This post originated from an RSS feed registered with .NET Buzz by Tim Sneath. Original Post: SECSYM: Security Symposium V Feed Title: Tim Sneath's Blog Feed URL: /msdnerror.htm?aspxerrorpath=/tims/Rss.aspx Feed Description: Random mumblings on Microsoft, .NET, and other topics. Latest .NET Buzz Posts Latest .NET Buzz Posts by Tim Sneath Latest Posts From Tim Sneath's Blog

The SQL Server security lead developer demonstrated a black hat tool circulating on the Internet that utilises a SQL injection vulnerability to expose access to the full underlying database server, allowing query of any other table on that system or any linked server for which a web application has access. He demonstrated how a simple ASP.NET page query with a filter textbox could be used to reveal all the credit card details stored in another table in the database.

This kind of application demonstrates how the maturity of attacks is increasing. It's even more important than ever before to lock down the user accounts used and perform threat modelling and penetration testing against SQL injection attacks. This threat is scary and emphasises the importance of everything mentioned today.