It is imperative that organizations and government entities are knowledgeable in securing web applications. Mis-configurations and lack of security controls can lead to information leakage, cross-site scripting, and many more vulnerabilities.
Over the years, web application vulnerability issues have grown. In 2014, there was a 0% likelihood of an insufficient transport layer protection vulnerability, but in 2015, the likelihood of insufficient transport layer protection, information leakage, cross-site scripting, respectfully, changed to 70%, 56%, and 47%. Research has shown that Retail Trade, Health Care/Social Assistance, Information, and Finance/Insurance web sites are most likely to experience vulnerabilities similar to the previously stated. SQL injections, where a command or query is sent by a malicious user through an entry field to manipulate a database, are a common attack method used to exploit web application vulnerabilities. It is a long established attack method that has been at the top of the OWASP Top 10 List of vulnerabilities since 2013.It continues to be successful because of misconfigurations and weaknesses in code parameters administrators establish for log-ins and search queries. In 2015, it was reported that there were over a million web attacks against people each day, and nearly 75% of all legitimate websites have unpatched vulnerabilities.
On December 1st 2016, the U.S. Election Assistance Commission (EAC) detected a security breach that led to the compromise of more than 100 access credentials, including some with the highest administrative privileges. Investigations had shown that the hacker was able to access the EAC system via a SQL injection flaw. With the threat of cyber-attacks increasing over the web daily, it is important to understand attack methods, such as SQL injections, and their potential impact to a system so that they can be avoided and thwarted.
When an SQL injection is executed there are additional risks that may impact the system. Cross-site Scripting (XSS) is a derivation of an SQL injection, in which malicious scripts are injected into presumably safe and trusted web site. According to OWASP, XSS flaws have become one of the most common web application vulnerabilities. Unfortunately, with injection type vulnerabilities, it is difficult to determine the potential impact they can cause. SQL injection exploits can range from text being changed on a web site to a complete compromise of a host’s server but, as with XSS exploits, the impact can affect the end user’s information and system as well. By the time these issues are identified a hacker could have potentially compromised the system and cleared all evidence of a security breach. Typical intrusion detection/prevention systems such as firewalls will not protect web applications against this vulnerability.
At WCG, we provide Web Application Assessment services that detect, assess, and thwart potential vulnerabilities in order to protect and improve the security of your web applications. Our goal is to ensure the safety of your web applications and users, so that you and your business can operate with a guaranteed sense of security – “Your Security…Our Priority.”