Netsparker's Web Application Security Blog

Sven Morgenroth Talks About PHP Type Juggling on Paul's Security Weekly Podcast

Category: Web Security Readings - Last Updated: Tue, 18 Sep 2018 - by Robert Abela

Watch episode #572 of Enterprise Security Weekly in which Sven Morgenroth, one of Netsparker's Security Researchers, talks about data types and type comparisons in PHP. Sven then demonstrates vulnerabilities that can arise due to loose PHP comparisons, including Authentication Bypasses, crypto-related flaws and Hashing Algorithm Disclosure. Read More

Vulnerability Assessments and Penetration Tests – What's the Difference?

Category: Web Security Readings - Last Updated: Thu, 06 Sep 2018 - by Dawn Baird

This blog examines the difference between vulnerability assessments and penetration tests by defining both, and explaining the different results each produces. It also contains advice as to which approach your organization should adopt, and the scenarios that help determine this choice. There's guidance on which to use and how much it might cost. Read More

Final Nail in the Coffin of HTTP: Chrome 68 and SSL/TLS Implementation

Category: Web Security Readings - Last Updated: Thu, 30 Aug 2018 - by Ziyahan Albeniz

In this blog post, our Security Researcher Ziyahan Albeniz examines the latest Chrome release, which makes secure web connections the new standard by checking the validity of secure TLS certificates. This article examines encryption keys, certificates and certificate authorities, HSTS, HPKP, SRI and CSP, and concludes with some code examples. Read More

Leverage Browser Security Features to Secure Your Website

Category: Web Security Readings - Last Updated: Tue, 14 Aug 2018 - by Ziyahan Albeniz

On June 27, 2018 Ticketmaster UK announced a data breach incident. This time, one of JavaScript's unexpected limitations prevented a security incident – at least for Turkish users. This blog post discusses how leveraging browser security features, such as Subresource Integrity and Content Security Policy could have secured their website. Read More

What the Reddit Hack Teaches Us About Web Security

Category: Web Security Readings - Last Updated: Tue, 14 Aug 2018 - by Ziyahan Albeniz

Reddit announced that they had been the victim of an elaborate hack. The attackers accessed email digests of August 2018 and the entire 2007 database backup which included old salted and hashed user passwords. They also compromised a few accounts of Reddit employees by intercepting the SMS used in 2FA. Read More

Exploiting a Microsoft Edge Vulnerability to Steal Files

Category: Web Security Readings - Last Updated: Wed, 01 Aug 2018 - by Ziyahan Albeniz

This blog post documents our Security Researcher Ziyahan Albeniz's experiment in exploiting a Microsoft Edge browser vulnerability. He explains how a combination of SOP, the ability to email clickable links and a vulnerability in both the Windows Mail and Calendar applications actually enable the exploit. It includes his Proof of Exploit video. Read More

Ferruh Explains Why Web Application Security Automation is a Must in Enterprises

Category: Web Security Readings - Last Updated: Wed, 25 Jul 2018 - by Dawn Baird

Watch episode #98 of Enterprise Security Weekly, in which Ferruh Mavituna, our CEO, talks about penetration testing versus dynamic scanning tools, such as Netsparker; the differences between Waterfall and Agile methodologies; addressing vulnerabilities early in the SDLC; static integration; accuracy and trust; bug bounties; and workflow management. Read More

What is an osquery Injection and How Does it Work?

Category: Web Security Readings - Last Updated: Thu, 19 Jul 2018 - by Omer Citak

This blog post examines osquery, a framework that enables developers to write SQL-based queries that explore system data. It includes instructions for how to install osquery on the Ubuntu operating system. It also explores what osquery allows you to do and concludes with an examination of the osquery library and injection. Read More

Server-Side Template Injection Introduction & Example

Category: Web Security Readings - Last Updated: Thu, 12 Jul 2018 - by Sven Morgenroth

This article introduces Server Side Templates and explains why and how they can be susceptible to Server-Side Template Injection vulnerabilities. It includes examples of HTML, PHP and CSS code and concludes with a list of recommendations on how to protect your web applications from attacks that exploit SSTI vulnerabilities. Read More

Ferruh Mavituna Interviewed About Web App Security by Byron Acohido

Category: News - Last Updated: Thu, 28 Jun 2018 - by Robert Abela

Ferruh Mavituna is interviewed about the growing success of Netsparker, and how Netsparker has anticipated and adapted to some of the largest trends in the digital transformation. Netsparker's focus on web apps, cloud based environments, and scanning to scale, all contribute to its success, as well as its core focus on automation and accuracy. Read More

Sumeru Solutions – Netsparker Case Study

Category: News - Last Updated: Thu, 21 Jun 2018 - by Robert Abela

Sumeru Solutions is a software development company that makes banking and information security solutions, and mobile apps. They selected Netsparker to automate and speed up their web scanning processes because of its rapid configurability, ease of use, reliability, lack of false positives, and ability to handle a larger range and scale of products. Read More

Ferruh Mavituna Is Interviewed About Netsparker at RSA Conference 2018

Category: News - Last Updated: Fri, 15 Jun 2018 - by Netsparker Team

Ferruh Mavituna chatted with John Dasher at the RSA Conference 2018 about Netsparker's powerful ability as a tool to find web application security vulnerabilities accurately, quickly, early, and automatically, in a way that brings scalability, visibility and connectivity to the entire security scanning process, from planning to product deployment. Read More

May 2018 Netsparker Update – New plans, UI & Single Sign-on Support

Category: Releases - Last Updated: Thu, 24 May 2018 - by Robert Abela

May 2018 Netsparker update – New Netsparker Team and Enterprise plans, new UI for Netsparker Desktop, Single Sign-On support and Smart card support in authenticated scans are just a few of the new features and updates we have included in this release. Read these release notes for more information. Read More

Netsparker Plans & Editions Integration

Category: Product Docs & FAQS - Last Updated: Thu, 24 May 2018 - by Robert Abela

The Netsparker web application security solution is available via three different plans through which users will have access to both Netsparker Desktop and Netsparker Cloud. Plans also allow users to easily share scan and vulnerability data between the two editions of Netsparker. Read More