Netsparker's Web Application Security Blog

Netsparker Announces New JIRA Issue Synchronization Feature

Category: News - Last Updated: Wed, 23 Jan 2019 - by Gokhan Demir

Netsparker announces a new feature for Netsparker Enterprise that, in addition to automatic issue creation, resolves and reactivates JIRA issues according to scan results. Netsparker Enterprise achieves this additional issue synchronization through webhook support, which detects status changes in your JIRA issues.

Netsparker Announces New FogBugz Issue Synchronization Feature

Category: News - Last Updated: Wed, 23 Jan 2019 - by Gokhan Demir

Netsparker announces a new feature for Netsparker Enterprise that, in addition to automatic issue creation, resolves and reactivates FogBugz issues according to scan results. Netsparker Enterprise achieves this through webhook support, which detects status changes in your FogBugz issues.

New Vulnerability Families Feature

Category: News - Last Updated: Tue, 22 Jan 2019 - by Huseyin Tufekcilerli

From December 2018, Netsparker will report similar vulnerabilities in groups rather than individually. This means that vulnerability reports will be shorter, simpler and more accurate. It also means that the task of fixing vulnerabilities will take less time and effort.

Why Framework Choice Matters in Web Application Security

Category: Web Security Readings - Last Updated: Thu, 10 Jan 2019 - by Ferruh Mavituna

Our CEO, Ferruh Mavituna, explains why the framework you choose for your web applications matters. Even if you build the most secure application, when your framework is vulnerable, your application is too. He debunks some myths regarding the similarity of popular frameworks, and provides good reasons to check whether yours is secure by default.

Netsparker Terminates Support for TLS 1.0

Category: Product Docs & FAQs - Last Updated: Thu, 10 Jan 2019 - by Netsparker Security Team

Netsparker will no longer support TLS 1.0 from 14 January 2019. This will affect all HTTPS traffic to Netsparker, including software updates, the licensing process for Netsparker and vulnerability database updates. Netsparker asks that all users encountering issues update their settings or contact Netsparker Support.

December 2018 Update for Netsparker Standard

Category: Releases - Last Updated: Thu, 10 Jan 2019 - by Netsparker Security Team

This blog post announces the new features and improvements in the latest Netsparker Standard release of December 2018. Highlights include: a rewritten sitemap and issues panel, a new Vulnerability Families feature, added support for 64-bit smart card drivers and a Swagger 3.0 importer, and several additions to the Send To integrations.

Clickjacking Attack on Facebook: How a Tiny Attribute Can Save the Corporation

Category: Web Security Readings - Last Updated: Fri, 04 Jan 2019 - by Ziyahan Albeniz

This article explains the origins of the Clickjacking Attack and how it works. It then examines how a researcher discovered a Clickjacking bug on Facebook and how Facebook responded to the Clickjacking attack. Finally, the article provides advice on how to prevent Clickjacking Attacks by using the X-Frame-Options HTTP security header.

Sven Morgenroth Talks About PHP Object Injection Vulnerabilities on Paul's Security Weekly Podcast

Category: Web Security Readings - Last Updated: Thu, 20 Dec 2018 - by Allen Baird

In episode #584 of Paul's Security Weekly, Sven Morgenroth, a Netsparker security researcher, discusses PHP Object Injection vulnerabilities and explains the dangers of PHP's unserialize function. Sven provides background on PHP Objects, demos how to write an exploit for a PHP Object Injection vulnerability, and explains how to prevent them.

End of Support for PHP 5 and PHP 7.0

Category: Web Security Readings - Last Updated: Tue, 18 Dec 2018 - by Allen Baird

At the end of 2018, PHP will stop security updates and support for some of its previous versions. This will expose hundreds of millions of websites to serious risk: hacked sites, stolen user details and massive fines. You need to update, and use systems that allow you to deploy only new versions of PHP by default.

Netsparker Announces New Application & Websites Discovery Service

Category: News - Last Updated: Tue, 11 Dec 2018 - by Dawn Baird

Netsparker announces a new feature for Netsparker Enterprise that acts as an application and service discovery tool. Netsparker Radar – Application & Service Discovery Service enables you to locate your enterprise's online collateral, websites and services, which you can then add to Netsparker to scan, helping you reduce threats and increase security.

Netsparker and GitLab Integration

Category: News - Last Updated: Tue, 11 Dec 2018 - by Robert Abela

Netsparker announces a new integration capability between Netsparker Enterprise and GitLab. GitLab is a web-based Git repository manager that provides CI/CD pipeline features, enabling you to add CI configuration to your source control using just one file, and gain access to our advanced integration functionality.

Tabnabbing Protection Bypass

Category: Web Security Readings - Last Updated: Thu, 06 Dec 2018 - by Ziyahan Albeniz

This blog post includes a discussion of URLs, their structure, how they can contain sensitive information and why it's so difficult to parse them without introducing vulnerabilities. We include an example of how a parsing error led to a Window Opener Protection Bypass.

Bypass of Disabled System Functions

Category: Web Security Readings - Last Updated: Tue, 04 Dec 2018 - by Netsparker Security Team

In this article, our Security Researchers examine the explicit code of the disabled system functions bypass, including the parameters of the imap_open function, the IMAP server types and SSH connection, and the -oProxyCommand in the exploit. They conclude with some methods to protect yourself against this bypass method.