Author Archives Zbigniew Banach

The POODLE attack exploits protocol fallback from TLS to SSL 3.0 to reveal information from encrypted HTTPS communication. Discovered in 2014, this network attack demonstrated that SSL 3.0 should never be used again, not even as a legacy fallback. This article provides a high-level overview of the POODLE vulnerability and the fate of SSL 3.0. Read More

Dynamic application security testing (DAST) for web applications has come a long way from its modest beginnings a decade ago. This article debunks the top 5 myths about DAST, as discussed by Netsparker CEO Ferruh Mavituna on Enterprise Security Weekly #188. Read More

Web application programming interfaces (APIs) provide the back end for modern web and mobile applications and account for over 80% of all web traffic. REST APIs are the most common type of web API for web services, so let’s see what you can do to ensure REST API security. Read More

Web application security is a complex and dynamic field of cybersecurity. Fortunately, there are a few things that you can do to bring quick and measurable improvements to your web application security posture. Read More

The global cybersecurity skills shortage is no secret. Analysts estimate that by 2021, over 4 million cybersecurity jobs will be unfilled. With cybercrime continually on the rise and information security high on the agenda of organizations, the demand for cybersecurity professionals keeps growing. The cybersecurity skills gap is real and it’s here to stay – so what can you do? Read More

Modern browsers support many HTTP headers that can improve web application security to protect against clickjacking, cross-site scripting, and other common attacks. This article provides an overview of HTTP security headers, as presented by Netsparker security researcher Sven Morgenroth in a recent interview on Security Weekly. Read More

NoSQL injection vulnerabilities allow attackers to inject code into commands for databases that don’t use SQL queries, such as MongoDB. Let’s see how NoSQL injection differs from traditional SQL injection and what you can do to prevent it. Read More

Is it really so hard to write secure code? You’re probably asking yourself this question every time we get news of yet another high-profile vulnerability. What does it take to ensure web application security in the real world? Read More

Injection attacks exploit a variety of vulnerabilities to supply untrusted user input which the application then executes. Let’s take a look at our top 5 injection attacks to see how they work and what you can do to prevent them. Read More

Format strings are used in many programming languages to insert values into a text string. In some cases, this mechanism can be abused to perform buffer overflow attacks, extract information or execute arbitrary code. Let’s take a closer look at format string vulnerabilities and see why they exist. Read More

The Netsparker Web Application Advisory program provides vulnerability disclosures for open-source software. Let’s see how the program works and analyze two recent advisories to learn more about finding and fixing common security flaws. Read More

Web application security is a dynamic field of cybersecurity and it can be hard to keep track of changing technologies, security vulnerabilities, and attack vectors. Let’s take a look at 10 web application security best practices that can help you stay in control of your security risks. Read More

When you deploy a web application security process, you need a way to track improvements and determine if your approach is bringing value to the organization. This post summarizes the key points from Enterprise Security Weekly #178, where Netsparker founder and CEO Ferruh Mavituna talked to Paul Asadoorian and Matt Alderman about measuring time to value and other aspects of web application security. Read More

Social engineering, also called social hacking, includes all methods of breaching security by exploiting human nature rather than technology. Let’s take a look at some common social engineering attacks and see what we can all do to stop them. Read More

XXE injection attacks exploit support for XML external entities and are used against web applications that process XML inputs. Attackers can supply XML files with specially crafted DOCTYPE definitions to perform attacks including denial of service, server-side request forgery (SSRF), or even remote code execution. Let’s see how XXE injection attacks work, why they are possible, and what you can do to prevent them. Read More

The coronavirus outbreak has sent the world into chaos, and cybercriminals were quick to exploit this opportunity. Malware, scams, and phishing attacks related to the COVID-19 crisis are all on the rise, as are cyberattacks on healthcare providers. Here is our view of the current cybersecurity situation and our advice on staying secure during this exceptional time. Read More

Content Security Policy (CSP) is a computer security standard that provides an added layer of protection against Cross-Site Scripting (XSS), clickjacking, and other client-side attacks that rely on executing malicious content in the context of a trusted web page. This article shows how to use CSP headers to protect websites against XSS attacks and other attempts to bypass same-origin policy. Read More

LDAP injection attacks exploit input validation vulnerabilities to inject and execute queries to Lightweight Directory Access Protocol servers. LDAP services are crucial for the daily operation of many organizations, and a successful LDAP injection attack can provide valuable information for further attacks on databases and internal applications. This article looks at how LDAP injection works and shows how it can be prevented to improve web application security. Read More

Everyone is concerned about information security, data breaches, malware, and cyberattacks, but how do you actually measure an organization’s cybersecurity? How can you quantify the current state of cybersecurity and track improvements? Every cybersecurity program needs carefully defined cybersecurity metrics – performance indicators that provide meaningful and comparable values. This article shows how to define useful cybersecurity metrics, examines the benefits they can bring, and suggests a starter set of metrics for web application security. Read More

At first glance, penetration testing and vulnerability scanning appear to be two different names for the same basic task: finding vulnerabilities. Under pressure to reduce costs, businesses may be tempted to replace penetration testers with ever-improving vulnerability scanning solutions. In reality, vulnerability scanning and penetration testing are two very different processes, and each is vital to ensure accurate vulnerability assessments and maintain a solid security posture. Let’s have a closer look at both approaches and see how they can be combined to maximize web application security. Read More