Testing and Findings
We performed the testing after work hours, as specified. Because of the time crunch, we conveyed our findings and recommendations over a conference call with the client the following weekend rather than in writing. There is nothing wrong with reporting results this way, but we usually prefer to deliver at least a brief written report, which gives the client a record to act on and lets us check our wording before it reaches the people who will fix the issues.
Our main findings were as follows:
- Cross-site scripting and SQL injection vulnerabilities. Both XSS and SQL injection were identified, even though the client stated that they had followed secure coding practices and performed a security code review of the application source. They probably did exactly what they claimed; these two vulnerability classes are nonetheless almost ubiquitous in today's applications, and finding them after a secure coding effort is neither surprising nor uncommon. A code review catches what the reviewers happen to look at, whereas testing exercises the input paths the application actually exposes, so the two complement rather than replace each other.
- Lack of an intrusion-detection and/or intrusion-prevention system (IDS/IPS). This is the hosting provider's responsibility, according to information we received from the client. In other words, the client expected that the hosting provider would deploy an IDS to secure the servers hosting their web application.
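The XSS and SQL injection finding above is stated without code, since the client's application is not shown on this page. The following added example (my own illustration, not code from the engagement or the client's application) shows the two patterns side by side: a query built by string concatenation next to its parameterized form, and reflected input placed into HTML unescaped next to the escaped form. The table, rows and user names are constructed for the demonstration; the `lookup_*` and `render_*` function names are hypothetical.

```python
import html
import sqlite3

# Constructed sample data: the real application's schema is not described on the page.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: untrusted input is spliced into the query text.

    A reviewer skimming this sees a plausible one-line query; the defect is
    that the quoting is done by the application, so a single quote in the
    input ends the string literal and the rest is parsed as SQL.
    """
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name):
    """Reflected XSS: the search term is echoed into HTML without encoding."""
    return f"<p>Results for {name}</p>"


def render_safe(name):
    """Hardened form: HTML-encode on output, including quotes for attribute contexts."""
    return f"<p>Results for {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # returns every row
    print("safe:      ", lookup_safe(db, payload))        # returns no rows
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_safe("<script>alert(1)</script>"))
```

Running the script shows why a tautology such as `x' OR '1'='1` dumps the whole table through the concatenated query while the parameterized query returns nothing, and why the same `<script>` text is rendered inert only by the escaping version. Neither defect is exotic, which is the point of the finding: they survive a code review because the offending line looks ordinary.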