So in mid-February it was announced that eBay had some exploitable holes. Not cool! Guess what they involved? One was cross-site scripting (XSS), another was SQL injection, and a third, which may still be unpatched, is a cross-site request forgery (CSRF) hole. Huh. Surprise, surprise! These are the top holes, and they have literally been railed about for years. And here is yet another big company, with lots of developers, that still has those old holes in place. Granted, CSRF is trickier and newer, at least in terms of being widely exploited. But XSS and SQL injection? Wow. The holes were in rather non-standard pages, but doesn't the little basement window at the back of your house still get an intruder in, where he can unlock the front door from the inside?
No more excuses! Patch those holes BEFORE you become a news headline! Oh, speaking of which: http://www.esecurityplanet.com/headlines/article.php/3866011/eBay-Vulnerabilities-Found.htm
Here is a good paper on what the top holes are and how to fix them, the OWASP Top 10 (2010 release candidate): http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf. And in the coming weeks I'll give a full explanation of SQL Injection and CSRF to help you if you need it.
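Since the three holes get named above but not shown, here is an added example of each one beside its fix. This is my own illustration, not code from the original post and not anything from eBay's site. It assumes a throwaway in-memory SQLite table of users and a plain dict standing in for the server-side login session; the user names, e-mail addresses and attack payloads are constructed for the demo. The CSRF fix shown is the per-session synchronizer token, one common approach rather than the only one.

```python
import hmac
import html
import secrets
import sqlite3

# Constructed sample data for the demo (hypothetical users table).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """In-memory SQLite database standing in for a real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


# --- SQL injection -----------------------------------------------------------

def lookup_email_vulnerable(conn, name):
    """Untrusted input pasted into the SQL text: a quote in `name` rewrites the query."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_fixed(conn, name):
    """Parameterised query: the driver binds `name` as data, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- Cross-site scripting ----------------------------------------------------

def greeting_vulnerable(name):
    """Reflects the user-controlled name straight into the HTML response."""
    return "<p>Hello, " + name + "</p>"


def greeting_fixed(name):
    """HTML-escapes the name so the browser renders it as text, not markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# --- Cross-site request forgery ----------------------------------------------

def issue_csrf_token(session):
    """Mint a random per-session token; the server keeps a copy in the session."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def change_email_vulnerable(conn, session, form):
    """Trusts the login session alone, so a form auto-submitted by another site succeeds."""
    conn.execute("UPDATE users SET email = ? WHERE name = ?", (form["email"], session["user"]))
    conn.commit()
    return True


def change_email_fixed(conn, session, form):
    """Requires the form to carry the session's token; a cross-site page cannot read it."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; reject when no token was ever issued or it does not match.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    conn.execute("UPDATE users SET email = ? WHERE name = ?", (form["email"], session["user"]))
    conn.commit()
    return True


def current_email(conn, name):
    """Helper for checking what the CSRF handlers actually did to the table."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"                      # classic tautology injection
    print("SQLi vulnerable:", lookup_email_vulnerable(conn, payload))  # leaks every row
    print("SQLi fixed:     ", lookup_email_fixed(conn, payload))       # no such user
    xss = "<script>alert(1)</script>"
    print("XSS vulnerable: ", greeting_vulnerable(xss))
    print("XSS fixed:      ", greeting_fixed(xss))
    session = {"user": "alice"}                   # logged in, cookie sent automatically
    forged = {"email": "attacker@example.com"}    # cross-site POST carries no token
    print("CSRF vulnerable:", change_email_vulnerable(conn, session, forged))
    print("CSRF fixed:     ", change_email_fixed(conn, session, forged))
```

Run it as a script and you will see the tautology payload dump every e-mail through the concatenated query while the bound-parameter version returns nothing, the escaped greeting turn the script tag into harmless text, and the forged e-mail change go through only on the handler that never checks for a token.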