Netsparker's Web Application Security Blog

June 2019 Update for Netsparker Enterprise

Category: Releases - Last Updated: Mon, 17 Jun 2019 - by Gokhan Demir

This blog post announces updates for June’s 2019 release of Netsparker Enterprise. Highlights include auto update support for scanner agents, API endpoints for managing issues, and a new Managing Issues (Restricted) permission. There are also new scan policies for PCI and OWASP, a Best Practice severity level, and support for OAuth2 and RESTful API. Read More

Announcing the Enterprise Web Security Best Practices Whitepaper

Category: Web Security Readings - Last Updated: Fri, 14 Jun 2019 - by Netsparker Security Team
Announcing the Enterprise Web Security Best Practices Whitepaper

This blog post announces the publication of a whitepaper by Netsparker on Enterprise Web Security Best Practices: How To Build a Successful Security Process. This whitepaper provides instructions on how to build and scale a successful security process. Included is a best practices workflow compiled from industry leaders from years of experience. Read More

Ferruh Mavituna Talks About Discovering Websites on Business Security Weekly #129

Category: Web Security Readings - Last Updated: Tue, 11 Jun 2019 - by Allen Baird
Ferruh Mavituna Talks About Discovering Websites on Business Security Weekly #129

Netsparker CEO Ferruh Mavituna is interviewed on Business Security Weekly about the importance of an asset discovery service. He discusses the need for a multi-layered approach, the place of discovery in the SDLC, the use of Netsparker as a pre-purchase software check, the importance of visibility and accountability, and the need for automation. Read More

Celebrating 10 Years of Netsparker

Category: News - Last Updated: Thu, 06 Jun 2019 - by Netsparker Security Team
Celebrating 10 Years of Netsparker

This month, Netsparker celebrates its 10th birthday. In those 10 years, we’ve grown into a market leader and have helped hundreds of organisations along the way. Our Netsparker editions have developed significantly in this decade to respond to different security threats and the need to scale up for enterprises. Thanks for joining us on the journey! Read More

Frame Injection Attacks

Category: Web Security Readings - Last Updated: Thu, 30 May 2019 - by Ziyahan Albeniz
Frame Injection Attacks

This blog post examines Frame Injection attacks. It describes briefly the history of the invention and development of frames, what Frame Injection attacks and hijacks mean in terms of security, and what you can do to prevent them. It also compares Frame Injection attacks with Cross-site Scripting, which is often a priority for bug bounty hunters. Read More

SameSite Cookies by Default in Chrome 76 and Above

Category: Web Security Readings - Last Updated: Fri, 24 May 2019 - by Ziyahan Albeniz
SameSite Cookies by Default in Chrome 76 and Above

The SameSite cookie attribute is used by browsers to control cookie requests and increase security. This article explains what the SameSite cookie attribute is and the different security levels to which it applies. It also describes upcoming changes to the Same Site attribute on Chrome and the new ‘Cookies without SameSite must be secure’ feature. Read More

Sven Morgenroth Talks About How Facebook Stored Millions of Passwords in Plain Text on Hack Naked News #212

Category: News - Last Updated: Thu, 16 May 2019 - by Netsparker Security Team
Sven Morgenroth Talks About How Facebook Stored Millions of Passwords in Plain Text on Hack Naked News #212

This article examines how Facebook has stored hundreds of millions of users’ passwords in plain text since 2012. On Hack Naked News #212, Netsparker security researcher Sven Morgenroth talks about the origin of this news story, the statistics involved, the security problems it has created for Facebook and its users, and what they can do about it. Read More

Content-Type and Status Code Leakage

Category: Web Security Readings - Last Updated: Tue, 14 May 2019 - by Ziyahan Albeniz
Content-Type and Status Code Leakage

This blog post explores the issue of content-type and status code leakage. It examines the meaning of HTTP status codes and their effect when used with HTML attributes. The typemuchmatch HTML attribute receives special attention. It also explains how to prevent data leaks, and emphasizes the importance of correct implementation. Read More

Ferruh Mavituna is Interviewed About Netsparker by Help Net Security

Category: News - Last Updated: Tue, 07 May 2019 - by Allen Baird
Ferruh Mavituna is Interviewed About Netsparker by Help Net Security

Ferruh Mavituna is interviewed about Netsparker by Help Net Security. The interview focuses on how Netsparker accurately identifies web application vulnerabilities without false positives using its unique Proof-Based technology, prioritizes fixes, prevents bottlenecks in development, discovers services, and deals with the growing problem of scalability. Read More

New OAuth2 Authentication Feature

Category: News - Last Updated: Wed, 24 Apr 2019 - by Huseyin Tufekcilerli

From March 2019, Netsparker Standard will support the OAuth2 authentication framework. This new feature means that users will now be able to configure scans for websites that require OAuth2 authentication. This is one of the March 2019 Updates for the new release of Netsparker Standard 5.3. Read More

Netsparker Will Be Sponsoring and Exhibiting at the PHPKonf 2019 in Istanbul

Category: Events - Last Updated: Thu, 11 Apr 2019 - by Daniel Bishtawi
Netsparker Will Be Sponsoring and Exhibiting at the PHPKonf 2019 in Istanbul

This May, our team will be exhibiting the Netsparker Web Application Security Scanner at PHPKonf 2019 in Istanbul. We are also sponsoring the event, and one of our security researchers is delivering a talk. Visit us to answer questions about automatically detecting vulnerabilities or to learn more about Netsparker, our dead accurate web security scanner. Read More

WordPress XSS Vulnerability Can Result in Remote Code Execution (RCE)

Category: Web Security Readings - Last Updated: Tue, 09 Apr 2019 - by Ziyahan Albeniz
WordPress XSS Vulnerability Can Result in Remote Code Execution (RCE)

This article discusses vulnerabilities in older versions of WordPress due to its pingback and trackback features, and flawed sanitizing mechanism. It describes how attackers can use HTML tags to bypass sanitizing and insert an XSS payload using the WordPress flaw. Finally, it concludes with advice on how to fix the vulnerability in WordPress. Read More

Announcing the Deobfuscating JavaScript White Paper

Category: Web Security Readings - Last Updated: Thu, 04 Apr 2019 - by Netsparker Security Team
Announcing the Deobfuscating JavaScript White Paper

This blog post announces the publication of a White Paper called Deobfuscating JavaScript Code: A Steam Phishing Website, which examines a real world example of obfuscation in a phishing page that aimed to steal Steam Account credentials. It charts the different phases and techniques used in the unobfuscation process, as the code is cleaned. Read More