which is pretty odd), soon enough people like me who learnt by practice are going to start using it en masse, and then it'll be here to stay (like "could care less" - another one perpetuated by native speakers, btw).