Web Application Security Zone by Netsparker

What is a Man-in-the-Middle Attack and How To Avoid It?

Category: Web Security Readings - Last Updated: Thu, 11 Jul 2019 - by Netsparker Security Team

Man-in-the-Middle (MiTM) attacks are a way for hackers to steal information. This article explains how MiTM and sniffing attacks differ. It lists three areas where MiTM attacks occur – public networks, personal computers and home routers. It describes the stages and techniques of how MiTM attacks work. Finally, it provides tips on avoiding attacks.

The Problem of String Concatenation and Format String Vulnerabilities

Category: Web Security Readings - Last Updated: Thu, 27 Jun 2019 - by Sven Morgenroth

String concatenation and format string vulnerabilities are a problem in many programming languages. This blog post explains the basics of string concatenation and insecure string concatenation functions in C. It then examines format string vulnerabilities, how they appear in different web applications, and their relation to XSS vulnerabilities.

Announcing the Enterprise Web Security Best Practices Whitepaper

Category: Web Security Readings - Last Updated: Fri, 14 Jun 2019 - by Netsparker Security Team

This blog post announces the publication of a whitepaper by Netsparker on Enterprise Web Security Best Practices: How To Build a Successful Security Process. This whitepaper provides instructions on how to build and scale a successful security process. It includes a best practices workflow compiled by industry leaders from years of experience.

Ferruh Mavituna Talks About Discovering Websites on Business Security Weekly #129

Category: Web Security Readings - Last Updated: Tue, 11 Jun 2019 - by Allen Baird

Netsparker CEO Ferruh Mavituna is interviewed on Business Security Weekly about the importance of an asset discovery service. He discusses the need for a multi-layered approach, the place of discovery in the SDLC, the use of Netsparker as a pre-purchase software check, the importance of visibility and accountability, and the need for automation.

Frame Injection Attacks

Category: Web Security Readings - Last Updated: Thu, 30 May 2019 - by Ziyahan Albeniz

This blog post examines Frame Injection attacks. It briefly describes the history of the invention and development of frames, what Frame Injection attacks and hijacks mean in terms of security, and what you can do to prevent them. It also compares Frame Injection attacks with Cross-site Scripting, which is often a priority for bug bounty hunters.

SameSite Cookies by Default in Chrome 76 and Above

Category: Web Security Readings - Last Updated: Fri, 24 May 2019 - by Ziyahan Albeniz

The SameSite cookie attribute is used by browsers to control cookie requests and increase security. This article explains what the SameSite cookie attribute is and the different security levels to which it applies. It also describes upcoming changes to the SameSite attribute in Chrome and the new ‘Cookies without SameSite must be secure’ feature.

Content-Type and Status Code Leakage

Category: Web Security Readings - Last Updated: Tue, 14 May 2019 - by Ziyahan Albeniz

This blog post explores the issue of Content-Type and status code leakage. It examines the meaning of HTTP status codes and their effect when used with HTML attributes. The typemustmatch HTML attribute receives special attention. It also explains how to prevent data leaks, and emphasizes the importance of correct implementation.

WordPress XSS Vulnerability Can Result in Remote Code Execution (RCE)

Category: Web Security Readings - Last Updated: Tue, 09 Apr 2019 - by Ziyahan Albeniz

This article discusses vulnerabilities in older versions of WordPress due to its pingback and trackback features and a flawed sanitizing mechanism. It describes how attackers can use HTML tags to bypass sanitizing and insert an XSS payload using the WordPress flaw. Finally, it concludes with advice on how to fix the vulnerability in WordPress.

Announcing the Deobfuscating JavaScript White Paper

Category: Web Security Readings - Last Updated: Thu, 04 Apr 2019 - by Netsparker Security Team

This blog post announces the publication of a White Paper called Deobfuscating JavaScript Code: A Steam Phishing Website, which examines a real-world example of obfuscation in a phishing page that aimed to steal Steam Account credentials. It charts the different phases and techniques used in the deobfuscation process, as the code is cleaned.

Netsparker 5.3 – Scan Performance Upgrades

Category: Web Security Readings - Last Updated: Wed, 03 Apr 2019 - by Dogan Aydos

Netsparker 5.3 contains new scan performance upgrades that allocate computer resources better. Instead of users controlling concurrent activities, they are now controlled dynamically throughout the scan by Netsparker, based on the Requests Per Second. This will increase scan speed by allowing more activities simultaneously, without pauses or blocks.

Application Security is Vital Throughout SDLC

Category: Web Security Readings - Last Updated: Tue, 02 Apr 2019 - by Ziyahan Albeniz

Research shows that developers must be directed to write secure code and don’t have enough information about security, often copying and pasting code from the internet. This blog post examines weak ways to store user passwords, warning that strong algorithms may not be enough for security, and provides advice on how to store passwords securely.

Behind the Scenes of Onion Services

Category: Web Security Readings - Last Updated: Fri, 22 Mar 2019 - by Ziyahan Albeniz

Tor is an anonymity network that provides so-called onion services so that users can hide their locations. This article explains how to start a Tor service and change your domain name. It examines research on the security risks of regular onion domains, the user habits on Tor services, and possible fixes and updates for security concerns.

Transforming Self-XSS Into Exploitable XSS

Category: Web Security Readings - Last Updated: Thu, 14 Mar 2019 - by Ziyahan Albeniz

This blog post describes an attempt by a security researcher to exploit a Cross-site Scripting (XSS) vulnerability. It explains the importance of template strings – including multi-line strings and tagged templates – in XSS filtering, how to overcome the document.domain issue, and the discovery and exploitation of Self-XSS, with reading suggestions.