{"id":2386,"date":"2006-04-07T00:00:00","date_gmt":"2006-04-07T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2006\/04\/07\/web-services-pose-growing-security-risk\/"},"modified":"2021-12-30T11:41:14","modified_gmt":"2021-12-30T11:41:14","slug":"web-services-pose-growing-security-risk","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2006\/04\/07\/web-services-pose-growing-security-risk\/","title":{"rendered":"Web services pose growing security risk"},"content":{"rendered":"<p>In their rush to implement Web services, some companies may be exposing themselves to new security risks that they may not fully understand, a security researcher said at the CanSecWest\/core06 conference in Vancouver on Thursday.  During a conference presentation, researcher Alex Stamos outlined how a number of Web services technologies, including AJAX (Asynchronous JavaScript and XML) and the XQuery query language, could be exploited by hackers to dig up secret information and attack systems.  And hackers are catching on.  Last month, security vendor Symantec issued its biannual Internet Security Threat report, noting that Web applications represent an increasingly attractive target for attackers. Of all vulnerabilities disclosed in the last six months of 2005, nearly 70 percent were associated with Web applications, Symantec said.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>During his talk, he described an attack where a user could enter malicious code in a Web form and then get that code to run by calling up the company&#8217;s customer service number and tricking a representative into inadvertently executing it.  
Stamos also showed how Web services requests could be used to conduct denial of service attacks, either by creating malicious XML queries that used massive amounts of memory or by bombarding database applications with more requests than they can handle.<\/p>\n<p>This trend is of particular concern to smaller companies that may not have the budgets to fully test the security of their software.<\/p>\n<p>http:\/\/www.infoworld.com\/article\/06\/04\/07\/77230_HNwebservicesrisks_1.html<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-2386","post","type-post","status-publish","format-standard","hentry","category-warnings"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=2386"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2386\/revisions"}],"predecessor-version":[{"id":4873,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2386\/revisions\/4873"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=2386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=2386"},
{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=2386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}