Surviving the Week – 04/06/2012

An ebay Site is Vulnerable to SQL Injection

The eBay site in Southeast Asia is vulnerable to SQL Injection.
https://www.upsploit.com/index.php/advisories/view/UPS-2012-0003
Sites such as eBay have certainly done a lot of internal security review and testing, yet they are still exposed to a classic SQL Injection vulnerability. How good is your application?

SQL Injection Through HTTP Headers

SQL Injection has been a popular attack for quite some time. Traditionally only form and URL inputs were attacked with SQL Injection, but as developers started using HTTP request headers as input fields, attackers started attacking request headers for SQL Injection as well. This article has a good list of request headers that can be attacked with SQL Injection.
http://packetstormsecurity.org/news/view/20824/SQL-Injection-Through-HTTP-Headers.html

Study: 72% of Developers See 2012 as the Year of Hybrid Apps

As the study suggests, developers are seeing more hybrid application development. As the development platform of an application changes, new attack scenarios and vectors emerge. To test your application against the latest attack vectors, you can use NTOSpider to test it in a completely automated fashion.
http://creatingapps.telekomaustria.com/study-72-per-cent-of-developers-see-2012-as-year-of-hybrid-apps.html


WOA watch out! Don’t forget about Web Services (Going beyond XSS & SQL Injection (SQLi))

In his blog post this week, Jared Day from eEye’s Any Means Possible research team provides detailed techniques for how security experts and pen testers should think about and test web services for security vulnerabilities. He explains how web services can be vulnerable: an attacker can “bypass server-provided client-side SQLi and XSS protections by simply sending the queries directly to the server”, and too many developers don’t think about it that way and fatally rely on JavaScript parsers to filter out potentially malicious characters. He also discusses how web services can expose data that you don’t want exposed. In a very practical and useful way, Jared describes how to test web services for vulnerabilities. I agree with Jared, web services continue to be vulnerable and must be considered as part of any pen testing approach and considered in technology purchases. Thanks for the helpful post Jared! http://www.sys-con.com/node/2234940
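The two items above make one point between them: a request header is chosen entirely by the client, so no JavaScript filter or other client-side protection is in the path, and the server must treat it as untrusted data. The following is an added example (not code from the advisory, the Packet Storm article, or Jared Day's post) using Python's standard sqlite3 module; the sessions table, its rows and the User-Agent lookup are a constructed, hypothetical scenario. It shows the header value spliced into the SQL text beside the parameterised form, plus a cheap server-side logging check.

```python
import sqlite3

# Constructed sample data (hypothetical schema, not from the page): the
# User-Agent recorded for a session and the account it belongs to.
SAMPLE_SESSIONS = [
    ("Mozilla/5.0 (X11; Linux x86_64)", "alice"),
    ("curl/7.68.0", "bob"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (user_agent TEXT, account TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", SAMPLE_SESSIONS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, headers):
    """The anti-pattern: the header value is spliced into the SQL text.
    Client-side filtering cannot help here, because the client sets the header."""
    ua = headers.get("User-Agent", "")
    sql = f"SELECT account FROM sessions WHERE user_agent = '{ua}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, headers):
    """The fix: a bound parameter, so the header value is only ever data."""
    ua = headers.get("User-Agent", "")
    rows = conn.execute(
        "SELECT account FROM sessions WHERE user_agent = ?", (ua,)
    )
    return [row[0] for row in rows]


def header_looks_tampered(value):
    """Server-side logging check: a genuine User-Agent contains no SQL quote
    or comment characters. A hit is a reason to log and alert, not a
    substitute for parameterised queries."""
    return any(marker in value for marker in ("'", '"', ";", "--"))


if __name__ == "__main__":
    db = make_db()
    honest = {"User-Agent": "curl/7.68.0"}
    tampered = {"User-Agent": "x' OR '1'='1"}   # constructed tautology header
    print(lookup_vulnerable(db, honest))        # ['bob']
    print(lookup_vulnerable(db, tampered))      # every account, not just bob's
    print(lookup_safe(db, tampered))            # []
    print(header_looks_tampered(tampered["User-Agent"]))  # True
```

Running the block shows that the same tampered header that makes the string-built query return every account returns nothing at all from the parameterised query; the tampered-header check is only there to give the defender a log line to alert on, and a scanner that covers headers as well as form fields would find the first function and not the second.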

Cloud Computing Can Be More Secure

If you walked the RSA floor this year in San Francisco as I did, you might agree with Neil MacDonald. Every other booth at RSA said something about security in the cloud. I joked on Twitter that the cloud sounded so secure that I just might move my family there. Neil has posted a new blog on cloud computing titled “Why Cloud Computing Could Be More Secure Than What You Have Today”. He explains that if a cloud service provider does its job well, its application could be as secure as an on-premise application. In his blog, he shows a chart from a recent study comparing the number of security incidents between on-premise and cloud applications. This chart not only highlights the parity between on-premise and cloud attacks, but also shows web application security attacks as the 2nd most common type of attack in the study, after brute force attacks. 71% of Alert Logic’s customers have had web application security breaches in the cloud and 65% have had web application security breaches with on-premise applications. Neil promises to continue to look for independent studies that show similar trends. We will look forward to continued insights from Neil as always. Complete URL: http://blogs.gartner.com/neil_macdonald/2012/03/31/cloud-computing-can-be-more-secure/

About Dan Kuykendall 173 Articles