The SpiderLabs division of security firm Trustwave conducts over 2,000 penetration tests a year looking for IT security risks. While most engagements turn up ordinary flaws, some lead to the discovery of unusual enterprise security risks.
Speaking at the SecTor security conference in Toronto last week, Nicholas Percoco, senior vice president and head of SpiderLabs, explained that penetration tests need to look beyond the surface to find business logic flaws and other deeply ingrained problems.
One of the more interesting hacks SpiderLabs has done is called “Do You Want Fries with that Hack?” The penetration testing team was testing a large restaurant chain that takes take-out orders over the Internet. The initial sweep found that the Web application used Java and Flash and was not exposed to any common exploits or SQL injection issues.
Ryan Linn, senior security consultant with SpiderLabs, noted however that credit card processing was handed off to a third party via JavaScript, and the testers were able to manipulate the payment information as it passed to the processor.
“What was missing was JavaScript validation,” Linn said. “So we adjusted the price of the food and we were able to get a meal delivered for 50 cents.”
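The flaw Linn describes, modelled as an added example (not SpiderLabs' or the restaurant's code; the menu, the checkout payload, the processor request shape, the order store and the callback are all assumptions for illustration). The vulnerable handler forwards whatever total the browser computed; the hardened one re-prices every line on the server from its own menu, since any check that runs in the browser can be edited just as easily as the price was, and then confirms that the amount the processor reports as captured matches what the server expected:

```javascript
// Added example, not SpiderLabs' or the restaurant's code. Models a take-out
// checkout that hands the amount to a third-party card processor, first as
// the vulnerable pattern (the client's price is trusted) and then hardened
// (the server re-prices from its own menu and verifies the processor's reply).
// Menu, payload shapes and order store are assumptions for illustration.

// Server-side menu, prices in cents. The vulnerable flow never consults it at
// checkout, which is exactly the problem.
const MENU = { burger: 899, fries: 299, soda: 199 };

// Constructed sample of a tampered checkout request: the tester lowered each
// line price before the browser handed the payload off to the processor.
const TAMPERED_CHECKOUT = {
  orderId: "A1001",
  items: [
    { sku: "burger", qty: 1, price: 25 },
    { sku: "fries", qty: 1, price: 25 },
  ],
  total: 50,
};

// Vulnerable: forwards whatever total the client computed. The processor only
// knows the amount it is asked to charge, not what a burger costs.
function buildProcessorRequestVulnerable(checkout) {
  return { reference: checkout.orderId, amount: checkout.total, currency: "USD" };
}

// Hardened: ignore any price or total from the client and re-price every line
// from the server's menu. Unknown items and bad quantities are rejected rather
// than priced at zero.
function buildProcessorRequestHardened(checkout, menu = MENU) {
  let total = 0;
  for (const item of checkout.items) {
    if (!Object.prototype.hasOwnProperty.call(menu, item.sku)) {
      throw new Error(`unknown item: ${item.sku}`);
    }
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > 99) {
      throw new Error(`bad quantity for ${item.sku}`);
    }
    total += menu[item.sku] * item.qty;
  }
  return { reference: checkout.orderId, amount: total, currency: "USD" };
}

// Server-side pricing alone is not enough if the browser can still edit the
// amount on its way to the processor. Record what the server expects for each
// order and accept the processor's callback only if the captured amount
// matches. A real integration also authenticates the callback itself (e.g. a
// processor signature), which is omitted here to keep the example focused.
const EXPECTED_AMOUNTS = new Map(); // orderId -> amount in cents

function recordOrder(processorRequest) {
  EXPECTED_AMOUNTS.set(processorRequest.reference, processorRequest.amount);
}

function acceptPaymentCallback(callback) {
  const expected = EXPECTED_AMOUNTS.get(callback.reference);
  if (expected === undefined) return { ok: false, reason: "unknown order" };
  if (callback.status !== "captured") return { ok: false, reason: "not captured" };
  if (callback.amount !== expected) return { ok: false, reason: "amount mismatch" };
  return { ok: true, reason: "" };
}

// Stand-alone demonstration: the same tampered request charges 50 cents via
// the vulnerable path and 1198 cents via the hardened path, and a callback
// reporting the tampered amount is rejected.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable charges:", buildProcessorRequestVulnerable(TAMPERED_CHECKOUT).amount);
  const hardened = buildProcessorRequestHardened(TAMPERED_CHECKOUT);
  console.log("hardened charges:", hardened.amount);
  recordOrder(hardened);
  console.log(acceptPaymentCallback({ reference: "A1001", amount: 50, status: "captured" }));
  console.log(acceptPaymentCallback({ reference: "A1001", amount: hardened.amount, status: "captured" }));
}
```

The point of the second half is that the processor is a separate system: it will happily capture 50 cents if that is what it is asked for, so the merchant must compare the captured amount against its own record of the order before releasing the food.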