SQL Injection bug in Zendesk’s SaaS Platform
Well, SQL injection bugs are nothing to write home about. We routinely ignore SQL injection news in CyberInsights. What caught our attention on this one is that Zendesk was already using SQL injection filters. How then did they have a bug?
Zendesk was using SQL queries nested within GraphQL. GraphQL is a query language built for APIs. With API-driven software architecture, GraphQL is getting quite popular within the dev community.

The article goes on to explain how the researchers identified the bug. Definitely worth reading for red teamers and blue teamers.
Take Action:
Ask your dev team to identify queries that have multiple wrappers around them. Then, ask your security testing team to pay special attention to the APIs that the wrappers are used for.
Prepare a list of all APIs each of your products offers and ensure they get tested at regular intervals for security bugs. Routine pentesting might not get you there; you might need developers to work hand in glove with the security testers.
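To make the "wrapper" point concrete, here is an added illustration (not Zendesk's code, and not from the article): a hypothetical GraphQL field resolver whose SQL is built one layer below the API surface, first by string concatenation and then in its parameterized form. The ticket table and its rows are a constructed fixture; a legitimate requester name containing a quote is enough to show that only the parameterized resolver treats the argument as data.

```python
import sqlite3

# Constructed in-memory fixture standing in for a ticket store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER, requester TEXT, subject TEXT)")
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?)",
        [(1, "alice", "Login broken"), (2, "O'Brien", "Refund request")],
    )
    return conn

# Hypothetical resolver for a GraphQL field such as tickets(requester: String!).
# The SQL is assembled here, below the GraphQL layer, so a filter that only
# inspects the GraphQL document never sees the statement that actually runs.
def resolve_tickets_unsafe(conn, requester):
    sql = "SELECT id, subject FROM tickets WHERE requester = '" + requester + "'"
    return conn.execute(sql).fetchall()

# Hardened form of the same resolver: the argument is bound as a parameter,
# so the database driver never interprets it as part of the SQL grammar.
def resolve_tickets_safe(conn, requester):
    sql = "SELECT id, subject FROM tickets WHERE requester = ?"
    return conn.execute(sql, (requester,)).fetchall()

# Run both resolvers on one GraphQL argument value and report what each did.
# Returns (safe_result, unsafe_result) where unsafe_result is the row list or
# the string "OperationalError" if the concatenated statement failed to parse.
def compare(requester):
    conn = make_db()
    safe = resolve_tickets_safe(conn, requester)
    try:
        unsafe = resolve_tickets_unsafe(conn, requester)
    except sqlite3.OperationalError:
        unsafe = "OperationalError"
    return safe, unsafe

if __name__ == "__main__":
    # A plain name: both resolvers agree.
    print(compare("alice"))
    # A name with a quote: the parameterized resolver still finds the row,
    # while the concatenated one produces a malformed statement.
    print(compare("O'Brien"))
```

The mismatch on the second input is the same class of defect the article describes: the data and the statement are only separated when binding happens at the SQL layer, not by filtering at the API layer above it.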
Trust all the way down…
In CyberInsights, we routinely talk about Zero Trust. However, achieving it is a tough ask. Read this post for some eye-openers on the concept of ‘trust’ in cybersecurity.
A company registered in Panama, TrustCor Systems, is allowed to act as a root certificate authority and is trusted by the most popular browsers.
A root certificate authority is a company that verifies the certificates issued to websites (that little green lock that all trainings talk about). When you create a website, you get a certificate for it to show that it is genuine.
This company has the same officers, agents and partners as a spyware maker as per this post! This could mean nothing, but as cybersecurity professionals, isn’t it our job to verify? Read this post and this one for more info. We will follow this thread and keep you posted if there are further updates.
Take Action:
Keep an eye out for news about root CAs and their trust. Any news questioning their authenticity should trigger a little alert for all cybersecurity professionals.