

Google crawler tricked into performing SQL injection attacks - coloneltcb
http://arstechnica.com/security/2013/11/google-crawler-tricked-into-performing-sql-injection-attacks-using-decade-old-technique/

======
Mithrandir
Previous discussion:
[https://news.ycombinator.com/item?id=6676859](https://news.ycombinator.com/item?id=6676859)

------
utnick
This doesn't make any sense... why wouldn't the attacker just do the attack
themselves? What is the advantage to this?

~~~
patio11
You don't leave forensic evidence of the attack. You don't have automated IDS
systems blacklist your IPs. You get a one-to-many leverage on the backs of
Google's prodigious crawler farm. You potentially goad the target into manual
or automatic decisions which penalize Google, thereby inducing Google to
automatically retaliate with decisions which inflict business damage upon the
target, which may be a goal of the attack. etc, etc.

------
likeasir
You can block areas of your site accessible to bots with the robots.txt.

------
rhubarbquid
> The only solution is to not be vulnerable to SQL injection attacks.

If this is your reason for fixing SQL injection vulnerabilities, you're doing
something wrong.

------
moepstar
's kinda ironic that Michael Zalewski now works for Google o_o

