The DAST-first mindset: A CISO’s perspective

The level of accuracy and automation of modern DAST platforms allows security leaders to make an outside-in approach the foundation of risk-based application security. Welcome to CISO’s Corner, and le...

Meet the future of AppSec: DAST-first application security

Being DAST-first means starting application security with validated, real-world testing that prioritizes actual exploitable risks. Invicti’s DAST-first platform leads the way towards integrating all A...

Next.js middleware authorization bypass vulnerability: Are you vulnerable?

A critical vulnerability in the Next.js framework, officially disclosed on March 21, 2025, allows attackers to bypass middleware security controls through a simple header manipulation. This post summa...

Top 10 dynamic application security testing (DAST) tools for 2025

This guide explores the top 10 DAST tools for 2025, highlighting enterprise-grade solutions as well as open-source options. Learn how these tools help detect vulnerabilities, integrate with DevSecOps,...

Missing X-Frame-Options header? You should be using CSP anyway

When clickjacking attacks using iframes first became possible, browser vendors reacted by adding <code>X-Frame-Options</code> as a dedicated security header for controlling page embedding permissions....

First tokens: The Achilles’ heel of LLMs

The Assistant Prefill feature available in many LLMs can leave models vulnerable to safety alignment bypasses (aka jailbreaking). This article builds on prior research to investigate the practical asp...

Missing HTTP security headers: Avoidable risk, easy fix

Missing HTTP security headers can leave websites and applications exposed to a variety of attacks. If the browser fails to enforce security measures due to missing security headers, apps can be far mo...

DAST vs. penetration testing: Key similarities and differences

Automated vulnerability scanning with DAST tools and manual penetration testing are two distinct approaches to application security testing. Though the two are closely related and sometimes overlap, t...

What is vulnerability scanning and how do web vulnerability scanners work?

Vulnerability scanning is a fundamental cybersecurity practice for automating security testing. Especially in application security, it’s crucial to have a good vulnerability scanner that can automatic...

Ducks, dinosaurs, and XSS: A little knowledge is a dangerous thing in security

Security vulnerabilities are often misunderstood and underestimated. Based on superficial application security knowledge, you might say that cross-site scripting is people putting script tags in form...

What your vulnerability scanner won’t find: Limitations of automated testing

Wed, 30 Apr 2025

Even the best security scanners can’t always find everything—and there are many reasons why. Explore the types of vulnerabilities that might evade automated security testing, learn how to mitigate hidden risks, and see how a DAST-first approach minimizes your real-life exposure.

Vulnerability Assessments and Penetration Tests – What’s the Difference?

Thu, 06 Sep 2018

Final Nail in the Coffin of HTTP: Chrome 68 and SSL/TLS Implementation

Thu, 30 Aug 2018

PHP Type Juggling Exploit: Vulnerability, Payloads, and Fixes

Wed, 22 Aug 2018

Leverage Browser Security Features to Secure Your Website

Tue, 14 Aug 2018

What the Reddit Hack Teaches Us About Web Security

Tue, 14 Aug 2018

State of Security for Open Source Web Applications 2018

Thu, 09 Aug 2018

Exploiting a Microsoft Edge Vulnerability to Steal Files

Wed, 01 Aug 2018

This blog post documents our Security Researcher Ziyahan Albeniz’s experiment in exploiting a Microsoft Edge browser vulnerability. He explains how a combination of SOP, the ability to email clickable links and a vulnerability in both the Windows Mail and Calendar applications actually enable the exploit. It includes his Proof of Exploit video.

Ferruh Explains Why Web Application Security Automation is a Must in Enterprises

Wed, 25 Jul 2018

Watch episode #98 of Enterprise Security Weekly, in which Ferruh Mavituna, our CEO, talks about penetration testing versus dynamic scanning tools, such as Netsparker; the differences between Waterfall and Agile methodologies; addressing vulnerabilities early in the SDLC; static integration; accuracy and trust; bug bounties; and workflow management.

What is an osquery Injection and How Does it Work?

Thu, 19 Jul 2018

Server-Side Template Injection Introduction & Example

Thu, 12 Jul 2018

This article introduces Server Side Templates and explains why and how they can be susceptible to Server-Side Template Injection vulnerabilities. It includes examples of HTML, PHP and CSS code and concludes with a list of recommendations on how to protect your web applications from attacks that exploit SSTI vulnerabilities.

Type Juggling Authentication Bypass Vulnerability in CMS Made Simple

Mon, 09 Jul 2018

Our researcher, Sven Morgenroth, explains how he found an Authentication Bypass in CMS Made Simple, what PHP Type Juggling is, and why you should never use the unserialize function together with user-supplied input.

Ferruh Mavituna Talks About Security in the SDLC on Paul’s Security Weekly Podcast

Thu, 17 May 2018

Watch episode #557 of Enterprise Security Weekly in which Ferruh Mavituna, Netsparker’s Founder and CEO, talks about the vital role of dynamic web application testing within the Software Development Life Cycle, the benefits and challenges of an early security focus, and Netsparker’s automation and integration facilities.