The DAST-first mindset: A CISO’s perspective

The level of accuracy and automation of modern DAST platforms allows security leaders to make an outside-in approach the foundation of risk-based application security. Welcome to CISO’s Corner, and le...

Meet the future of AppSec: DAST-first application security

Being DAST-first means starting application security with validated, real-world testing that prioritizes actual exploitable risks. Invicti’s DAST-first platform leads the way towards integrating all A...

Next.js middleware authorization bypass vulnerability: Are you vulnerable?

A critical vulnerability in the Next.js framework, officially disclosed on March 21, 2025, allows attackers to bypass middleware security controls through a simple header manipulation. This post summa...

Top 10 dynamic application security testing (DAST) tools for 2025

This guide explores the top 10 DAST tools for 2025, highlighting enterprise-grade solutions as well as open-source options. Learn how these tools help detect vulnerabilities, integrate with DevSecOps,...

Missing X-Frame-Options header? You should be using CSP anyway

When clickjacking attacks using iframes first became possible, browser vendors reacted by adding <code>X-Frame-Options</code> as a dedicated security header for controlling page embedding permissions....

First tokens: The Achilles’ heel of LLMs

The Assistant Prefill feature available in many LLMs can leave models vulnerable to safety alignment bypasses (aka jailbreaking). This article builds on prior research to investigate the practical asp...

Missing HTTP security headers: Avoidable risk, easy fix

Missing HTTP security headers can leave websites and applications exposed to a variety of attacks. If the browser fails to enforce security measures due to missing security headers, apps can be far mo...

DAST vs. penetration testing: Key similarities and differences

Automated vulnerability scanning with DAST tools and manual penetration testing are two distinct approaches to application security testing. Though the two are closely related and sometimes overlap, t...

What is vulnerability scanning and how do web vulnerability scanners work?

Vulnerability scanning is a fundamental cybersecurity practice for automating security testing. Especially in application security, it’s crucial to have a good vulnerability scanner that can automatic...

Ducks, dinosaurs, and XSS: A little knowledge is a dangerous thing in security

Security vulnerabilities are often misunderstood and underestimated. Based on superficial application security knowledge, you might say that cross-site scripting is people putting script tags in form...

What your vulnerability scanner won’t find: Limitations of automated testing

Wed, 30 Apr 2025

Even the best security scanners can’t always find everything—and there are many reasons why. Explore the types of vulnerabilities that might evade automated security testing, learn how to mitigate hidden risks, and see how a DAST-first approach minimizes your real-life exposure.

Vulnerable Web Applications on Developers, Computers Allow Hackers to Bypass Corporate Firewalls

Thu, 20 Jul 2017

A detailed explanation with examples of how malicious hackers can attack vulnerable web applications typically running on developers computers to bypass firewalls and hack other web applications on the local network.

Discussing Web Vulnerability Scanning in Continuous Integration on Enterprise Security Weekly

Fri, 14 Jul 2017

Netsparker CEO Ferruh Mavituna talks about the role and importance of automated web vulnerability scanning in continuous integration environments during episode 53 of Enterprise Security Weekly.

Collision Based Hashing Algorithm Disclosure

Wed, 10 Jan 2018

This detailed article explains how you can use the Collision Based Hashing Algorithm Disclosure method to check if the target web application uses the weak SHA-1 hashing algorithm to hash the users’ passwords.

The Advantage of Heuristic Over Signature Based Web Vulnerability Scanners

Thu, 29 Jun 2017

This article explains how both the heuristic and signature based web application security scanners work. It also explains the pros and cons of both types of scanners.

Infosecurity Europe 2017 Tech Talk: Scaling-Up & Automating Web Application Security

Tue, 20 Jun 2017

Watch our CEO’s tech talk about the challenges of automating and scaling-up web application security. Ferruh delivered this presentation at Infosecurity Europe 2017, one of Europe’s biggest IT security conferences.

XSS, CSRF & Other Vulnerabilities in CubeCart Web Application

Fri, 12 Jan 2018

This article explains in details the various vulnerabilities Netsparker’s security researchers identified in CubeCart, an open source ecommerce solution.

Demo: Exploiting a Blind XSS & Second Order SQL Injection

Thu, 11 May 2017

How you can disable directory listing on your web server—and why you should

Wed, 01 May 2024

Preventing Cross-site Scripting Vulnerabilities When Developing Ruby on Rails Web Applications

Wed, 19 Apr 2017

This article uses examples to explain how to develop secure web applications in Ruby on Rails that are not vulnerable to cross-site scripting vulnerabilities.

Course: Introduction to Web Application Penetration Testing

Mon, 22 May 2017

This detailed course explains the different stages of a thorough web application security and penetration test. Using both videos and slides, this course is ideal for anyone who would like to get started with web application security and using an automated web vulnerability scanner.

What is an open redirection vulnerability and how to prevent it

Fri, 19 Jul 2019

How I Hacked my Smart TV from My Bed via a Command Injection

Thu, 06 Apr 2017

This article explains how I was able to exploit a command injection vulnerability in my Smart TV and use Netcat to gain remote shell access on the TV set.