Introduction to Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner
Network security defense provides no protection against web application
attacks since these are launched on port 80 (default for websites) which has
to remain open to allow regular operation of the business.
For the most comprehensive security strategy, it is therefore imperative that
you regularly and consistently audit your web applications for exploitable
vulnerabilities.
The need for automated web application security scanning
Manual vulnerability auditing of all your web applications is complex and
time-consuming. It also demands a high level of expertise and the ability to
keep track of considerable volumes of code and of all the latest tricks of the
hacker's trade.
Automated vulnerability scanning allows you to focus on the more
challenging issue of securing your web applications from any exploitable
vulnerability that jeopardizes your data.
1.2 Web Attack Examples
Well-known sites that were open to web application attacks include:
TJX, the owner of clothing retailers T.J. Maxx and Marshall's Inc., suffered the
largest known data theft to date. Hackers invaded the TJX systems, resulting
in at least 45.7 million credit and debit card numbers being stolen over an
18-month period, along with personal data, including driver's license numbers,
of another 455,000 customers who had returned merchandise without receipts.
TJX first learned that there was suspicious software on its computer system
on Dec. 18, 2006; however, the stolen data covered transactions dating as far
back as December 2002.
In September 2006 hackers pilfered the personal data of nearly 19,000 DSL
equipment customers through a vulnerability in AT&T's online store. In a
statement, AT&T attributed the motive of the attack to a criminal market for
illegally obtained personal information. In fact, the data also included
customers' credit card details.
In 2006, ChoicePoint, Inc. paid $10 million in civil penalties and $5 million in
consumer redress after the personal financial records of more than 163,000
consumers in its database had been compromised.
Last year, the University of Southern California spent more than $140,000 to
notify affected students and also shut down the applications website for 10
days after a hacker gained online access to the admissions website.
In June 2004, security analyst ZapTheDingbat pointed out that MasterCard,
Natwest, Barclaycard, WorldPay, the GCHQ, and various other sites had
missed some basic gaps in their security, including the cross-site scripting
vulnerability. This flaw, for example, allows hackers to send users to the
legitimate site while displaying content and functionality of the hacker's
choice.
In June 2003 fashion label Guess and pet supply retailer PetCo.com were
notoriously found to be vulnerable to the SQL injection vulnerability. This
resulted in PetCo leaving as many as 500,000 credit card numbers open to
anyone able to construct a specially crafted URL.
One hacker gained access to over five million credit card accounts in
February 2003 through a web application attack. Similarly, in December
2002, a vulnerability at Tower Records' website laid bare the company's
customer orders database.