Author Archives Netsparker Security Team

In this article, our Security Researchers examine the explicit code of the disabled system functions bypass, including the parameters of the imap_oprn function, the IMAP server types and SSH connection, and the -oProxyCommand in the exploit. They conclude with some methods to protect yourself against this bypass method. Read More

This article examines the latest attack vector to surface: using Google Bots. It examines how search engines sue bots to help index websites, explains how such attacks happen and how to counter them. Code samples are included. Read More

This blog examines incorrect CSP implementations on the New Yorker and Blogger, common issues in CSP implementations and solutions, how to determine if your CSP implementation is problematic and how to test it with the Report Only monitoring mode. It also lists CSP directives and their keywords, and how to use CSP correctly. Read More

Can private data be stolen by employing a CSS Injection? Why are hackers so determined? This article explores Cyber and Information Security expert Mike Gualtieri's experiments with CSS Exfil and the use of CSS Attribute Selectors. It concludes with a few pointers on how to avoid this type of attack and the need for a Content Security Policy. Read More

In this week's edition of our security roundup: why you should be careful what you put into your composer.json file, why you need to use a Package Manager, the Principle of Least Privilege and DNS Rebinding Read More

In this week's edition of our security roundup: Thanks to Chrome's new Site Isolation feature, the X-Content-Type-Options header is more important than ever. Read More

In this week's edition of our security roundup: directory listings can lead to account takeover, accessibility and security of US government websites and certification authority with AlwaysOnSSL. Read More

In this week's edition of our security roundup: The Impact of Meltdown and Spectre On the Web and HTTP Verb Tampering and a phpMyAdmin Cross-Site Request Forgery. Read More

In this week's edition of our security roundup: HPKP and HSTS preload bypasses, a vBulletin LFI on Windows hosts and three creative sources of user input in order to exploit XSS vulnerabilities. Read More

A weekly security roundup by Netsparker for week 51 of 2017 - We examine the differences between the latest version of OWASP Top 10 and its predecessor. We also delve into the Mailspoilt vulnerability, security issues with EV Certificates and Google's .dev Support. Read More