Web 2.0 Threats and Risks for Financial Services

by Shreeraj Shah - net square - Monday, 30 April 2007.

Web Services enumeration

Web Services are gaining ground in the financial services sector and are becoming part of trading and banking applications. Service-oriented architecture is a key component of Web 2.0 applications. WSDL (Web Services Description Language) is the interface description of a Web service. The WSDL file discloses the technologies in use, the exposed methods, invocation patterns and similar details that help in planning an exploit. Unnecessary functions or methods left open can spell disaster for a Web service. Web Services must follow the WS-Security standards to counter the threat of information leakage through the WSDL file. WSDL enumeration helps an attacker build an exploit, and WSDL access by unauthorized users can lead to access to private data.
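The first defensive step the paragraph implies is knowing what the WSDL actually exposes and comparing it with what the application needs. The following is an added example, not code from the article: it parses a WSDL, lists every operation with its input parts and the service endpoint, and reports operations missing from a documented allow-list. The WSDL, the `TradingService` name, its operations and the `example.invalid` URL are constructed for this example.

```python
# Added example (not from the original article): inventory the operations a
# WSDL exposes so the exposed surface can be reviewed against what the
# application actually needs.  The WSDL below is constructed; the service,
# operation and endpoint names are hypothetical.
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

SAMPLE_WSDL = b"""<?xml version="1.0"?>
<definitions name="TradingService"
    targetNamespace="http://example.invalid/trading"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://example.invalid/trading">
  <message name="GetQuoteIn"><part name="symbol" type="xsd:string"/></message>
  <message name="GetQuoteOut"><part name="price" type="xsd:decimal"/></message>
  <message name="PlaceOrderIn"><part name="symbol" type="xsd:string"/><part name="qty" type="xsd:int"/></message>
  <message name="PlaceOrderOut"><part name="orderId" type="xsd:int"/></message>
  <message name="DebugDumpIn"/>
  <message name="DebugDumpOut"><part name="dump" type="xsd:string"/></message>
  <portType name="TradingPort">
    <operation name="GetQuote"><input message="tns:GetQuoteIn"/><output message="tns:GetQuoteOut"/></operation>
    <operation name="PlaceOrder"><input message="tns:PlaceOrderIn"/><output message="tns:PlaceOrderOut"/></operation>
    <operation name="DebugDump"><input message="tns:DebugDumpIn"/><output message="tns:DebugDumpOut"/></operation>
  </portType>
  <binding name="TradingBinding" type="tns:TradingPort">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <service name="TradingService">
    <port name="TradingPort" binding="tns:TradingBinding">
      <soap:address location="https://example.invalid/ws/trading"/>
    </port>
  </service>
</definitions>
"""


def inventory_operations(wsdl_bytes):
    """Return {operation name: [(input part name, declared type), ...]}."""
    root = ET.fromstring(wsdl_bytes)
    # Resolve message names to their parts so each operation can show its inputs.
    messages = {}
    for msg in root.findall(f"{{{WSDL_NS}}}message"):
        parts = [(p.get("name"), p.get("type")) for p in msg.findall(f"{{{WSDL_NS}}}part")]
        messages[msg.get("name")] = parts
    ops = {}
    for port_type in root.findall(f"{{{WSDL_NS}}}portType"):
        for op in port_type.findall(f"{{{WSDL_NS}}}operation"):
            inp = op.find(f"{{{WSDL_NS}}}input")
            # "tns:GetQuoteIn" -> "GetQuoteIn"; prefixes vary between WSDLs.
            msg_ref = inp.get("message").split(":")[-1] if inp is not None else None
            ops[op.get("name")] = messages.get(msg_ref, [])
    return ops


def service_endpoints(wsdl_bytes):
    """Every SOAP address the WSDL points clients at."""
    root = ET.fromstring(wsdl_bytes)
    return [addr.get("location") for addr in root.iter(f"{{{SOAP_NS}}}address")]


def unexpected_operations(wsdl_bytes, allowed):
    """Operations present in the WSDL but absent from the documented allow-list."""
    return sorted(set(inventory_operations(wsdl_bytes)) - set(allowed))


if __name__ == "__main__":
    for name, parts in inventory_operations(SAMPLE_WSDL).items():
        print(name, parts)
    print("endpoints:", service_endpoints(SAMPLE_WSDL))
    print("not on allow-list:", unexpected_operations(SAMPLE_WSDL, ["GetQuote", "PlaceOrder"]))
```

Running this against the constructed WSDL flags `DebugDump`, an operation with no documented purpose, as a candidate for removal from the published interface; the same check run periodically catches methods that reappear after a deployment.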

XML poisoning and Injections

SOAP, XML-RPC and REST are the new standard protocols for information sharing and object invocation. They use XML as the underlying format, and financial applications rely on them for client-to-server and application-to-application communication. A common technique is to feed recursive payloads: the same XML node repeated or nested many times. An engine that handles such XML poorly can be driven into a denial of service on the server.

Web services consume information and variables from SOAP messages, and it is possible to manipulate these variables. For example, if one of the nodes in a SOAP message carries the value 10, an attacker can start manipulating that node with different injection attacks (SQL, LDAP, XPath, command shell) and explore possible attack vectors to gain a foothold on internal machines. XML poisoning and payload injection are another emerging threat domain for Web 2.0 financial applications.

CSRF with Web 2.0 applications

CSRF allows transactions to be carried out without the end user's consent, which makes it one of the most effective attack vectors against financial applications. In Web 2.0 applications, Ajax talks to backend Web services over XML-RPC, SOAP or REST, and these services can be invoked with GET and POST requests. In other words, it is also possible to make cross-site calls to these Web services and, in doing so, compromise a victim's profile interfaced with the Web services. CSRF is an interesting attack vector that takes on a new dimension in this scenario of newly defined endpoints: they may be intended for Ajax or Web services, but they can also be invoked by cross-domain requests. Key financial transactions cannot depend simply on an authenticated session; the application must take extra care when processing them, either by validating the password again or by using a CAPTCHA.
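The paragraph's conclusion is that a session cookie alone must not authorize a key transaction. The following added example (not code from the article) shows the server side of a hypothetical transfer endpoint called from Ajax. It implements the password re-validation the article recommends and goes slightly beyond the text with two further checks that distinguish a cross-site caller from the legitimate client: a custom request header that an HTML form on another site cannot set, and a per-session token the other site cannot read. The session record, request shape and user data are constructed for the example.

```python
# Added example, not from the original article: server-side checks for a
# money-transfer endpoint called by the application's own Ajax client.  The
# session store, request dict and user credentials are constructed.
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


class TransferRefused(Exception):
    """Raised when a transfer request fails any authorization check."""


def hash_password(password, salt=None):
    """PBKDF2-SHA256; stored at enrolment, recomputed on each key transaction."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def new_session(username, password):
    """Constructed session record: the authenticated user plus a CSRF token
    that is handed to the same-origin page and never to other sites."""
    salt, digest = hash_password(password)
    return {"user": username, "pw_salt": salt, "pw_hash": digest,
            "csrf_token": secrets.token_hex(32)}


def authorize_transfer(session, request):
    """Decide whether a transfer may proceed.

    request: {"headers": dict, "token": str|None, "password": str|None, "amount": float}
    Each check corresponds to one way a cross-site request differs from the
    application's own Ajax call.
    """
    if session is None:
        raise TransferRefused("no authenticated session")
    # 1. A cross-site HTML form cannot add custom headers, so require the
    #    marker the application's own XMLHttpRequest calls always send.
    if request["headers"].get("X-Requested-With") != "XMLHttpRequest":
        raise TransferRefused("missing Ajax marker header")
    # 2. The per-session token is readable only by same-origin script; compare
    #    in constant time so the check leaks nothing about the token.
    token = request.get("token") or ""
    if not hmac.compare_digest(token, session["csrf_token"]):
        raise TransferRefused("bad or missing CSRF token")
    # 3. Session cookies travel with a forged request automatically; the
    #    re-entered password does not.  This is the article's recommendation.
    password = request.get("password") or ""
    _, digest = hash_password(password, session["pw_salt"])
    if not hmac.compare_digest(digest, session["pw_hash"]):
        raise TransferRefused("password re-validation failed")
    if request["amount"] <= 0:
        raise TransferRefused("amount must be positive")
    return True


def transfer_allowed(session, request):
    """Boolean wrapper around authorize_transfer for logging or testing."""
    try:
        return authorize_transfer(session, request)
    except TransferRefused:
        return False


if __name__ == "__main__":
    sess = new_session("alice", "correct horse battery")
    legitimate = {"headers": {"X-Requested-With": "XMLHttpRequest"},
                  "token": sess["csrf_token"], "password": "correct horse battery",
                  "amount": 100.0}
    # What a cross-site page can produce: the cookie arrives, nothing else does.
    forged = {"headers": {}, "token": None, "password": None, "amount": 100.0}
    print("legitimate:", transfer_allowed(sess, legitimate))
    print("forged:", transfer_allowed(sess, forged))
```

A CAPTCHA, the article's other suggestion, slots in at the same point as check 3: it is another secret the forging page cannot supply on the victim's behalf. Whichever is used, the check belongs on every endpoint that moves money, including the XML-RPC and SOAP ones the Ajax layer calls, not only on the HTML form.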
