The risks of doing vulnerability testing and management for compliance only

How We Found & Exploited a Layer 7 DoS Attack on FogBugz

Wed, 07 Feb 2018

This article examines how the specific application behaviour we reported finding in Fogbugz early in July 2017 was manipulated to overload systems leading to a DoS situation. Testing for this vulnerability involved checking HTTP status codes, response size and timing.

Netsparker’s Weekly Security Roundup 2018 – Week 04

Fri, 02 Feb 2018

In this week’s edition of our security roundup: Thanks to Chrome’s new Site Isolation feature, the X-Content-Type-Options header is more important than ever.

Application Level Denial of Service – A Comprehensive Guide

Fri, 19 Jan 2018

Application level Denial of Service attacks are designed to render systems unresponsive, denying the services for users. They are notoriously difficult to detect & prevent and underestimated. This comprehensive guide explains how to identify and remove the conditions necessary for DoS attacks.

Netsparker’s Weekly Security Roundup 2018 – Week 02

Wed, 17 Jan 2018

In this week’s edition of our security roundup: directory listings can lead to account takeover, accessibility and security of US government websites and certification authority with AlwaysOnSSL.

Netsparker’s Weekly Security Roundup 2018 – Week 01

Thu, 11 Jan 2018

In this week’s edition of our security roundup: The Impact of Meltdown and Spectre On the Web and HTTP Verb Tampering and a phpMyAdmin Cross-Site Request Forgery.

Second-Order Remote File Inclusion (RFI) Vulnerability Introduction & Example

Thu, 11 Jan 2018

This article provides an introduction to the Second-Order Remote File Inclusion (RFI) vulnerability, with an example, and explains how Netsparker can detect it.

Netsparker’s Weekly Security Roundup 2017 – Week 52

Mon, 08 Jan 2018

In this week’s edition of our security roundup: HPKP and HSTS preload bypasses, a vBulletin LFI on Windows hosts and three creative sources of user input in order to exploit XSS vulnerabilities.

ROBOT Attack Revives a 19-Year Old Vulnerability

Fri, 05 Jan 2018

The ROBOT Attack revives a 19-year old Oracle vulnerability first discovered and reported by Daniel Bleichenbacher in 1998. It involves sending Client Key Exchange messages with wrong paddings while a TLS-RSA handshake is being negotiated. Vulnerable servers then enabled hackers to decrypt ciphertext or sign data.

Podcast on CSP – The Last Line of XSS Defense

Tue, 05 Dec 2017

Watch episode #536 of Paul’s Security Weekly in which Sven Morgenroth, our security researcher, explains and shows how you can use Content Security Policy (CSP) to protect your website from cross-site scripting vulnerabilities.

Grammarly Vulnerability Allows Attackers To See Sensitive Data of Their Customers

Wed, 22 Nov 2017

Our security researcher discusses the potential implications of the cross-site request forgery (CSRF) issue found in Grammarly and the importance of cross-site request forgery protection.

Exploiting SSTI and XSS in the CMS Made Simple Web Application

Fri, 10 Nov 2017

Our Security Researcher found a vulnerability in a parameter in a URL in the address bar of the browser. Read more about how he did it, and how he was able to exploit it to carry out a few harmless changes.

Live Demo: Exploiting Apache Struts Vulnerabilities

Mon, 09 Oct 2017

Our CEO, Ferruh Mavituna, and Security Researcher, Sven Morgenroth, talk about the Equifax hack on Hack Naked News, and give a live demo of how to detect and exploit OGNL Expression Injection vulnerabilities in Apache Struts.