Netsparker's Web Application Security Blog

Netsparker Announces New Application & Websites Discovery Service

Category: News - Last Updated: Tue, 11 Dec 2018 - by Dawn Baird

Netsparker announces a new feature for Netsparker Enterprise that acts as an application and service discovery tool. Netsparker Radar – Application & Service Discovery Service enables you to locate your enterprise's online collateral, websites and services, which you can then add to Netsparker to scan, helping you reduce threats and increase security.

Netsparker and GitLab Integration

Category: News - Last Updated: Tue, 11 Dec 2018 - by Robert Abela

Netsparker announces a new integration capability between Netsparker Enterprise and GitLab. GitLab is a web-based Git repository manager that provides CI/CD pipeline features, enabling you to add CI configuration to your source control using just one file, and gain access to our advanced integration functionality.

Tabnabbing Protection Bypass

Category: Web Security Readings - Last Updated: Thu, 06 Dec 2018 - by Ziyahan Albeniz

This blog post includes a discussion of URLs, their structure, how they can contain sensitive information and why it's so difficult to parse them without introducing vulnerabilities. We include an example of how a parsing error led to a Window Opener Protection Bypass.

Bypass of Disabled System Functions

Category: Web Security Readings - Last Updated: Tue, 04 Dec 2018 - by Netsparker Security Team

In this article, our Security Researchers examine the explicit code of the disabled system functions bypass, including the parameters of the imap_open function, the IMAP server types and SSH connection, and the -oProxyCommand in the exploit. They conclude with some methods to protect yourself against this bypass method.

Fragmented SQL Injection Attacks – The Solution

Category: Web Security Readings - Last Updated: Thu, 29 Nov 2018 - by Ziyahan Albeniz

In this blog post, we discuss the research on Fragmented SQL Injection, where attackers control two entry points in the same context in order to bypass the authentication form. Our security researcher looks at the importance of single quotes in SQL injection attacks and the solution, Prepared Statements, also known as Parameterized Queries.

Web Browser Address Bar Spoofing

Category: Web Security Readings - Last Updated: Thu, 15 Nov 2018 - by Ziyahan Albeniz

This blog post looks at two address bar spoofing incidents. The first involved the Homograph vulnerability, where attackers used the IDN feature to trick users by imitating legitimate characters. The second involved Edge and Safari, in which visitors redirected to another website were intercepted by attackers. Code samples are included.

The Powerful Resource of PHP Stream Wrappers

Category: Web Security Readings - Last Updated: Wed, 14 Nov 2018 - by Ziyahan Albeniz

This blog post examines how PHP stream wrappers can be used to bypass keyword-based blacklists. It includes an examination of the generic functions that can be used to interact with streams, the concept of stream contexts and stream filters. It also looks at PHP wrappers in RFI attacks and bypassing blacklists. Code samples are supplied throughout.

Pros and Cons of DNS Over HTTPS

Category: Web Security Readings - Last Updated: Thu, 01 Nov 2018 - by Sven Morgenroth

This blog post introduces the Domain Name System and what happens when a browser issues a DNS request. It then explains the technical basics of its successor, DNS Over HTTPS (DoH), why it is unavailable on your Android phone and how to circumvent this. Finally, it examines whether it enhances security and privacy, and how to disable it.

The Dangers of Open Git Folders

Category: Web Security Readings - Last Updated: Thu, 18 Oct 2018 - by Ziyahan Albeniz

This blog post examines the research of Finnish computer scientist Vladimir Smitka on the dangers of publicly exposed Git version control folders. We discuss his results, how prevalent the problem is, why the structure of Git makes it so convenient for hackers, how you can check if your Git folder is open and how to protect your folders.

NoScript Vulnerability in Tor Browser

Category: Web Security Readings - Last Updated: Thu, 11 Oct 2018 - by Ziyahan Albeniz

This blog post discusses the 0-Day vulnerability introduced into the Tor Browser's NoScript script blocking extension, originally designed to allow users to block JavaScript from running, and how it could have been disabled in order to potentially unmask Tor users with a JavaScript exploit. It includes an explanation of the exploit code.

September 2018 Update for Netsparker Enterprise

Category: Releases - Last Updated: Wed, 03 Oct 2018 - by Robert Abela

This blog post announces new features, improvements, security checks and bug fixes in the latest Netsparker Enterprise release of September 2018. Highlights include: integration with ServiceNow and Slack, a new Report Policy Editor, and Security Check updates similar to those just released in Netsparker Standard 5.1.

September 2018 Update for Netsparker

Category: Releases - Last Updated: Tue, 25 Sep 2018 - by Robert Abela

This blog post announces new features, improvements, security checks and bug fixes in the latest Netsparker Desktop release of September 2018. Highlights include: a new bulk export to cloud feature, send to integration support for ServiceNow and custom field support for send to fields.

How to Integrate Netsparker Cloud with Slack

Category: Product Docs & FAQS - Last Updated: Tue, 25 Sep 2018 - by Duran Serkan Kilic

Slack is a team messaging system that facilitates communication in enterprise teams with a series of channels. This topic explains how to integrate Netsparker Cloud with Slack, manage integrations, configure a notification to report security issues to a Slack channel or Direct Message (DM) and view notifications while creating a scan.