Black Hat 2010: 10 Security Hotspots for CIOs - Web-Based Attacks Gain Power
(Page 10 of 11)
Web-based attacks remain a hot topic. The Google Web Toolkit (GWT), for example, allows some of the quickest, slickest web-based applications to be built today. But the framework, built entirely in JavaScript, provides extensive support for remote procedure calls (RPC). While the engineer has the option to implement RPC securely, insecure remote functionality turns out to be very common in GWT applications. And, you guessed it, these insecure implementations result in vulnerabilities that can be exploited to compromise those pretty, slick web applications.
Even with the PCI requirement to store cardholder data in encrypted form, hackers have found ways to bypass database encryption by using SQL injection through web applications to escalate their privileges. With these newly acquired SYS-level privileges, hackers can obtain clear-text data from an Oracle database backend, regardless of whether the data is stored encrypted in the database.
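The core of that finding is that encryption at rest protects nothing once an injected statement runs through the application's own database path, which already decrypts for legitimate requests. The following is an added illustration written for this page, not code from the talk or the article: it uses Python's built-in sqlite3 in place of Oracle, a constructed `cards` table, and a deliberately toy XOR stand-in for column encryption (not real cryptography), and it models only the "clear text despite encryption" point, not the SYS-level escalation the speakers described. The vulnerable lookup is shown beside its parameterized fix.

```python
import sqlite3

# Constructed stand-in for column-level encryption. This is NOT real
# cryptography; it only shows that the store holds ciphertext while the
# application's query path hands back clear text.
TOY_KEY = 0x5A


def toy_encrypt(pan: str) -> str:
    return bytes(b ^ TOY_KEY for b in pan.encode()).hex()


def toy_decrypt(blob: str) -> str:
    return bytes(b ^ TOY_KEY for b in bytes.fromhex(blob)).decode()


def make_db() -> sqlite3.Connection:
    """Constructed sample table: primary account numbers stored encrypted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer_id INTEGER, pan_enc TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [(1, toy_encrypt("4111111111111111")),
         (2, toy_encrypt("5500000000000004")),
         (3, toy_encrypt("340000000000009"))],
    )
    # The application account decrypts as part of every query it runs, so an
    # injected statement riding that same connection inherits the capability.
    conn.create_function("app_decrypt", 1, toy_decrypt)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer_id: str) -> list[str]:
    """String-built query: the untrusted value is parsed as part of the SQL."""
    sql = ("SELECT app_decrypt(pan_enc) FROM cards "
           f"WHERE customer_id = {customer_id}")
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn: sqlite3.Connection, customer_id: str) -> list[str]:
    """Bound parameter: the value is only ever compared, never parsed as SQL.
    SQLite coerces a numeric-looking string to match the INTEGER column; a
    value that is not a number simply matches nothing."""
    sql = "SELECT app_decrypt(pan_enc) FROM cards WHERE customer_id = ?"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


if __name__ == "__main__":
    db = make_db()
    print("legitimate:", lookup_fixed(db, "2"))
    print("vulnerable, tautology input:", lookup_vulnerable(db, "1 OR 1=1"))
    print("fixed, same input:", lookup_fixed(db, "1 OR 1=1"))
```

Note that the hardened lookup still decrypts for the caller; parameterization closes the injection path, while limiting what the application's database account may read is a separate control.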
The standard response to these types of risk includes employing web filtering, application control, and vulnerability assessment technologies, coupled with selecting securely built applications from your business solution vendors. If your organization is building custom web applications, they should be built using secure coding best practices, while leveraging tools and services to validate that what has been built was built securely.