Hackers trick Google bot into performing SQL injection attacks

Posted on Thursday, November 07 2013 @ 11:56 CET by Thomas De Maesschalck
Security researchers report that some attackers are now abusing Google's web crawler to attack websites via SQL injection. The attackers select a set of websites they want to attack, construct their SQL injection URLs and upload these to a webpage they control. When Google's crawler spiders this webpage it attempts to follow every URL it comes across, so to the website owner it appears as if Google is the source of the attack. The technique has significant limitations, but it makes it much harder to track who is attacking you and is also difficult to prevent, because IP-banning Google's crawlers is undesirable.
The way it works is devastatingly simple. Imagine that there's a site you want to perform an SQL injection attack on. You construct all your SQL injection URLs for the site, and stick them into a Web page that you control. Google spiders the Web page and attempts to follow all the URLs it comes across. Since each of those URLs is an SQL injection URL, Google's crawlers attempt to perform SQL injection on the victim.

Obviously, this technique has some significant limitations: the attacker can't actually see the response to the SQL injection attacks, which limits his ability to use this technique to probe systems. However, it's also a difficult thing to prevent, because rejecting Google's crawlers is so undesirable. The only solution is to not be vulnerable to SQL injection attacks.
Source: ARS Technica
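The two defensive points above (the crawler's identity says nothing about who built the URLs, and the only real fix is not being injectable) as an added Python example that is not part of the article or the Ars Technica report. The access-log lines, the `items` table and the `id` parameter are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the article): the second request
# claims a Googlebot user agent but carries an injection-shaped query string.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Nov/2013:11:56:00 +0100] "GET /item.php?id=42 HTTP/1.1" 200 "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.7 - - [07/Nov/2013:11:56:01 +0100] "GET /item.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.9 - - [07/Nov/2013:11:56:02 +0100] "GET /item.php?id=7 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1)"
"""

LOG_RE = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/[\d.]+" \d{3} "([^"]*)"$')
# Heuristic: a quote or comment token followed by an SQL keyword inside a parameter value.
SQLI_RE = re.compile(r"(['\"]|--|/\*).*?\b(or|and|union|select)\b", re.IGNORECASE)

def flag_injection_attempts(log_text):
    """Return (ip, path, user_agent) for requests whose parameters look like SQL injection.
    The user agent is recorded for triage but not trusted: as the article explains,
    the crawler is only relaying URLs that somebody else published."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url, ua = m.groups()
        params = parse_qs(urlsplit(url).query)  # parse_qs percent-decodes the values
        if any(SQLI_RE.search(v) for values in params.values() for v in values):
            hits.append((ip, urlsplit(url).path, ua))
    return hits

def lookup_vulnerable(conn, item_id):
    # String concatenation: the URL parameter becomes part of the WHERE clause.
    return conn.execute("SELECT name FROM items WHERE id = '" + item_id + "'").fetchall()

def lookup_parameterized(conn, item_id):
    # Bound parameter: the value stays data no matter which client delivered the URL.
    return conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchall()

def demo():
    """Row counts returned by both lookups for the same injected parameter value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [("42", "widget"), ("7", "gadget")])
    injected = "42' OR '1'='1"  # decoded value of the flagged request above
    return len(lookup_vulnerable(conn, injected)), len(lookup_parameterized(conn, injected))
```

Blocking the crawler's address would stop the relay for one website and cost it its search listing; the parameterized lookup stops the attack regardless of where the request came from.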


About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.


