Author Archives Netsparker Security Team

The Low Orbit Ion Cannon (LOIC) is a network stress testing application for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks that has been used by hacktivists. This article describes how the LOIC works, its limitations, and why it is popular. Finally, it offers advice on how to defend against LOIC attacks. Read More

Anti-CSRF tokens protect against cross-site request forgery attacks. This article explains the basics of anti-CSRF tokens, including how to generate and verify them. It then describes anti-CSRF protection for specific forms and each request. Finally, it examines issues on CSRF protection, such Ajax, login and non-persisted tokens. Read More

Man-in-the-Middle (MiTM) attacks are a way for hackers to steal information. This article explains how MiTM and sniffing attacks differ. It lists three areas where MiTM attacks occur – public networks, personal computers and home routers. It describes the stages and techniques of how MiTM attacks work. Finally, it provides tips on avoiding attacks. Read More

This blog post announces the publication of a whitepaper by Netsparker on Enterprise Web Security Best Practices: How To Build a Successful Security Process. This whitepaper provides instructions on how to build and scale a successful security process. Included is a best practices workflow compiled from industry leaders from years of experience. Read More

This month, Netsparker celebrates its 10th birthday. In those 10 years, we’ve grown into a market leader and have helped hundreds of organisations along the way. Our Netsparker editions have developed significantly in this decade to respond to different security threats and the need to scale up for enterprises. Thanks for joining us on the journey! Read More

This article examines how Facebook has stored hundreds of millions of users’ passwords in plain text since 2012. On Hack Naked News #212, Netsparker security researcher Sven Morgenroth talks about the origin of this news story, the statistics involved, the security problems it has created for Facebook and its users, and what they can do about it. Read More

This article explains the three different types of cross-site scripting (XSS) vulnerability. It also uses examples to highlight how attackers can exploit such vulnerability and what you, as a developer can do to prevent XSS Vulnerabilities in your web applications. Read More

This blog post announces the publication of a White Paper called Deobfuscating JavaScript Code: A Steam Phishing Website, which examines a real world example of obfuscation in a phishing page that aimed to steal Steam Account credentials. It charts the different phases and techniques used in the unobfuscation process, as the code is cleaned. Read More

We announce the Netsparker Standard 5.3 update, released in March 2019. Highlights are Scan Policies for PCI and OWASP Top Ten. Other new features are: Netsparker Assistant; scan performance upgrades; OAuth2 authentication; added Integration options for Azure DevOps, Redmine and Bugzilla; a Best Practice Severity Level; and RESTful API features. Read More

This blog post announces the publication of a Security of Cookies Whitepaper by Netsparker security researchers. The white paper discusses why cookies are used in applications, how they work, their attributes, and how to modify them. It analyzes the protection and security of session cookies, concluding with recommendations for extra measures. Read More

Web application security not only requires the detection of vulnerabilities but also their severity ranking. The Common Vulnerability Scoring System is an independent system that categorizes and grades vulnerabilities. This article examines the details of how CVSS works, provides examples, and explains how Netsparker uses CVSS in reports. Read More

This blog post discusses the problems with DNS requests, whether they can be blocked using a firewall and how they compare with HTTP. It also examines a DNS-based file system proposed by Ben Cox designed to store files in the caches of DNS resolvers. Read More

Netsparker will no longer support TLS 1.0 from 14 January 2019. This will affect all HTTPS traffic to Netsparker, including: software updates, the licensing process for Netsparker and vulnerability database updates. Netsparker requests that all users encountering issues should update their settings or contact Netsparker Support. Read More

This blog post announces the new features and improvements in the latest Netsparker Standard release of December 2018. Highlights include: a rewritten sitemap and issues panel, a new family vulnerabilities feature, added support for 64-bit smart card drivers and Swagger 3.0 Importer, and several send to integration additions. Read More

This article discusses research by Princeton and UC Berkeley on web-based attacks involving the Internet of Things (IoT) devices. These attacks were able to discover, hack and take control of IoT devices. We examine the duration and phases of these attacks, and conclude by suggesting some web security countermeasures. Read More

In this article, our Security Researchers examine the explicit code of the disabled system functions bypass, including the parameters of the imap_oprn function, the IMAP server types and SSH connection, and the -oProxyCommand in the exploit. They conclude with some methods to protect yourself against this bypass method. Read More

This article examines the latest attack vector to surface: using Google Bots. It examines how search engines sue bots to help index websites, explains how such attacks happen and how to counter them. Code samples are included. Read More

This blog examines incorrect CSP implementations on the New Yorker and Blogger, common issues in CSP implementations and solutions, how to determine if your CSP implementation is problematic and how to test it with the Report Only monitoring mode. It also lists CSP directives and their keywords, and how to use CSP correctly. Read More

Can private data be stolen by employing a CSS Injection? Why are hackers so determined? This article explores Cyber and Information Security expert Mike Gualtieri's experiments with CSS Exfil and the use of CSS Attribute Selectors. It concludes with a few pointers on how to avoid this type of attack and the need for a Content Security Policy. Read More

In this week's edition of our security roundup: why you should be careful what you put into your composer.json file, why you need to use a Package Manager, the Principle of Least Privilege and DNS Rebinding Read More