Netsparker's Web Application Security Blog

Sven Morgenroth Talks About How Facebook Stored Millions of Passwords in Plain Text on Hack Naked News #212

Category: News - Last Updated: Thu, 16 May 2019 - by Netsparker Security Team

This article examines how Facebook has stored hundreds of millions of users’ passwords in plain text since 2012. On Hack Naked News #212, Netsparker security researcher Sven Morgenroth talks about the origin of this news story, the statistics involved, the security problems it has created for Facebook and its users, and what they can do about it.

Content-Type and Status Code Leakage

Category: Web Security Readings - Last Updated: Tue, 14 May 2019 - by Ziyahan Albeniz

This blog post explores the issue of content-type and status code leakage. It examines the meaning of HTTP status codes and their effect when used with HTML attributes. The typemustmatch HTML attribute receives special attention. It also explains how to prevent data leaks, and emphasizes the importance of correct implementation.

Ferruh Mavituna is Interviewed About Netsparker by Help Net Security

Category: News - Last Updated: Tue, 07 May 2019 - by Allen Baird

Ferruh Mavituna is interviewed about Netsparker by Help Net Security. The interview focuses on how Netsparker accurately identifies web application vulnerabilities without false positives using its unique Proof-Based technology, prioritizes fixes, prevents bottlenecks in development, discovers services, and deals with the growing problem of scalability.

New OAuth2 Authentication Feature

Category: News - Last Updated: Wed, 24 Apr 2019 - by Huseyin Tufekcilerli

From March 2019, Netsparker Standard will support the OAuth2 authentication framework. This new feature means that users will now be able to configure scans for websites that require OAuth2 authentication. This is one of the March 2019 Updates for the new release of Netsparker Standard 5.3.

Netsparker Will Be Sponsoring and Exhibiting at the PHPKonf 2019 in Istanbul

Category: Events - Last Updated: Thu, 11 Apr 2019 - by Daniel Bishtawi

This May, our team will be exhibiting the Netsparker Web Application Security Scanner at PHPKonf 2019 in Istanbul. We are also sponsoring the event, and one of our security researchers is delivering a talk. Visit us to answer questions about automatically detecting vulnerabilities or to learn more about Netsparker, our dead accurate web security scanner.

WordPress XSS Vulnerability Can Result in Remote Code Execution (RCE)

Category: Web Security Readings - Last Updated: Tue, 09 Apr 2019 - by Ziyahan Albeniz

This article discusses vulnerabilities in older versions of WordPress due to its pingback and trackback features and a flawed sanitizing mechanism. It describes how attackers can use HTML tags to bypass sanitizing and insert an XSS payload using the WordPress flaw. Finally, it concludes with advice on how to fix the vulnerability in WordPress.

Announcing the Deobfuscating JavaScript White Paper

Category: Web Security Readings - Last Updated: Thu, 04 Apr 2019 - by Netsparker Security Team

This blog post announces the publication of a White Paper called Deobfuscating JavaScript Code: A Steam Phishing Website, which examines a real-world example of obfuscation in a phishing page that aimed to steal Steam Account credentials. It charts the different phases and techniques used in the deobfuscation process, as the code is cleaned.

Netsparker 5.3 – Scan Performance Upgrades

Category: Web Security Readings - Last Updated: Wed, 03 Apr 2019 - by Dogan Aydos

Netsparker 5.3 contains new scan performance upgrades that allocate computer resources better. Instead of users controlling concurrent activities, they are now controlled dynamically throughout the scan by Netsparker, based on the Requests Per Second. This will increase scan speed by allowing more activities simultaneously, without pauses or blocks.

Application Security is Vital Throughout SDLC

Category: Web Security Readings - Last Updated: Tue, 02 Apr 2019 - by Ziyahan Albeniz

Research shows that developers must be directed to write secure code and don’t have enough information about security, often copying and pasting code from the internet. This blog post examines weak ways to store user passwords, warning that strong algorithms may not be enough for security, and provides advice on how to store passwords securely.

March 2019 Update for Netsparker Standard

Category: Releases - Last Updated: Thu, 28 Mar 2019 - by Netsparker Security Team

This blog post announces the March 2019 update for Netsparker Standard. Highlights are Scan Policies for PCI and OWASP Top Ten. Other new features are: Netsparker Assistant; scan performance upgrades; OAuth2 authentication; added Integration options for Azure DevOps, Redmine and Bugzilla; a Best Practice Severity Level; and RESTful API features.

Behind the Scenes of Onion Services

Category: Web Security Readings - Last Updated: Fri, 22 Mar 2019 - by Ziyahan Albeniz

Tor is an anonymity network that provides so-called onion services so that users can hide their locations. This article explains how to start a Tor service and change your domain name. It examines research on the security risks of regular onion domains, the user habits on Tor services, and possible fixes and updates for security concerns.

Transforming Self-XSS Into Exploitable XSS

Category: Web Security Readings - Last Updated: Thu, 14 Mar 2019 - by Ziyahan Albeniz

This blog post describes an attempt by a security researcher to exploit a Cross-site Scripting (XSS) vulnerability. It explains the importance of template strings – including multi-line strings and tagged templates – in XSS filtering, how to overcome the document.domain issue, and the discovery and exploitation of Self-XSS, with reading suggestions.

The End of CoinHive and the Rise of Cryptojacking

Category: Web Security Readings - Last Updated: Thu, 07 Mar 2019 - by Ziyahan Albeniz

Cryptojacking is the unauthorized use of a computer to mine cryptocurrency. This article traces the development of Cryptojacking from ByteCoin and Monero, used by the CoinHive service. It examines how Cryptojacking works, the latest research, and content security policy solutions that limit source loading and report Cryptojacking scripts.

Sound Hijacking – Abusing Missing XFO

Category: Web Security Readings - Last Updated: Thu, 28 Feb 2019 - by Ziyahan Albeniz

This article examines a new attack on Google Docs called Sound Hijacking, which leads to the takeover of users’ audio input devices. We investigate how the attack works and conclude with an evaluation of the importance of the X-Frame-Options Header for the attack and information on which browsers support it.

PCI Scanning Announcement

Category: News - Last Updated: Tue, 26 Feb 2019 - by Gokhan Demir

From February 2019, Netsparker Enterprise will be able to conduct fully approved compliance scans to check the security of your public websites against Payment Card Industry (PCI) Security Standards Council requirements. If your websites pass, you will receive a compliance report. PCI scans are managed alongside regular Enterprise security scans.