New Tool, but old methodology
The strategy was relatively simple: they used search engines in order to find potentially vulnerable applications and then tried to exploit them. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site.
Nothing new here; most of the commercial webapp security tools do the same. They spider the site you are testing, and then try to embed script tags into each form element.
Is that an ATI icon on the menu bar of the tool? :-p