Cross-site scripting and SQL injection attacks are well-known threats for public-facing Web applications, but internal systems can be attacked as well. For example, about half of network management systems studied had these vulnerabilities, according to a report released today.
It all comes down to input validation, or lack of it, said Deral Heiland, research lead at Boston-based Rapid7, Inc. and one of the authors of the report.
Network management systems are in regular communication with the devices on a company’s network. But because the communications are machine-to-machine, people sometimes forget that the inputs still need to be checked to make sure there’s nothing weird or malicious in there.