
Web-Based Attacks Gain Power

By Sean Martin  |  Posted 08-10-2010

Web-based attacks remain a hot topic. The Google Web Toolkit (GWT), for example, allows some of the quickest, slickest web-based applications to be built today. But the framework, built entirely in JavaScript, provides significant support for remote procedure calls (RPC). While the engineer has the option to implement the RPC securely, it turns out that insecure remote functionality built with the GWT is very common. And, you guessed it, these insecure implementations result in vulnerabilities that can be exploited to compromise these pretty, slick web applications.

Even with the PCI requirement to store cardholder data in encrypted form, hackers have found ways to bypass database encryption methods by using SQL injection through web applications to escalate their privileges. With these newly acquired SYS-level privileges, hackers can obtain cleartext data from an Oracle database back end, regardless of whether the data is stored as encrypted content in the database.

