Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×
Google Security

Google Bots Doing SQL Injection Attacks 156 156

ccguy writes "It seems that while Google could really care less about your site and has no real interest in hacking you, their automated bots can be used to do the heavy lifting for an attacker. In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B."
This discussion has been archived. No new comments can be posted.

Google Bots Doing SQL Injection Attacks

Comments Filter:
  • by ChaseTec (447725) <chase@osdev.org> on Tuesday November 05, 2013 @08:38PM (#45341363) Homepage

    This is Slashdot. What do we know about GET HEAD methods?

    I was going to say that they return Futurama quotes but then I checked and they are gone. When did that happen?

  • Skype too (Score:5, Interesting)

    by gmuslera (3436) on Tuesday November 05, 2013 @08:52PM (#45341463) Homepage Journal
    If Microsoft follows links shown in "private" skype conversations [slashdot.org] (and probably several NSA programs too) they could be used to attack sites this way. Could be pretty ironic to have government sites with their DBs wiped from a SQL attack coming from an NSA server.
  • by ghn (2469034) on Tuesday November 05, 2013 @10:07PM (#45341891)

    The point is not that you can attack lousy website using GET requests. The idea is that HTTP firewalls shoud not blatlantly white-list google bots and other website crawlers in the sake of SEO optimization, because google bot will follow malicious links from other website..

    So lets say you have a filter with rules that prevent common SQL injections in GET requests parameters, this is a weak security practice but can be useful to mitigate some 0-day attacks on vulnerable scripts. This protection can be by-passed IF you white-listed google bot.

  • by sootman (158191) on Tuesday November 05, 2013 @11:40PM (#45342363) Homepage Journal

    It's probably laziness, but it could also be a shortened version of "I could care less, but I'd have to try."

    "Sure as hell" and "sure as shit" have no meaning either, right? How sure is hell, or shit? Those are shortened versions of "as sure as hell is hot" and "as sure as shit stinks". Language happens.

    I'm more concerned with errors on non-idiomatic speech, like "should of" and "could of" instead of "should have" and "could have", "try and" instead of "try to", and #1 on my list, "literally" meaning "figuratively".

    After we sort that out, we can come to an agreement on split infinitives, the Harvard comma, and people whether punctuation that isn't part of a quote should be inside quotation marks or out. :-)

  • by sootman (158191) on Tuesday November 05, 2013 @11:52PM (#45342419) Homepage Journal

    When I first started doing web apps, I made a basic demo of a contacts app and used links for the add, edit, and delete functions. One day I noticed all the data was gone. I figured someone had deleted it all for fun so I went in to restore from a backup and decided to look at the logs and see who it was. It was googlebot -- it had come walking through, dutifully clicking on every "delete" and "are you sure?" link until the content was gone.

    (I knew about when to use GET versus POST -- it was just easier to show what was happening when you could mouse over the links and see the actions.)

Work without a vision is slavery, Vision without work is a pipe dream, But vision with work is the hope of the world.

Working...