Web Application Security Zone by Netsparker

How Private Data Can Be Stolen with a CSS Injection

Category: Web Security Readings - Last Updated: Wed, 25 Apr 2018 - by Netsparker Security Team

Can private data be stolen by employing a CSS Injection? Why are hackers so determined? This article explores Cyber and Information Security expert Mike Gualtieri's experiments with CSS Exfil and the use of CSS Attribute Selectors. It concludes with a few pointers on how to avoid this type of attack and the need for a Content Security Policy.

Netsparker Surveys US Based C-Levels on GDPR Compliance

Category: Web Security Readings - Last Updated: Thu, 12 Apr 2018 - by Robert Abela

GDPR, the new EU privacy regulation, applies to all businesses that handle the personal data (such as email addresses) of EU citizens. We surveyed over 300 US C-Level leaders to find out whether they were ready, how many new employees they needed, how much they were spending and the impact the regulation would have on data breaches.

Introducing the Same-origin Policy Whitepaper

Category: Web Security Readings - Last Updated: Fri, 06 Apr 2018 - by Dawn Baird

This blog post outlines the contents of our Same-origin Policy Whitepaper: The Definitive Guide to Same-origin Policy. It includes a discussion of SOP misconceptions and implementations. It was written jointly by Alex Baker, an independent Security Researcher, and Ziyahan Albeniz and Emre Iyidogan, two of Netsparker's Security Researchers.

Why You Should Never Pass Untrusted Data to Unserialize When Writing PHP Code

Category: Web Security Readings - Last Updated: Thu, 29 Mar 2018 - by Sven Morgenroth

Unserialize is a PHP function that, while often classified as a security risk, is seldom explained. This article explains the vulnerability and contains a PHP Classes Crash Course that covers properties and 'magic methods'. It uses examples to illustrate the basic concepts of Deserialization, PHP Object Injection and Class Autoloading in PHP.

Facebook & Cambridge Analytica Data Breach

Category: Web Security Readings - Last Updated: Tue, 27 Mar 2018 - by Dawn Baird

This blog post examines the Facebook and Cambridge Analytica Data Breach news, asks what might change at Facebook and discusses whether users or organisations are responsible. It also examines whether data portability or security is the priority and sets out some basic questions web application vendors need to ask of their data security policies.

Sven Morgenroth Explains & Demos Same-origin Policy and How to Circumvent it

Category: Web Security Readings - Last Updated: Thu, 22 Mar 2018 - by Robert Abela

Watch episode #550 of Enterprise Security Weekly in which Sven Morgenroth, our Security Researcher, talks about the Same-origin Policy, its origin, how it works as a security measure, and the dangers of various incorrect implementations. The show includes slides and a demo of four exploits that abuse mistakes developers make when circumventing SOP.

Ferruh Mavituna Talks About Web Security on Enterprise Security Weekly Podcast

Category: Web Security Readings - Last Updated: Thu, 15 Mar 2018 - by Robert Abela

Watch episode #81 of Enterprise Security Weekly in which Ferruh Mavituna, our CEO, talks about Netsparker's current focus, the role of web application vulnerabilities in data breaches, honesty in the web application security industry, dynamic and static analysis tools, enterprise requirements for scalability, IoT and his conference plans for April.

GDPR Article 32: Security of Data Processing

Category: Web Security Readings - Last Updated: Wed, 28 Feb 2018 - by Sven Morgenroth

This article provides a short introduction to Article 32 of the General Data Protection Regulation (GDPR), the latest EU regulation, which deals with the security of Personal Data Processing. It also includes some practical suggestions for keeping the personal data that organizations hold secure.

ROBOT Attack Revives a 19-Year-Old Vulnerability

Category: Web Security Readings - Last Updated: Fri, 05 Jan 2018 - by Hakan Arici

The ROBOT Attack revives a 19-year-old RSA padding oracle vulnerability first discovered and reported by Daniel Bleichenbacher in 1998. It involves sending Client Key Exchange messages with incorrect padding while a TLS-RSA handshake is being negotiated. Vulnerable servers allow attackers to decrypt ciphertext or sign data with the server's private key.