Recently, attacks on web applications have been on the rise, and there is good evidence that exploitation through SQL injection of web applications has brought about the tremendous surge in botnet infected machines. The focus of such attacks should result in us asking ourselves if we are at risk. If you have a web application it is quite possible that you are, and could likely be a target.

One of the fundamental best practices for being sure you don’t get compromised through a web application is to have strict input validation. What do I mean by “strict input validation?” Essentially, this means filtering the input to ensure the data presented by the user to the page does not contain characters that the application could mistake for code to be executed. Using input validation protects your site from executing arbitrary and malicious code that compromises your system.

Another big thing to consider is error control, often times SQL errors are displayed out in the open, or a directory listing is shown. A simple Google search for these error codes represent low-hanging fruit for a malicious attacker, allowing them to identify your website as a target. I would encourage everyone to take a close look at your web applications and make sure you are protected against this increased attacker focus.