In preparation for the seminar about testing web application security I decided to go through the websites of ministries, federal agencies and services to see how things are going with security.
At the same time, I did not look at whether the server as a whole could be attacked; I checked only the sites themselves for basic vulnerabilities: XSS, SQL injection, command injection. I did not go through all forty of them, only about half. Of those:
- 5 sites subject to passive XSS,
- 1 site subject to blind SQL injection,
- 1 site subject to SQL injection where UNION can be used,
- 3 sites reveal details of their internal setup: 2 of them expose phpinfo, and 1 returns error messages with debug information,
- 1 site is vulnerable to command injection; this is the most serious problem I came across.
In general, I would not say that everything is bad, despite the existence of certain problems.
But here's what I would like to know: is there any kind of unified service responsible for the information security of all the websites of ministries and departments (at least for security, functionality aside)? Or is each one responsible for itself?