Netsparker's Web Application Security Blog

Can Vulnerability Scanning Replace Penetration Testing?

Category: Web Security Readings - Last Updated: Fri, 28 Feb 2020 - by Zbigniew Banach

At first glance, penetration testing and vulnerability scanning appear to be two different names for the same basic task: finding vulnerabilities. Under pressure to reduce costs, businesses may be tempted to replace penetration testers with ever-improving vulnerability scanning solutions. In reality, vulnerability scanning and penetration testing are two very different processes, and each is vital to ensure accurate vulnerability assessments and maintain a solid security posture. Let’s have a closer look at both approaches and see how they can be combined to maximize web application security.

How Blind SQL Injection Works

Category: Web Security Readings - Last Updated: Fri, 21 Feb 2020 - by Zbigniew Banach

Blind SQL injection is a type of SQL injection attack where the attacker indirectly discovers information by analyzing server reactions to injected SQL queries, even though injection results are not visible. Blind SQL injection attacks are used against web applications that are vulnerable to SQL injection but don’t directly reveal information. While more time-consuming than regular SQL injection, blind SQL injection attacks can be automated to map out the database structure and extract sensitive information from the database server.

WAF Identifier Security Check

Category: Product Docs & FAQS - Last Updated: Wed, 19 Feb 2020 - by Selman Genc

Netsparker web application security scanners use many security checks to detect vulnerabilities in a scan. The Netsparker Standard 5.6 January 2020 Update introduced a new WAF Identifier security check that is enabled by default.

The Challenges of Ensuring IoT Security

Category: Web Security Readings - Last Updated: Fri, 14 Feb 2020 - by Zbigniew Banach

It’s no secret that cybersecurity and the Internet of Things don’t go well together. Thousands of IoT devices are finding their way into homes, businesses, and many other areas of our lives, but security is rarely high on device manufacturers’ list of priorities. With no industry standards for architecture or security, devices often use custom-built operating systems and proprietary communication protocols. Internet of Things security remains a veritable minefield, and problems with IoT cyberattacks and malware can only continue to grow along with the number of devices. So why is it so hard to secure IoT devices, and what can we do about it?

Form Authentication OTP Support

Category: Product Docs & FAQS - Last Updated: Wed, 12 Feb 2020 - by Can Fill

The Netsparker Standard 5.5 November 2019 Update introduced support for form authentication using an OTP, including one read from a QR code. This enables you to use two alternative methods of two-factor authentication for your web applications.

The Heartbleed Bug: How a Forgotten Bounds Check Broke the Internet

Category: Web Security Readings - Last Updated: Fri, 07 Feb 2020 - by Zbigniew Banach

The Heartbleed bug is a critical buffer over-read flaw in several versions of the OpenSSL library that can reveal unencrypted information from the system memory of a server or client running a vulnerable version of OpenSSL. Attacks can reveal highly sensitive data, such as login credentials, TLS private keys, and personal information. Let's take a closer look at one of the most serious and widespread security vulnerabilities in web history and see how just one buggy line of code could wreak havoc across the world.

Using a Cybersecurity Framework for Web Application Security

Category: Web Security Readings - Last Updated: Fri, 31 Jan 2020 - by Zbigniew Banach

A cybersecurity framework is a comprehensive set of guidelines that help organizations define cybersecurity policies to assess their security posture and increase resilience in the face of cyberattacks. Cybersecurity frameworks formally define security controls, risk assessment methods, and appropriate safeguards to protect information systems and data from cyberthreats. This article looks at the reasons for using a cybersecurity framework and shows how you can find best-practice cybersecurity processes and actions to apply to web application security.

Announcing the Netsparker Whitepaper: False Positives in Web Application Security – Facing the Challenge

Category: Web Security Readings - Last Updated: Thu, 23 Jan 2020 - by Netsparker Team

The fast pace of modern web application development requires automated tools for vulnerability scanning and management, and false positives in vulnerability scan results can have a serious impact on the performance of security teams. This whitepaper discusses the many problems that false positives can bring all across the organization and shows how Netsparker’s Proof-Based Scanning™ technology can help to restore confidence in automated vulnerability scanning, improve workflow automation and web application security, and achieve real business benefits.

January 2020 Update for Netsparker Enterprise

Category: Releases - Last Updated: Mon, 20 Jan 2020 - by Gokhan Demir

This blog post announces the January 2020 update for Netsparker Enterprise. Highlights include a new Kenna integration, OTP support for Form Authentication, filtering support for new notifications, integration support for GitHub, and new Max Uploaded File Size and About page settings.

How the BEAST Attack Works

Category: Web Security Readings - Last Updated: Fri, 17 Jan 2020 - by Zbigniew Banach

BEAST, or Browser Exploit Against SSL/TLS, was an attack that allowed a man-in-the-middle attacker to uncover information from an encrypted SSL/TLS 1.0 session by exploiting a known theoretical vulnerability. The threat prompted browser vendors and web server administrators to move to TLS v1.1 or higher and implement additional safeguards. Although no modern web browser remains vulnerable, the BEAST attack shows how a minor theoretical vulnerability can be combined with other weaknesses to craft a practical attack. This article looks at how the BEAST attack worked, why it was possible, and how it was eventually mitigated.

Netsparker Terminates Support for TLS 1.1

Category: Product Docs & FAQS - Last Updated: Fri, 17 Jan 2020 - by Netsparker Security Team

Netsparker will no longer support TLS 1.1 from 26 December 2019. This will affect all HTTPS traffic to Netsparker, including software updates, the licensing process for Netsparker, and vulnerability database updates. Netsparker requests that all users encountering issues update their settings or contact Netsparker Support.

System Hardening for Your Web Applications

Category: Web Security Readings - Last Updated: Tue, 14 Jan 2020 - by Zbigniew Banach

System hardening is the practice of securing a computer system by reducing its attack surface. This includes removing unnecessary services and unused software, closing open network ports, changing default settings, and so on. For web applications, the attack surface is also affected by the configuration of all underlying operating systems, databases, network devices, application servers, and web servers. This article examines approaches to system hardening and shows what security measures you can apply to keep your web applications safe.

BREACH Attack Security Check

Category: Releases - Last Updated: Wed, 08 Jan 2020 - by Allen Baird

Netsparker web application security scanners use a wide and ever-growing range of security checks to test for vulnerabilities in a scan. The Netsparker Standard 5.5 November 2019 Update introduced a new BREACH Attack security check that is enabled by default.

CWE/SANS Top 25 Software Errors for 2019

Category: Web Security Readings - Last Updated: Fri, 03 Jan 2020 - by Zbigniew Banach

In September 2019, a new CWE/SANS Top 25 Most Dangerous Software Errors list was published for the first time since 2011. Unlike previous lists, it was calculated by analyzing reported vulnerabilities to determine underlying weaknesses, so it is especially valuable for developers and software security professionals. This article looks at the top-rated software weaknesses and shows how they apply in practice to web application security.