Another week, another ransomware outbreak. On Tuesday, we saw another variant of ransomware spreading, worm-style, across unsecured networks within large organisations. As with the WannaCry outbreak in May, large global corporations have been affected, and infections have spread from their initially-compromised hosts across internal networks. NotPetya hasn't received as much press as WannaCry did, but from a security perspective it does, at the moment, look far more interesting.
Sanitisation of user input is essential for preventing SQL injection, regardless of the format of the supplied data. Today I'm going to look at SQL injection through a more obscure injection point: serialized PHP arrays. Taking inspiration from a finding in a recent test, I've created a small app which allows the user to upload a CSV file. This file is then converted to a PHP array, serialized and returned to the user as a hidden form field. Finally, this is posted back to the application where the supplied data is inserted into the MySQL database.
Cyberis is an innovative cyber security consultancy based in Tewkesbury. We deliver industry-leading technical assurance and cyber security advice, including penetration testing and simulated attacks, to our customers across a wide range of verticals.
We are hiring highly motivated and enthusiastic candidates to join our team of cyber security consultants providing high-quality targeted assurance, advice and guidance to our customers. Our vision is to build the most respected team in the information security industry.
Another ransomware attack hits, this time on a scale never seen before. The spread has gone viral across a large and crucial network – the network underpinning the UK's National Health Service.
There are three main differences between this attack and previous ransomware incidents.