This report represents a security audit performed by Digital Jewels Limited. It contains information about the state of Internet-facing sites operated by Nigerian banks. The report intends to highlight some of the commonly found threats and vulnerabilities on websites generally, with a focus on the Nigerian banking sector as a whole. The audit was performed on 20 network resources, all 20 of which were found to be active and were scanned.

There were 282 vulnerabilities found during this scan. Of these, 39 were critical vulnerabilities. Critical vulnerabilities require immediate attention: they are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 206 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems. There were 37 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting subsequent attacks on the banks’ networks. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities. Critical vulnerabilities were found to exist on 7 of the systems, making them the most susceptible to attack. 17 systems were found to have severe vulnerabilities. Moderate vulnerabilities were found on 18 systems. It is interesting to note that no systems were free of vulnerabilities.
The 2013 OWASP Top Ten lists Injection and Cross-Site Scripting among the 3 most commonly detected vulnerabilities in web applications. Two common services, HTTP and MySQL, accounted for at least 225 of the vulnerabilities discovered across systems from different organisations during the period of the scan. A quick internet search shows that numerous resources and tools are readily available to exploit such vulnerabilities with devastating results. For example, attackers can use common SQL vulnerabilities to access the admin panel of a website, run scripts, and even take control of the entire website and everything on it. This holds serious consequences for bank web applications, which will usually have to interact with databases holding data such as lists of customers and their email addresses, or financial information. In summary, because web applications are globally visible, vulnerable hosts are very easy to find and exploits are relatively easy to develop, they present a large and attractive target for attackers. They may also provide a stepping stone into more sensitive parts of the victim organisation’s network.
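To make the SQL injection class named above concrete from a defender's side, the following is an added example (not code from the report or from any audited bank) showing a login query built by string concatenation beside the same query written with bound parameters. The in-memory SQLite table, the column names and the credential values are all constructed for this illustration; the point is that the parameterised form keeps the query shape fixed no matter what the user submits, which is the standard remediation.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, pw_hash TEXT, is_admin INTEGER)"
    )
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-pw', 1)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw', 0)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, pw_hash):
    """Defect: user-controlled strings become part of the SQL text itself.

    A username containing a quote and a comment marker rewrites the WHERE
    clause, so the password check can be dropped entirely.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, pw_hash):
    """Fix: the statement is fixed; values travel as bound parameters.

    The database driver never interprets the values as SQL, so the same
    malformed username simply matches no row.
    """
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()


if __name__ == "__main__":
    db = build_db()
    # Constructed malicious input: closes the string and comments out the rest.
    bad_user = "admin' --"
    print("vulnerable:", login_vulnerable(db, bad_user, "wrong"))     # ('admin',)
    print("parameterized:", login_parameterized(db, bad_user, "wrong"))  # None
```

Running the block prints a matched admin row for the concatenated query and `None` for the parameterised one, given identical input. The same bound-parameter pattern applies to every database API the page's affected services would use; a code review or static scan that flags any SQL built with `+` or string formatting is the quickest way to find the concatenated form in an existing code base.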