XSS Auditor

Do you really think you are safe from web vulnerabilities or that they are just minor problems?

A few days ago Sophos, one of the world’s most renowned security companies, found an SQL Injection in their product. What is worse, they found the vulnerability because malicious hackers have been using it to attack their clients.

What Happened to Sophos?

Sophos discovered that malicious hackers mounted attacks on their hardware product called Sophos XG Firewall. The vulnerability that allowed them to do so turned out to be an SQL Injection. This vulnerability, in turn, lead to another very serious issue: remote code execution.

Attackers were able to use this SQL Injection to download the Asnarok trojan (read the whole technical description here). This trojan was then able to steal the login credentials of firewall users.

The vulnerability has been hotfixed and all users of the Sophos XG Firewall have been asked to download the firmware update.

What Does This Mean to You?

  • If a security giant such as Sophos can fall victim to an SQL Injection and RCE, so can you. Not to mention other vulnerabilities.
  • SQL Injections have been known for more than 20 years and most programming languages have countermeasures. And still, they happen.
  • An SQL Injection can lead to someone taking over your system and installing a trojan on it. But it can have even more fatal consequences.

What Can You Do?

The only way to protect yourself against such attacks is to regularly check for vulnerabilities. Of course, you can do it manually, performing penetration testing, but it’s much more efficient to automate the process with a vulnerability scanner. And Acunetix does it best. So give us a try.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.