Netsparker's Web Application Security Blog

September 2018 Update for Netsparker

Category: Releases - Last Updated: Tue, 25 Sep 2018 - by Robert Abela

This blog post announces the new features, improvements, security checks and bug fixes in the latest Netsparker Desktop release of September 2018. Highlights include a new bulk export to cloud feature, send to integration support for ServiceNow and custom field support for send to fields.

How to Integrate Netsparker Cloud with Slack

Category: Product Docs & FAQS - Last Updated: Tue, 25 Sep 2018 - by Duran Serkan Kilic

Slack is a team messaging system that facilitates communication in enterprise teams with a series of channels. This topic explains how to integrate Netsparker Cloud with Slack, manage integrations, configure a notification to report security issues to a Slack channel or Direct Message (DM) and view notifications while creating a scan.

Working with Custom Report Policies in Netsparker

Category: Product Docs & FAQS - Last Updated: Mon, 24 Sep 2018 - by Seyhan Bakir

This blog post describes and explains Custom Report Policies and how to create them. Two significant report customisations are possible: excluding a vulnerability from the web security Scan Report and changing the Severity Level of a vulnerability. Excluding a vulnerability means that the vulnerability is not reported in the scan results or report.

Sven Morgenroth Talks About PHP Type Juggling on Paul's Security Weekly Podcast

Category: Web Security Readings - Last Updated: Tue, 18 Sep 2018 - by Robert Abela

Watch episode #572 of Enterprise Security Weekly in which Sven Morgenroth, one of Netsparker's Security Researchers, talks about data types and type comparisons in PHP. Sven then demonstrates vulnerabilities that can arise due to loose PHP comparisons, including Authentication Bypasses, crypto-related flaws and Hashing Algorithm Disclosure.

Vulnerability Assessments and Penetration Tests – What's the Difference?

Category: Web Security Readings - Last Updated: Thu, 06 Sep 2018 - by Dawn Baird

This blog examines the difference between vulnerability assessments and penetration tests by defining both, and explaining the different results each produces. It also contains advice as to which approach your organization should adopt, and the scenarios that help determine this choice. There's guidance on which to use and how much it might cost.

Final Nail in the Coffin of HTTP: Chrome 68 and SSL/TLS Implementation

Category: Web Security Readings - Last Updated: Thu, 30 Aug 2018 - by Ziyahan Albeniz

In this blog post, our Security Researcher Ziyahan Albeniz examines the latest Chrome release, which makes secure web connections the new standard by checking the validity of secure TLS certificates. This article examines encryption keys, certificates and certificate authorities, HSTS, HPKP, SRI and CSP, and concludes with some code examples.

Exploiting a Microsoft Edge Vulnerability to Steal Files

Category: Web Security Readings - Last Updated: Wed, 01 Aug 2018 - by Ziyahan Albeniz

This blog post documents our Security Researcher Ziyahan Albeniz's experiment in exploiting a Microsoft Edge browser vulnerability. He explains how a combination of SOP, the ability to email clickable links and a vulnerability in both the Windows Mail and Calendar applications actually enables the exploit. It includes his Proof of Exploit video.

Ferruh Explains Why Web Application Security Automation is a Must in Enterprises

Category: Web Security Readings - Last Updated: Wed, 25 Jul 2018 - by Dawn Baird

Watch episode #98 of Enterprise Security Weekly, in which Ferruh Mavituna, our CEO, talks about penetration testing versus dynamic scanning tools, such as Netsparker; the differences between Waterfall and Agile methodologies; addressing vulnerabilities early in the SDLC; static integration; accuracy and trust; bug bounties; and workflow management.

What is an osquery Injection and How Does it Work?

Category: Web Security Readings - Last Updated: Thu, 19 Jul 2018 - by Omer Citak

This blog post examines osquery, a framework that enables developers to write SQL-based queries that explore system data. It includes instructions for how to install osquery on the Ubuntu operating system. It also explores what osquery allows you to do and concludes with an examination of the osquery library and injection.

Ferruh Mavituna Interviewed About Web App Security by Byron Acohido

Category: News - Last Updated: Thu, 28 Jun 2018 - by Robert Abela

Ferruh Mavituna is interviewed about the growing success of Netsparker, and how Netsparker has anticipated and adapted to some of the largest trends in the digital transformation. Netsparker's focus on web apps, cloud-based environments, and scanning at scale all contribute to its success, as well as its core focus on automation and accuracy.

Sumeru Solutions – Netsparker Case Study

Category: News - Last Updated: Thu, 21 Jun 2018 - by Robert Abela

Sumeru Solutions is a software development company that makes banking and information security solutions, and mobile apps. They selected Netsparker to automate and speed up their web scanning processes because of its rapid configurability, ease of use, reliability, lack of false positives, and ability to handle a larger range and scale of products.