Web Application Security Zone by Netsparker

Sven Morgenroth Talks About PHP Type Juggling on Paul's Security Weekly Podcast

Category: Web Security Readings - Last Updated: Tue, 18 Sep 2018 - by Robert Abela

Watch episode #572 of Enterprise Security Weekly in which Sven Morgenroth, one of Netsparker's Security Researchers, talks about data types and type comparisons in PHP. Sven then demonstrates vulnerabilities that can arise due to loose PHP comparisons, including Authentication Bypasses, crypto-related flaws and Hashing Algorithm Disclosure.

Vulnerability Assessments and Penetration Tests – What's the Difference?

Category: Web Security Readings - Last Updated: Thu, 06 Sep 2018 - by Dawn Baird

This blog examines the difference between vulnerability assessments and penetration tests by defining both, and explaining the different results each produces. It also contains advice as to which approach your organization should adopt, and the scenarios that help determine this choice. There's guidance on which to use and how much it might cost.

Final Nail in the Coffin of HTTP: Chrome 68 and SSL/TLS Implementation

Category: Web Security Readings - Last Updated: Thu, 30 Aug 2018 - by Ziyahan Albeniz

In this blog post, our Security Researcher Ziyahan Albeniz examines the latest Chrome release, which makes secure web connections the new standard by checking the validity of secure TLS certificates. This article examines encryption keys, certificates and certificate authorities, HSTS, HPKP, SRI and CSP, and concludes with some code examples.

Leverage Browser Security Features to Secure Your Website

Category: Web Security Readings - Last Updated: Tue, 14 Aug 2018 - by Ziyahan Albeniz

On June 27, 2018 Ticketmaster UK announced a data breach incident. This time, one of JavaScript's unexpected limitations prevented a security incident, at least for Turkish users. This blog post discusses how leveraging browser security features, such as Subresource Integrity and Content Security Policy, could have secured their website.

What the Reddit Hack Teaches Us About Web Security

Category: Web Security Readings - Last Updated: Tue, 14 Aug 2018 - by Ziyahan Albeniz

Reddit announced that they had been the victim of an elaborate hack. The attackers accessed email digests of August 2018 and the entire 2007 database backup, which included old salted and hashed user passwords. They also compromised a few accounts of Reddit employees by intercepting the SMS used in 2FA.

Exploiting a Microsoft Edge Vulnerability to Steal Files

Category: Web Security Readings - Last Updated: Wed, 01 Aug 2018 - by Ziyahan Albeniz

This blog post documents our Security Researcher Ziyahan Albeniz's experiment in exploiting a Microsoft Edge browser vulnerability. He explains how a combination of SOP, the ability to email clickable links and a vulnerability in both the Windows Mail and Calendar applications actually enable the exploit. It includes his Proof of Exploit video.

Ferruh Explains Why Web Application Security Automation is a Must in Enterprises

Category: Web Security Readings - Last Updated: Wed, 25 Jul 2018 - by Dawn Baird

Watch episode #98 of Enterprise Security Weekly, in which Ferruh Mavituna, our CEO, talks about penetration testing versus dynamic scanning tools, such as Netsparker; the differences between Waterfall and Agile methodologies; addressing vulnerabilities early in the SDLC; static integration; accuracy and trust; bug bounties; and workflow management.

What is an osquery Injection and How Does it Work?

Category: Web Security Readings - Last Updated: Thu, 19 Jul 2018 - by Omer Citak

This blog post examines osquery, a framework that enables developers to write SQL-based queries that explore system data. It includes instructions for how to install osquery on the Ubuntu operating system. It also explores what osquery allows you to do and concludes with an examination of the osquery library and injection.

Server-Side Template Injection Introduction & Example

Category: Web Security Readings - Last Updated: Thu, 12 Jul 2018 - by Sven Morgenroth

This article introduces Server Side Templates and explains why and how they can be susceptible to Server-Side Template Injection vulnerabilities. It includes examples of HTML, PHP and CSS code and concludes with a list of recommendations on how to protect your web applications from attacks that exploit SSTI vulnerabilities.

How Private Data Can Be Stolen with a CSS Injection

Category: Web Security Readings - Last Updated: Wed, 25 Apr 2018 - by Netsparker Security Team

Can private data be stolen by employing a CSS Injection? Why are hackers so determined? This article explores Cyber and Information Security expert Mike Gualtieri's experiments with CSS Exfil and the use of CSS Attribute Selectors. It concludes with a few pointers on how to avoid this type of attack and the need for a Content Security Policy.

Netsparker Surveys US Based C-Levels on GDPR Compliance

Category: Web Security Readings - Last Updated: Thu, 12 Apr 2018 - by Robert Abela

GDPR, the new EU privacy regulation, applies to all businesses that handle the personal data (such as email addresses) of EU citizens. We surveyed over 300 US C-Level leaders to find out whether they were ready, how many new employees they needed, how much they were spending and the impact the regulation would have on data breaches.

Introducing the Same-origin Policy Whitepaper

Category: Web Security Readings - Last Updated: Fri, 06 Apr 2018 - by Dawn Baird

This blog post outlines the contents of our Same-origin Policy Whitepaper: The Definitive Guide to Same-origin Policy. It includes a discussion of SOP misconceptions and implementations. It is jointly authored by Alex Baker, an independent Security Researcher, together with Ziyahan Albeniz and Emre Iyidogan, two of Netsparker's Security Researchers.

Why You Should Never Pass Untrusted Data to Unserialize When Writing PHP Code

Category: Web Security Readings - Last Updated: Thu, 29 Mar 2018 - by Sven Morgenroth

Unserialize is a PHP function that, while often classified as a security risk, is seldom defined. This article explains the vulnerability and contains a PHP Classes Crash Course that includes properties and 'magic methods'. It uses examples to illustrate the basic concepts of Deserialization, PHP Object Injection and Class Autoloading in PHP.

Facebook & Cambridge Analytica Data Breach

Category: Web Security Readings - Last Updated: Tue, 27 Mar 2018 - by Dawn Baird

This blog post examines the Facebook and Cambridge Analytica Data Breach news, asks what might change at Facebook and discusses whether users or organisations are responsible. It also examines whether data portability or security is the priority and sets out some basic questions web application vendors need to ask of their data security policies.

Sven Morgenroth Explains & Demos Same-origin Policy and How to Circumvent it

Category: Web Security Readings - Last Updated: Thu, 22 Mar 2018 - by Robert Abela

Watch episode #550 of Enterprise Security Weekly in which Sven Morgenroth, our Security Researcher, talks about Same Origin Policy, its origin, how it works as a security measure, and various incorrect implementation issues and dangers. The show includes slides and a demo of four exploits that abuse mistakes developers make when circumventing SOP.

Ferruh Mavituna Talks About Web Security on Enterprise Security Weekly Podcast

Category: Web Security Readings - Last Updated: Thu, 15 Mar 2018 - by Robert Abela

Watch episode #81 of Enterprise Security Weekly in which Ferruh Mavituna, our CEO, talks about Netsparker's current focus, the role of web application vulnerabilities in data breaches, honesty in the web application security industry, dynamic and static analysis tools, enterprise requirements for scalability, IoT and his conference plans for April.