The DAST-first mindset: A CISO’s perspective

The level of accuracy and automation of modern DAST platforms allows security leaders to make an outside-in approach the foundation of risk-based application security. Welcome to CISO’s Corner, and le...

Meet the future of AppSec: DAST-first application security

Being DAST-first means starting application security with validated, real-world testing that prioritizes actual exploitable risks. Invicti’s DAST-first platform leads the way towards integrating all A...

Next.js middleware authorization bypass vulnerability: Are you vulnerable?

A critical vulnerability in the Next.js framework, officially disclosed on March 21, 2025, allows attackers to bypass middleware security controls through a simple header manipulation. This post summa...

Top 10 dynamic application security testing (DAST) tools for 2025

This guide explores the top 10 DAST tools for 2025, highlighting enterprise-grade solutions as well as open-source options. Learn how these tools help detect vulnerabilities, integrate with DevSecOps,...

Missing X-Frame-Options header? You should be using CSP anyway

When clickjacking attacks using iframes first became possible, browser vendors reacted by adding <code>X-Frame-Options</code> as a dedicated security header for controlling page embedding permissions....

First tokens: The Achilles’ heel of LLMs

The Assistant Prefill feature available in many LLMs can leave models vulnerable to safety alignment bypasses (aka jailbreaking). This article builds on prior research to investigate the practical asp...

Missing HTTP security headers: Avoidable risk, easy fix

Missing HTTP security headers can leave websites and applications exposed to a variety of attacks. If the browser fails to enforce security measures due to missing security headers, apps can be far mo...

DAST vs. penetration testing: Key similarities and differences

Automated vulnerability scanning with DAST tools and manual penetration testing are two distinct approaches to application security testing. Though the two are closely related and sometimes overlap, t...

What is vulnerability scanning and how do web vulnerability scanners work?

Vulnerability scanning is a fundamental cybersecurity practice for automating security testing. Especially in application security, it’s crucial to have a good vulnerability scanner that can automatic...

Ducks, dinosaurs, and XSS: A little knowledge is a dangerous thing in security

Security vulnerabilities are often misunderstood and underestimated. Based on superficial application security knowledge, you might say that cross-site scripting is people putting script tags in form...

How to scan for MongoDB injection vulnerabilities – and how to fix them

Thu, 15 Dec 2022

NoSQL injection attacks against MongoDB databases are a major threat to full-stack JavaScript applications. Invicti security engineer Özgür Dinç shows how to find MongoDB injection vulnerabilities with Invicti’s vulnerability scanner – and how to fix them.

How to Do a Controlled Web Security Scan with Netsparker Desktop

Tue, 23 May 2017

This FAQ explains how you can use the Controlled Scan feature in Netsparker Dekstop web application security scanner to scan a specific parameter or page on a target web application once it has been crawled.

Using Selenium and Netsparker for Manual Crawling of Web Applications

Tue, 23 May 2017

This FAQ explains how you can do a manual crawl of websites with Netsparker web application security scanner from Selenium recordings, which many use to test web applications’ functionality.

Troubleshooting Inconsistent Web Security Scan Results

Tue, 23 May 2017

Read this document to understand what can be the cause of inconsistent scan results and how to troubleshoot the issue and identify what could possibly causing such a problem.

Manual Crawling with Netsparker Desktop in Proxy Mode

Tue, 23 May 2017

This FAQ explains how to manually crawl a website with a web browser and then scan it for vulnerabilities with Netsparker Desktop web application security scanner.

How Can I Ensure That The Web Vulnerability Scanner Scanned All My Website?

Thu, 21 Jul 2016

This FAQ looks into a few different methods which you can use to ensure that the coverage of the web application security scanner was good and scanned all of your websites and web applications.

Using the HTTP Request Builder to Build & Send Individual HTTP Requests

Tue, 23 May 2017

The HTTP Request Builder is a penetration testing tool that you can use to build your own HTTP requests and do manual analysis of vulnerabilities and the target’s HTTP responses. It is typically used in advanced penetration tests.

Netsparker Enterprise Built-In Reports and Reporting Tool

Tue, 23 May 2017

This post gives an overview of the built-in reports which are available in Netsparker Enterprise and also the Reporting Tool, which allows you to generate statistics reports about vulnerabilities and websites.

Finding Vulnerabilities in RESTful Web Services Automatically with a Web Security Scanner

Tue, 23 May 2017

This article explains how you can use Netsparker web application security scanner to automatically scan and find vulnerabilities in RESTful web services.

Tailoring the Web Security Scan Reports to Match Your Organization’s Security Policies

Tue, 23 May 2017

This article explains how you can use the Report Policy Editor in Netsparker Desktop to customize the scanner’s scan results and reports so they match your organization’s security policies.

What Changed in the New PCI DSS 3.2?

Wed, 01 Jun 2016

PCI DSS 3.1 is soon being superseded by the new PCI DSS 3.2. This article gives an overview of what is new and what has changed in the new version of the popular regulatory compliance requirements.

Scanning multiple websites with Netsparker Desktop using the Command Line Interface

Tue, 23 May 2017

This document explains in an easy to follow step-by-step format how to scan multiple websites for security flaws using the command line interface of Netsparker Desktop web application security scanner.

Netsparker Desktop Command Line Interface and Arguments

Fri, 25 Aug 2017

An FAQ about the command line interface of Netsparker Desktop. The FAQ also explains all the different arguments that can be used and gives some examples as well.