Case in Point: Injection
In October 2014, Drupal announced a SQL injection vulnerability [7] that
allowed attackers to copy data and otherwise use the victim's Drupal
site maliciously. The severity was grave, as attackers immediately began
taking over Drupal servers.
The rapid reaction from the attacker community led to this dire warning
from the Drupal team (emphasis added):
"You should proceed under the assumption that every Drupal 7 website
was compromised unless updated or patched before Oct 15th, 11pm UTC,
that is 7 hours after the announcement."
The event illustrates how easy it can be for an attacker to exploit
injection vectors once found; the extreme scale of those attacks; and the
catastrophic, system-altering impact they can have on a company and
its customers. There's no way to sugarcoat the threat of injection. Safe
input/output handling is at least as important as access control and any
other security service anywhere in the system, yet it is treated as almost
entirely optional in many systems. Consider all input guilty until proven
innocent by data sanitization and input validation, and make sure you
have strict output encoding in place.
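The three controls named above (parameterized queries so input is never spliced into SQL, allowlist input validation, and output encoding) side by side, as an added example that is not from the book or from Drupal. It uses Python's standard-library sqlite3 and html modules against a constructed in-memory table; the table contents, the user-lookup functions and the probe string are all assumptions made for the demonstration.

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: untrusted input is spliced into the SQL text,
    so characters in the value can change the query's structure."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL.
    Whatever the string contains, it can only ever be compared as data."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Input validation: an allowlist of what a username is expected to look like.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(name: str) -> bool:
    """Reject anything that is not plainly a username; do not try to strip
    'bad' characters out, since denylists are what attackers test against."""
    return USERNAME_RE.fullmatch(name) is not None


def render_greeting(name: str) -> str:
    """Output encoding: escape the value for the context it lands in (HTML),
    so stored data cannot later be interpreted as markup or script."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo() -> tuple:
    """Run one constructed probe through both lookups and return the row
    counts, so the difference is observable rather than asserted."""
    conn = make_db()
    # Constructed input that closes the string literal in the unsafe query.
    probe = "x' OR '1'='1"
    unsafe_rows = lookup_unsafe(conn, probe)  # every row in the table
    safe_rows = lookup_safe(conn, probe)      # no row has that literal name
    return len(unsafe_rows), len(safe_rows)


if __name__ == "__main__":
    print("unsafe/safe row counts:", demo())
    print("validates as username:", validate_username("alice"),
          validate_username("x' OR '1'='1"))
    print(render_greeting("<script>"))
```

The parameterized query is the control that actually removes the injection; validation narrows what reaches the database and the encoder protects the response path, but neither is a substitute for keeping data and code separate at the SQL boundary.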
[5] http://sqlmap.org
[6] https://portswigger.net/burp/
[7] https://www.drupal.org/PSA-2014-003