Web Application Security Zone by Netsparker

How the BEAST Attack Works

Category: Web Security Readings - Last Updated: Fri, 17 Jan 2020 - by Zbigniew Banach

BEAST, or Browser Exploit Against SSL/TLS, was an attack that allowed a man-in-the-middle attacker to uncover information from an encrypted SSL/TLS 1.0 session by exploiting a known theoretical vulnerability. The threat prompted browser vendors and web server administrators to move to TLS v1.1 or higher and implement additional safeguards. Although no modern web browser remains vulnerable, the BEAST attack shows how a minor theoretical vulnerability can be combined with other weaknesses to craft a practical attack. This article looks at how the BEAST attack worked, why it was possible, and how it was eventually mitigated.

System Hardening for Your Web Applications

Category: Web Security Readings - Last Updated: Tue, 14 Jan 2020 - by Zbigniew Banach

System hardening is the practice of securing a computer system by reducing its attack surface. This includes removing unnecessary services and unused software, closing open network ports, changing default settings, and so on. For web applications, the attack surface is also affected by the configuration of all underlying operating systems, databases, network devices, application servers, and web servers. This article examines approaches to system hardening and shows what security measures you can apply to keep your web applications safe.

CWE/SANS Top 25 Software Errors for 2019

Category: Web Security Readings - Last Updated: Fri, 03 Jan 2020 - by Zbigniew Banach

In September 2019, a new CWE/SANS Top 25 Most Dangerous Software Errors list was published for the first time since 2011. Unlike previous lists, it was calculated by analyzing reported vulnerabilities to determine underlying weaknesses, so it is especially valuable for developers and software security professionals. This article looks at the top-rated software weaknesses and shows how they apply in practice to web application security.

Season's Greetings

Category: Web Security Readings - Last Updated: Tue, 24 Dec 2019 - by Netsparker Team

The entire Netsparker team would like to wish you all the best in the upcoming holiday season. Whether you are celebrating Christmas, Hanukkah, Kwanzaa, Yule, Las Posadas, or simply taking the time off to rest, may you spend it with those who are closest to you.

How DNS Cache Poisoning Attacks Work

Category: Web Security Readings - Last Updated: Fri, 13 Dec 2019 - by Zbigniew Banach

DNS cache poisoning attacks try to fool applications into connecting to a malicious IP address by flooding a DNS resolver cache with fake addresses corresponding to requested domain names. If the attacker succeeds in filling the DNS cache with false data, the resolver might return a spoofed address instead of querying for the real one. As a result, the user might connect to a malicious site at the address returned from the cache. Let’s see why DNS spoofing is possible and how you can mitigate the threat.

Ferruh Mavituna Talks About Building a Realistic Web Security Program on Enterprise Security Weekly #164

Category: Web Security Readings - Last Updated: Tue, 10 Dec 2019 - by Allen Baird

Netsparker CEO Ferruh Mavituna is interviewed on Enterprise Security Weekly about how to start building a realistic web security program in enterprises. He discusses the shift-left approach by which security is built into the application at an earlier stage, and how to reach this stage in a safe, prioritized and persuasive way.

Understanding Reverse Shells

Category: Web Security Readings - Last Updated: Tue, 03 Dec 2019 - by Zbigniew Banach

A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the attacker’s host. Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack. Reverse shells can also work across a NAT or firewall. This article explains how reverse shells work in practice and what you can do to prevent them.

Top 10 Cybersecurity Trends to Look Out For in 2020

Category: Web Security Readings - Last Updated: Tue, 19 Nov 2019 - by Zbigniew Banach

2019 has seen cybersecurity issues firmly take their place in the news, both for the technology industry and the general public. While organizations are increasingly aware of the importance of cybersecurity, most are struggling to define and implement the required security measures. In this article, we take a look at 10 cybersecurity trends that are likely to shape the cybersecurity landscape in 2020, from data breaches and IT security staff shortages to security automation and integration.

Red Team Vs Blue Team Testing for Cybersecurity

Category: Web Security Readings - Last Updated: Thu, 14 Nov 2019 - by Zbigniew Banach

Red team versus blue team exercises simulate real-life cyberattacks against organizations to locate weaknesses and improve information security. In this wargaming approach, the red team are the attackers and they attempt to infiltrate an organization’s digital and physical defenses using any attack techniques available to real attackers. The blue team’s job is to detect penetration attempts and prevent exploitation. Red team vs blue team exercises can last several weeks and provide a realistic assessment of an organization’s security posture.

Why Static Code Analysis Is Not Enough to Secure Your Web Applications

Category: Web Security Readings - Last Updated: Thu, 07 Nov 2019 - by Zbigniew Banach

Static code analysis tools are used to automatically check source code for errors and security vulnerabilities, as well as ensure compliance with coding standards. While effective for some classes of vulnerabilities, they have a number of disadvantages and limitations, especially for web applications. Dynamic analysis solutions address many of these problems and can complement or replace static tools. This article looks at some of the shortcomings of static analysis and shows how deploying dynamic analysis tools can help you improve web application security.

XSS Filter Evasion

Category: Web Security Readings - Last Updated: Thu, 24 Oct 2019 - by Zbigniew Banach

XSS filter evasion refers to a variety of methods used by attackers to bypass Cross-Site Scripting filters. Attackers attempting to inject malicious JavaScript into web page code must not only exploit an application vulnerability, but also evade input validation and fool complex browser filters. This article looks at some common approaches to XSS filter evasion and shows what you can do to improve application security.

Successfully Integrating Security into the Software Development Life Cycle

Category: Web Security Readings - Last Updated: Wed, 16 Oct 2019 - by Allen Baird

It is vital that security measures, including web application security scanning, play an early role in the software development life cycle. This article summarizes a podcast discussion in which Netsparker CEO Ferruh Mavituna talks about the place of security testing in the SDLC and how companies can achieve this integration with maximum success.

What Is DevSecOps: How to Incorporate Security into DevOps

Category: Web Security Readings - Last Updated: Thu, 10 Oct 2019 - by Zbigniew Banach

DevSecOps, or Development, Security and Operations, is a software development methodology that integrates security checks and practices into DevOps processes. Implementing DevSecOps requires organizations to adopt a security-first mindset and use automated security validation in their DevOps pipeline. This article looks at the evolution of methodologies towards DevSecOps and shows what tools can be used to ensure security in agile web application development.

5 Ways a Cyberattack Can Hurt Your Organization

Category: Web Security Readings - Last Updated: Wed, 02 Oct 2019 - by Zbigniew Banach

Cyberattacks are an inevitable part of everyday business for organizations of all sizes worldwide. Despite growing awareness of the consequences of a successful attack, many organizations still downplay the associated risks. A cyberattack can have devastating and long-lasting consequences for the entire organization, and in this article, we will look at 5 crucial ways that a cyberattack can hurt your business.

What is Code Injection and How to Avoid It

Category: Web Security Readings - Last Updated: Fri, 27 Sep 2019 - by Zbigniew Banach

Code injection, also called Remote Code Execution (RCE), occurs when an attacker exploits an input validation flaw in software to introduce and execute malicious code. Code is injected in the language of the targeted application and executed by the server-side interpreter. Any application that directly uses unvalidated input is vulnerable to code injection, and web applications are a prime target for attackers. This article shows how code injection vulnerabilities arise and how you can protect your web applications from injection.

Why Websites Need HTTP Strict Transport Security (HSTS)

Category: Web Security Readings - Last Updated: Tue, 24 Sep 2019 - by Zbigniew Banach

HTTPS has become the protocol of choice for any serious website, but enforcing the use of HTTPS instead of HTTP requires the HTTP Strict Transport Security header, or HSTS. Using the HSTS header, the server informs the visiting browser that only the HTTPS version of the requested site is available, and plain HTTP will not be served. In this article, we will look at the history of HSTS, see how it works and how to set it up, and learn why using it can actually drive traffic to your website.

7 Crucial Components of Cyber Incident Recovery

Category: Web Security Readings - Last Updated: Tue, 17 Sep 2019 - by Zbigniew Banach

Organizations are consistently reporting increased numbers of cyber incidents, with data breaches and ransomware infections fast becoming a common occurrence. Solid security procedures and good planning can go a long way towards preventing many incidents, but when things go wrong, you have to be prepared for recovery. In this article, we will look at 7 key aspects of planning for cyber incident recovery to maintain business continuity and minimize costly downtime.

Goodbye XSS Auditor

Category: Web Security Readings - Last Updated: Wed, 04 Sep 2019 - by Sven Morgenroth

Chrome has retired the XSS Auditor because of problems with bypasses and security issues. This article describes how the Auditor began, how it worked, and how it was bypassed. It examines the XSS Auditor’s weaknesses and vulnerabilities: a protection that could be switched off, and the information leaks it caused. Finally, it suggests a secure alternative to the XSS Auditor.