Neil, a Certified Ethical Hacker (CEH) and Certified Hacking Forensic Investigator (CHFI): The biggest case of identity theft in US history

August 2009 by Neil, a Certified Ethical Hacker (CEH) and Certified Hacking Forensic Investigator (CHFI)

Following news this afternoon of a 130 million number credit card fraud perpetrated by just three individuals using a well-known hack method called ‘SQL Injection’, I wanted to put you in touch with Neil O’Neil, principal digital forensics investigator at secure card payment specialist The Logic Group, for further comment and expert insight.

Neil, a Certified Ethical Hacker (CEH) and Certified Hacking Forensic Investigator (CHFI), says:

“Code weakness on e-commerce sites is the single greatest vulnerability exploited by hackers to directly compromise and illegally extract credit card and personal data online, so it comes as no surprise that it has been used to such dramatic effect in the case reported today.

“The problem is ‘SQL Injection’. If an SQL database cannot deal with escape characters* then it is vulnerable to the injection of variables and strings that will give hackers direct access to data. Hackers can extract data from a vulnerable database by simply heading onto the login page and entering an exact string of code. This string selects a particular user’s password and potentially their credit card details. This occurs because the input into the form in the webpage is unverified or unsanitised.

“To resolve SQL injection issues there need to be specific lines of code that deal with escape characters. For all other code weaknesses it is best to ensure that all the website development complies with OWASP (Open Web Application Security Project), which provides guidelines to resolve all the major known web application vulnerabilities.”

O’Neil is also available to discuss how it is not only SQL mis-configurations that provide entry points into databases. According to O’Neil, a significant number of the web applications used to process data and user input are based on proprietary code (Java, PHP, Perl, C#, ASP etc.), and O’Neil warns that developers who do not write the code with all the appropriate security principles embedded (e.g. memory management, input integrity, access controls, stored procedures etc.) will be left with a fundamental weakness in their web code and scripts.

*An escape character is a single character designated to invoke an alternative interpretation on immediately subsequent characters in a character sequence.
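
The login-form case described in the quote above, shown as an added example that is not part of the original article or any code from The Logic Group: the same lookup written with string concatenation and with bound parameters, run against an in-memory SQLite database. The table, column names, rows and the crafted input are constructed for illustration, and using placeholders as the way to handle quote characters is this example's assumption about the fix.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, card TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct-horse", "XXXX-XXXX-XXXX-0001"),
        ("bob", "hunter2", "XXXX-XXXX-XXXX-0002"),
        ("o'neil", "s3cret", "XXXX-XXXX-XXXX-0003"),
    ])
    return db

def login_vulnerable(db, name, password):
    # Form input is pasted into the SQL text, so a quote character in the
    # input closes the string literal and whatever follows is parsed as SQL.
    sql = ("SELECT name, card FROM users "
           "WHERE name = '%s' AND password = '%s'" % (name, password))
    return db.execute(sql).fetchall()

def login_parameterized(db, name, password):
    # Placeholders keep the SQL text fixed; the driver passes the values
    # separately, so a quote in the input is only ever data.
    sql = "SELECT name, card FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchall()

def quote_breaks_query(db, name, password):
    """True if the concatenated query fails to parse for this input.

    A SQL syntax error triggered by an ordinary apostrophe is the usual
    sign, in testing or in error logs, that input reaches the SQL text."""
    try:
        login_vulnerable(db, name, password)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input containing quote characters
    print("vulnerable, crafted password :", login_vulnerable(db, "alice", crafted))
    print("parameterized, same input    :", login_parameterized(db, "alice", crafted))
    print("legitimate o'neil breaks SQL :", quote_breaks_query(db, "o'neil", "s3cret"))
    print("parameterized, o'neil        :", login_parameterized(db, "o'neil", "s3cret"))
```

The concatenated version returns every row for the crafted password and fails outright on a legitimate name containing an apostrophe, while the parameterized version returns nothing for the crafted input and logs the apostrophe user in normally.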

