Problem Solved
In the full scan I ran against a site that used a SQL database, WebInspect looked at the parameters in a Web form. It then manipulated them and performed a SQL command injection, where client-supplied data makes its way into an SQL query string. The site had a bug that would let an attacker perform session hijacking with a hidden user ID parameter being passed in the form. A few minutes after the Webmaster's coders saw the report, they were able to issue a fix with a single line of JavaScript. The report helped the coders understand the problem--an improper parameter verification--so they could devise a solution.
|
|
I ran the assault scan on an unpatched default IIS server installation. You can see a report from the assault test here. It shows the output of the assault scan, including a detailed description of the vulnerability and how to patch it. Among other things, WebInspect found an Internet Printing Protocol buffer overflow. The report included a link to source code of a program that could execute this attack, and the original Microsoft and eEye advisory pages. The report also showed every e-mail address found (spam address harvesting), hidden pages and fields, comments in the code, forms and JavaScripts on the page.
WebInspect's advanced features include support for basic and NTML authentication and tools to encode or decode hex, unicode, base64 and md5.
Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs®. Write to him at [email protected].
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
