To kick off this month of colossal “whoops-es” I thought I would tell you guys a story from way, way back when the web was young, and “developers” used notepad to write “web sites”. It was a time when everything was “web cool” and everyone in IT was playing foosball at the office and wearing flip-flops to their hip-cool jobs. It was around the fall of 1999.
While 1999 was “young” to a degree, the Web was 6 years in and had gone through a level of maturity and adoption that was nearly unparalleled as compared to other technology. Vulnerabilities were starting to be disclosed in 1994 and 1995 as security researchers began to realize the implications of this new protocol.
The CMS (Content Management System) was of course open to the world, but password-protected. Incidentally, the site was riddled with SQL Injection vulnerabilities, so not having the password really wasn’t a problem if you wanted to get into the site. Someone did just that.
There is one publicly documented SQLi in 1998, 0 in 1999, and 4 in 2000 according to OSVDB. People simply weren’t looking for SQL injection at this point. While RFP demonstrated that first SQLi in 1998, he was way ahead of his time. I’m not sure he or anyone else realized the floodgate that was about to open in front of them. The SPI Dynamics paper from 2002 titled “SQL Injection – Are Your Web Applications Vulnerable?” and Chris Anley’s “Advanced SQL Injection in SQL Server Applications” are possibly the seminal papers on SQLi that preceded the wave of SQLi vulnerability disclosures we would come to know and love. (For a complete history of early SQL injection including use of that term, check David Litchfield’s paper titled “Data-mining with SQL Injection and Inference“.) I find it hard to believe Rafal Los or anyone else knew the site was “riddled with SQL Injection vulnerabilities” in 1999, given there was possibly one public disclosure of such a vulnerability up to that point.
Anecdotes are good for conveying messages, but make sure they don’t have huge gaps in logic or facts. Else, it is easy to assume that the worst April fools joke is Rafal’s blog entry.