[Owasp-singapore] RESEND: ways to exploit internal web applications

Ray gunblad3 at gmail.com
Tue Sep 1 00:16:37 EDT 2009


Wow, I got like 4 copies of the same email ;)

The reasons are pretty similar I'd say. One cannot assume that just because
it's internal access only, no one from outside can access the app (think
botnets, CSRF). Furthermore there're human problems that need to be thought
out and guarded against, either by genuine mistakes/user idiosyncrasies, or
by the typical disgruntled employee.

Good example of an "internal only" app still being vulnerable from outside:
http://www.gnucitizen.org/blog/router-hacking-challenge/

Ray.

On Tue, Sep 1, 2009 at 11:59 AM, spawn of soul calibur
<ruel555 at hotmail.com> wrote:

>  *note: apologies for missing the subject line*
>
>
> Hi Guys,
>
> A novice-question again.
>
> What are the ways to exploit internal web applications? I know web
> applications which are external facing can be exploited by XSS, SQL
> injection etc. But if attackers can't even see the web application because
> it's only available internally, then how can they be exploited?
>
> Basically, I am trying to justify the need to review our web application
> development practices. Thanks!
>
> Regards,
> Ruel