Web Application Security Zone by Netsparker

How the POODLE Attack Spelled the End of SSL 3.0

Category: Web Security Readings - Last Updated: Fri, 03 Jul 2020 - by Zbigniew Banach

The POODLE attack exploits protocol fallback from TLS to SSL 3.0 to reveal information from encrypted HTTPS communication. Discovered in 2014, this network attack demonstrated that SSL 3.0 should never be used again, not even as a legacy fallback. This article provides a high-level overview of the POODLE vulnerability and the fate of SSL 3.0.

How to Ensure REST API Security

Category: Web Security Readings - Last Updated: Fri, 19 Jun 2020 - by Zbigniew Banach

Web application programming interfaces (APIs) provide the back end for modern web and mobile applications and account for over 80% of all web traffic. REST APIs are the most common type of web API for web services, so let’s see what you can do to ensure REST API security.

Bridging the Cybersecurity Skills Gap

Category: Web Security Readings - Last Updated: Fri, 12 Jun 2020 - by Zbigniew Banach

The global cybersecurity skills shortage is no secret. Analysts estimate that by 2021, over 4 million cybersecurity jobs will be unfilled. With cybercrime continually on the rise and information security high on the agenda of organizations, the demand for cybersecurity professionals keeps growing. The cybersecurity skills gap is real and it’s here to stay – so what can you do?

What Are Format String Vulnerabilities?

Category: Web Security Readings - Last Updated: Thu, 07 May 2020 - by Zbigniew Banach

Format strings are used in many programming languages to insert values into a text string. In some cases, this mechanism can be abused to perform buffer overflow attacks, extract information or execute arbitrary code. Let’s take a closer look at format string vulnerabilities and see why they exist.

How to Measure Time to Value in Web Application Security

Category: Web Security Readings - Last Updated: Fri, 17 Apr 2020 - by Zbigniew Banach

When you deploy a web application security process, you need a way to track improvements and determine if your approach is bringing value to the organization. This post summarizes the key points from Enterprise Security Weekly #178, where Netsparker founder and CEO Ferruh Mavituna talked to Paul Asadoorian and Matt Alderman about measuring time to value and other aspects of web application security.

XML External Entity (XXE) Attacks and How to Avoid Them

Category: Web Security Readings - Last Updated: Fri, 03 Apr 2020 - by Zbigniew Banach

XXE injection attacks exploit support for XML external entities and are used against web applications that process XML inputs. Attackers can supply XML files with specially crafted DOCTYPE definitions to perform attacks including denial of service, server-side request forgery (SSRF), or even remote code execution. Let’s see how XXE injection attacks work, why they are possible, and what you can do to prevent them.

Cybersecurity During the COVID-19 Pandemic

Category: Web Security Readings - Last Updated: Mon, 30 Mar 2020 - by Zbigniew Banach

The coronavirus outbreak has sent the world into chaos, and cybercriminals were quick to exploit this opportunity. Malware, scams, and phishing attacks related to the COVID-19 crisis are all on the rise, as are cyberattacks on healthcare providers. Here is our view of the current cybersecurity situation and our advice on staying secure during this exceptional time.

Using Content Security Policy (CSP) to Secure Web Applications

Category: Web Security Readings - Last Updated: Fri, 27 Mar 2020 - by Zbigniew Banach

Content Security Policy (CSP) is a computer security standard that provides an added layer of protection against Cross-Site Scripting (XSS), clickjacking, and other client-side attacks that rely on executing malicious content in the context of a trusted web page. This article shows how to use CSP headers to protect websites against XSS attacks and other attempts to bypass same-origin policy.