Category: Database security

OWASP Top Ten Web Application Vulnerabilities #6: Security Misconfiguration

Security misconfigurations of key application stack components such as the operating system, the web server and the application server are all potential gateways to attacks. Unfortunately for us, most security configuration vulnerabilities are not rocket science — they’re out there for everybody to learn and use (or misuse). Security Misconfiguration is also a way for privileged insiders to hide their malicious activity against their firm’s systems. Usually a security misconfiguration will compromise just some part of the system, but […]

OWASP Top Ten Web Application Vulnerabilities #3: Insecure Direct Object References

Insecure Direct Object References seems a pretty unwieldy term, but the way it compromises a web application is pretty straightforward. The attacker is usually an authorized system user, who simply modifies a parameter value that directly refers to a system object so it refers to another system object for which the attacker has no authorization. Potentially, an attack using this technique can compromise all data that the new parameter can reference. The root of this type of web application vulnerability […]

US-CERT Cyber Security Alerts

US-CERT is a U.S. government agency that provides response support and defense against cyber attacks. US-CERT is part of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS). Although US-CERT’s goal is to support government agencies in defending themselves against cyber attacks, the agency disseminates cyber security information to governments, industry and the public, free of cost. You can receive regular mailing lists of known vulnerabilities from US-CERT by going to http://www.us-cert.gov/ and enrolling in their […]

OWASP Top Ten Web Application Vulnerabilities #4: Cross-Site Request Forgery (CSRF)

Cross-site request forgery, or CSRF, is a type of web application vulnerability wherein hackers trick authenticated users of your websites into submitting information to a web application on behalf of the hacker, without the legitimate user being aware of the fact. What the CSRF attack does is trick the legitimate user into loading a hacker’s web page that uses the legitimate user’s credentials to perform malicious actions, masquerading as the user. For example, a successful CSRF attack will enable […]

SANS Critical IT Controls #14: Wireless Device Control

While many companies are adept at securing their enterprise networks with routers, intrusion prevention and intrusion detection systems, wireless devices remain very vulnerable to hacker attacks. Wireless devices are ubiquitous, and there are several ways hackers can exploit your wireless systems to gain access to internal networks. Unauthorized wireless access points in your network are just waiting to be exploited by hackers, who can gain access to your internal network by simply bypassing your security perimeter and connecting with wireless […]

OWASP Top Ten Web Application Vulnerabilities #2: Cross-Site Scripting

Cross-site scripting, also referred to as XSS, is the most common web application security vulnerability. XSS vulnerabilities can result from anyone who is able to send untrusted data into your system – this includes external and internal users and administrators. XSS vulnerabilities may exist in your code when your application doesn’t properly validate data sent by a user to a browser. Improper validation of user content allows attackers to send a text-based attack script to exploit the browser’s interpreter. Browser […]

SANS Top 20 Critical IT Controls #13: Control Network Ports, Protocols and Services

You may think that since you have secured your network through firewalls and intrusion prevention devices, you must be secure. Not so fast! Attackers are constantly on the prowl, looking for any server or service they can exploit in your network. For example, a poorly configured web or mail server can be identified with an unauthorized external network scan. It’s not uncommon for a software package to automatically install an Apache server, for example, without the administrator or installer being […]

OWASP Top Ten Most Critical Web Application Risks #1: Injection Flaws

The Open Web Application Security Project (OWASP) releases a list of the top ten web application vulnerabilities each year. OWASP is a non-profit open community dedicated to helping organizations develop and maintain trustworthy web applications. The OWASP Top Ten represents the consensus opinion in the field about the most critical web application security flaws. Companies can perform web application vulnerability assessments to find out whether their applications contain any of the vulnerabilities in the Top Ten list. […]
