
* Vitor Andrade Santos

Currently, more than half of small, medium and large companies have a website, according to a publication of the CGI (Internet Steering Committee in Brazil).

“Among small, medium and large companies, the 2017 ICT Companies survey shows that 55% of companies claimed to have a website, a proportion that was 57% in 2015, which represents a scenario of stability. In the case of medium-sized companies, the presence on the web through websites is 78% and large companies, 89%.”

Thus, we can say that having a website on the internet is the best way to expose your products or services to customers, but it is also a gateway through which hackers can extract customer data and even bankrupt a company.

Current situation of development teams

Many companies have their own team of developers, who are responsible for creating web applications. Usually, this team is divided into front-end and back-end, which are responsible for making the site beautiful and functional, respectively.

From the moment the product (website) is ready, in most cases, it is immediately published to the entire planet and can be reached by anyone through their notebook, cell phone, tablet, smart TV, smartwatch and so on. That is, accessing it is extremely easy, requiring just an internet connection (which everyone currently has).

Negligence from developers | Hackers' Treasure

Because the applications are not tested, their vulnerabilities are left exposed and, in most cases, in-depth knowledge is not necessary to exploit them.

Developers usually add comments to their applications to keep the code organized, but some insert sensitive information in them, such as database passwords, usernames, etc. Anyone can read this information in the page source by pressing a single key (F12), so someone in possession of it can easily gain access to data that should be confidential.
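A pre-publication check for the problem described above, as an added example that is not part of the original article: it parses a page the way a browser receives it and reports HTML and script comments that contain credential-like words. The keyword list, the `audit` function and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed keyword list for this example ("senha" is Portuguese for password).
SENSITIVE = re.compile(
    r"passw(or)?d|pwd|senha|secret|token|api[_-]?key|user(name)?\s*[:=]", re.I)
# Heuristic for /* ... */ and // ... comments inside <script>/<style> blocks.
JS_COMMENT = re.compile(r"/\*.*?\*/|(?<!:)//[^\n]*", re.S)

# Constructed sample page; the credentials are made up.
SAMPLE = """<html><body>
<!-- TODO remove: db user=admin password=Example123 -->
<!-- navigation menu -->
<script>
// api_key = "EXAMPLE-KEY" for the staging backend
var url = "https://example.com/api"; /* plain note */
</script>
</body></html>"""

class CommentAuditor(HTMLParser):
    """Collects comments a visitor can read in the page source (F12)."""
    def __init__(self):
        super().__init__()
        self.findings = []     # (line, kind, comment text)
        self._in_code = False  # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        self._in_code = tag in ("script", "style")

    def handle_endtag(self, tag):
        self._in_code = False

    def handle_comment(self, data):
        self._check(self.getpos()[0], "html", data)

    def handle_data(self, data):
        if self._in_code:
            base = self.getpos()[0]  # line where this script text starts
            for m in JS_COMMENT.finditer(data):
                line = base + data.count("\n", 0, m.start())
                self._check(line, "script", m.group(0))

    def _check(self, line, kind, text):
        if SENSITIVE.search(text):
            self.findings.append((line, kind, text.strip()))

def audit(html):
    auditor = CommentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

Run it over the rendered output of each page in a build step and fail the build when `audit` returns anything.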

Some sites offer a function that lets the user access a certain file on the server. If this functionality is not properly secured, anyone with bad intentions can access other files stored on the server, and even the operating system itself.

Another extremely common and highly dangerous vulnerability occurs when a user is able to insert text that is interpreted as instructions. This happens because the developers do not properly sanitize the data entered, so by inserting the right set of characters, an attacker may be able to manipulate the website in a way that gives access to sensitive data.

Conclusion

As already shown, a large number of companies have a website on the internet, but when the application is created it is not passed on to a security team to perform the appropriate tests and check whether it has vulnerabilities. As discussed previously, some loopholes require neither specific tools nor deep knowledge to exploit.

* Vitor Andrade Santos is a Red Team trainee | [SAFEWAY]
