Netsparker's Web Application Security Blog

What is Code Injection and How to Avoid It

Category: Web Security Readings - Last Updated: Fri, 27 Sep 2019 - by Zbigniew Banach

Code injection, also called Remote Code Execution (RCE), occurs when an attacker exploits an input validation flaw in software to introduce and execute malicious code. Code is injected in the language of the targeted application and executed by the server-side interpreter. Any application that directly uses unvalidated input is vulnerable to code injection, and web applications are a prime target for attackers. This article shows how code injection vulnerabilities arise and how you can protect your web applications from injection.

Why Websites Need HTTP Strict Transport Security (HSTS)

Category: Web Security Readings - Last Updated: Tue, 24 Sep 2019 - by Zbigniew Banach

HTTPS has become the protocol of choice for any serious website, but enforcing the use of HTTPS instead of HTTP requires the HTTP Strict Transport Security header, or HSTS. Using the HSTS header, the server informs the visiting browser that only the HTTPS version of the requested site is available, and plain HTTP will not be served. In this article, we will look at the history of HSTS, see how it works and how to set it up, and learn why using it can actually drive traffic to your website.

September 2019 Update for Netsparker Enterprise

Category: Releases - Last Updated: Thu, 19 Sep 2019 - by Netsparker Security Team

This blog post announces the September 2019 update for Netsparker Enterprise. Highlights are support for internal agents and bulk operations, and new issue tracking integrations and API endpoints. Other new features are support for data exporting, a technical contact change option, scan conversion options, and new malware technology.

7 Crucial Components of Cyber Incident Recovery

Category: Web Security Readings - Last Updated: Tue, 17 Sep 2019 - by Zbigniew Banach

Organizations are consistently reporting increased numbers of cyber incidents, with data breaches and ransomware infections fast becoming a common occurrence. Solid security procedures and good planning can go a long way towards preventing many incidents, but when things go wrong, you have to be prepared for recovery. In this article, we will look at 7 key aspects of planning for cyber incident recovery to maintain business continuity and minimize costly downtime.

Goodbye XSS Auditor

Category: Web Security Readings - Last Updated: Wed, 04 Sep 2019 - by Sven Morgenroth

Chrome has retired the XSS Auditor because of problems with bypasses and security issues. This article describes how the Auditor began, how it worked, and how it was bypassed. It examines the XSS Auditor's weaknesses and vulnerabilities: protection that could be deactivated and the information leaks it caused. Finally, it suggests a secure alternative to the XSS Auditor.

Scaling-Up and Automating Web Application Security

Category: Web Security Readings - Last Updated: Tue, 03 Sep 2019 - by Allen Baird

This blog post summarizes a security talk given by Netsparker CEO Ferruh Mavituna about scaling-up and automating web application security. Ferruh discusses the stages of vulnerability detection, website and vulnerability categories, the benefits and limits of automation, pre- and post-scan challenges to automation, and the elimination of false positives.

A Cyber Incident Response Plan for Your Web Applications

Category: Web Security Readings - Last Updated: Wed, 28 Aug 2019 - by Zbigniew Banach

With so many businesses dependent on web and cloud technologies, sooner or later every organization may need to handle a web cyber security incident. Having a cyber security incident response plan (IR plan) is crucial for maintaining business continuity and recording information to manage any incident and its aftermath. This article looks at how you can plan your web security incident responses, what threats you need to consider, and why having an effective and tested response plan is a necessity for modern organizations.

Clickjacking Attacks: What They Are and How to Prevent Them

Category: Web Security Readings - Last Updated: Thu, 15 Aug 2019 - by Zbigniew Banach

Clickjacking attacks attempt to trick the user into unintentionally clicking an unexpected web page element. Most clickjacking methods exploit vulnerabilities related to HTML iframes, so prevention centers on stopping the page from being framed. In this blog post, we will see how clickjacking works, how it can be prevented, and why this threat to application security is not going away any time soon.

How Buffer Overflow Attacks Work

Category: Web Security Readings - Last Updated: Thu, 08 Aug 2019 - by Netsparker Team

A buffer overflow occurs when a program tries to write more data into a buffer than it can hold. This can cause the program to crash or to execute arbitrary code. Buffer overflow vulnerabilities exist only in low-level programming languages such as C with direct access to memory. However, they also affect the users of high-level web languages because the frameworks and interpreters those languages rely on are often written in low-level languages.

What Is Privilege Escalation and Why Is It Important?

Category: Web Security Readings - Last Updated: Fri, 02 Aug 2019 - by Zbigniew Banach

This article explains what privilege escalation is, what its types are (horizontal and vertical), and how privilege escalation can endanger your systems. It also examines typical privilege escalation scenarios and shows how you can protect user accounts in your systems and applications to maintain a good security posture.

Man-in-the-Middle Attacks and How To Avoid Them

Category: Web Security Readings - Last Updated: Thu, 11 Jul 2019 - by Netsparker Security Team

Man-in-the-Middle (MiTM) attacks are a way for hackers to steal information. This article explains how MiTM and sniffing attacks differ. It lists three areas where MiTM attacks occur: public networks, personal computers and home routers. It describes the stages and techniques of MiTM attacks. Finally, it provides tips on avoiding such attacks.

Ferruh Mavituna is Interviewed About Netsparker by Enis Hulli, Host of Glocal

Category: News - Last Updated: Thu, 27 Jun 2019 - by Allen Baird

Enis Hulli from Glocal interviews Netsparker CEO Ferruh Mavituna on what inspired him to start Netsparker, and the key points in Netsparker's development from startup to market leader. Ferruh outlines Netsparker's target market, biggest competitors, current traction and future prospects. They also examine the current security needs of tech companies.

The Problem of String Concatenation and Format String Vulnerabilities

Category: Web Security Readings - Last Updated: Thu, 27 Jun 2019 - by Sven Morgenroth

String concatenation and format string vulnerabilities are a problem in many programming languages. This blog post explains the basics of string concatenation and insecure string concatenation functions in C. It then examines format string vulnerabilities, how they appear in different web applications, and their relation to XSS vulnerabilities.