By Julian Berton
Recently, I presented a lightning talk at Ruxcon 2014, on a cross-site scripting issue we discovered on a client engagement, and two interesting ways in which we could bypass the WAF present (as well as Firefox’s cross-site scripting filter).
The cross-site scripting issue we found was fairly standard at first, with an initial URI like the following:
This generates a page like the screenshot below, with the reference number pulled from a vulnerable URI parameter by the “jquery.query.get()” function.
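The source-to-sink pattern just described, as an added example rather than code from the original post: a reference number read from the query string (a plain stand-in for jquery.query.get(), which is a jQuery plugin) is shown on the page. The unsafe shape concatenates the raw value into HTML; the hardened shape validates it against an allowlist and writes it through a text sink. The parameter name "ref", the element id and the reference format are assumptions.

```javascript
// Added example, not from the original post. Mirrors the pattern described
// above: a reference number taken from the URI query string and displayed on
// the page. Parameter name, element id and reference format are assumptions.

// Stand-in for jquery.query.get(name): returns the decoded value or null.
function getQueryParam(search, name) {
  return new URLSearchParams(search).get(name);
}

// Allowlist: a reference number is assumed to be 6 to 12 letters or digits.
// Anything else (angle brackets, quotes, spaces) is rejected outright.
const REFERENCE_PATTERN = /^[A-Za-z0-9]{6,12}$/;

function isValidReference(value) {
  return typeof value === 'string' && REFERENCE_PATTERN.test(value);
}

// Vulnerable shape from the post: the raw parameter is concatenated into
// markup that is later given to an HTML sink (jQuery .html() or innerHTML),
// so any markup in the parameter is parsed by the browser unchanged.
function unsafeMarkup(search) {
  return '<p>Reference: ' + getQueryParam(search, 'ref') + '</p>';
}

// Hardened shape: validate against the allowlist, then use a text sink.
// textContent never parses its argument as HTML, so markup cannot execute.
// Returns true when a reference was rendered, false when it was rejected.
function renderReference(element, search) {
  const ref = getQueryParam(search, 'ref');
  if (!isValidReference(ref)) {
    element.textContent = 'Reference: (invalid or missing)';
    return false;
  }
  element.textContent = 'Reference: ' + ref;
  return true;
}

// Browser entry point; skipped when the functions are exercised under Node.
if (typeof document !== 'undefined') {
  renderReference(document.getElementById('reference'), window.location.search);
}
```

renderReference only needs an object with a writable textContent property, so it can be exercised outside a browser with a plain object standing in for the element.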
When it comes to online security, there can be a lot of confusion over how to best protect an organisation's digital assets.
A lot of this comes from misunderstandings over just how malicious parties are able to gain access to privileged information in the first place.
Adding to this mix is the range of different terms used by professionals that may seem unfamiliar to those not actively involved in securing online assets.
So it is little surprise that some prospects may be a little nervous over just how an ethical hacking project is supposed to operate.
Perhaps the greatest difference is that instead of applying a suite of diagnostic tools – an activity that can be done in-house – a team is actively deployed to examine the security measures in place, identify weaknesses, and recommend courses of action to eliminate the threats those weaknesses pose.
No damage is done to the existing online infrastructure – rather the team takes on the role of a third party looking to gain access, then provides a detailed report on their findings along with a list of recommended actions.
In this way a firm can learn where its online assets are vulnerable in real terms and implement targeted security upgrades before a dedicated attack has the chance to occur.
Penetration Testing Teams
As business systems develop over time, new standards in efficiency, usability and practicality tend to shape standard commercial practices.
This is the same across a number of areas for commercial enterprises, statutory corporations and industrial bodies alike – the benchmarks change according to the market environment.
When it comes to online security, it can be difficult for those inside an organisation to gain a clear understanding of just what they need to be doing to protect their digital assets and proprietary data.
This is because the internal protective measures taken by most firms are not made publicly available, making it hard for managers to gain an insight into what constitutes best practice.
This is where penetration testing and red cell services come to the fore – searching for vulnerabilities and hidden avenues and providing an in-depth report into a situation before it can be exploited.
On top of this, the team can take into account the unique attributes of an organisation when performing its audit – providing customised insights matched to both the technical capacity and the security budget of the client.
It is widely recognised that a brand that keeps good security measures in place enjoys a better share of market confidence than one that publicly fails to manage the data it holds effectively.
While this may be an obvious marketing benefit of being seen to be conscientious in managing digital security, the financial effects can also be substantial.
Some firms may baulk at the prospect of ethical hacking – having a team of specialists delve into a system from the outside could seem counter-intuitive.
However, the benefits of this sort of activity are also quite weighty, as the trained professionals can uncover blind spots and security gaps before they are ever made public.
This helps to demonstrate a level of corporate responsibility that goes above and beyond legislative requirements, with a proactive stance that improves public perception and client morale.
On top of this, an ethical breach audit helps to serve as an investment in security – allowing the firm to make improvements to their defences and practices before a potentially expensive situation occurs.
In this way, good online security helps to act as a sort of digital insurance that protects against future events – a practice that is always good for business.