Comments on: SQL Injection Blamed for 7-11, Hannaford and Heartland Breaches http://www.veracode.com/blog/2009/08/sql-injection-blamed-for-7-11-hannaford-and-heartland-breaches/ Application security testing, analysis, and metrics Tue, 15 May 2012 22:16:53 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: SQL Injection continues to trouble firms, lead to breaches | Cyber World Network http://www.veracode.com/blog/2009/08/sql-injection-blamed-for-7-11-hannaford-and-heartland-breaches/comment-page-1/#comment-3036 SQL Injection continues to trouble firms, lead to breaches | Cyber World Network Wed, 19 Aug 2009 10:19:04 +0000 http://www.veracode.com/blog/?p=907#comment-3036 [...] Missing from the federal indictment handed down Monday is the technique used by Albert Gonzalez, the alleged mastermind behind the Heartland and Hannaford attacks. Gonzalez is also charged with two others for his role behind the successful attacks against the TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In a blog entry, Chris Wysopal, co-founder and chief technology officer of secure application testing vendor, Veracode, has written several theories as to how the Hannaford and Heartland attackers gained entry. [...] [...] Missing from the federal indictment handed down Monday is the technique used by Albert Gonzalez, the alleged mastermind behind the Heartland and Hannaford attacks. Gonzalez is also charged with two others for his role behind the successful attacks against the TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In a blog entry, Chris Wysopal, co-founder and chief technology officer of secure application testing vendor, Veracode, has written several theories as to how the Hannaford and Heartland attackers gained entry. [...]

]]> By: MikeA http://www.veracode.com/blog/2009/08/sql-injection-blamed-for-7-11-hannaford-and-heartland-breaches/comment-page-1/#comment-3027 MikeA Tue, 18 Aug 2009 03:32:53 +0000 http://www.veracode.com/blog/?p=907#comment-3027 How about SQL injection to leave XSS in the database that an internal user would access. The XSS then goes out and pulls code/applets or other browser exploits. Because it's an internal site, users may not be as wary about warning signs and have lower security settings. Once the attacker has a single foothold on an internal machine, more-so if it's some form of privilaged user, it's just a matter of exploration and time. That's perhaps another way of leveraging an SQL vuln, although I would bet it's probably one of the easier methods. How about SQL injection to leave XSS in the database that an internal user would access. The XSS then goes out and pulls code/applets or other browser exploits. Because it’s an internal site, users may not be as wary about warning signs and have lower security settings.

Once the attacker has a single foothold on an internal machine, more-so if it’s some form of privilaged user, it’s just a matter of exploration and time.

That’s perhaps another way of leveraging an SQL vuln, although I would bet it’s probably one of the easier methods.

]]> By: Heartland Hackers Face The Music : Liquidmatrix Security Digest http://www.veracode.com/blog/2009/08/sql-injection-blamed-for-7-11-hannaford-and-heartland-breaches/comment-page-1/#comment-3026 Heartland Hackers Face The Music : Liquidmatrix Security Digest Tue, 18 Aug 2009 02:35:30 +0000 http://www.veracode.com/blog/?p=907#comment-3026 [...] another piece from Chris Wysopal on the technical aspects of the [...] [...] another piece from Chris Wysopal on the technical aspects of the [...]

]]>