The DAST-first mindset: A CISO’s perspective

The level of accuracy and automation of modern DAST platforms allows security leaders to make an outside-in approach the foundation of risk-based application security. Welcome to CISO’s Corner, and le...

Meet the future of AppSec: DAST-first application security

Being DAST-first means starting application security with validated, real-world testing that prioritizes actual exploitable risks. Invicti’s DAST-first platform leads the way towards integrating all A...

Next.js middleware authorization bypass vulnerability: Are you vulnerable?

A critical vulnerability in the Next.js framework, officially disclosed on March 21, 2025, allows attackers to bypass middleware security controls through a simple header manipulation. This post summa...

Top 10 dynamic application security testing (DAST) tools for 2025

This guide explores the top 10 DAST tools for 2025, highlighting enterprise-grade solutions as well as open-source options. Learn how these tools help detect vulnerabilities, integrate with DevSecOps,...

Missing X-Frame-Options header? You should be using CSP anyway

When clickjacking attacks using iframes first became possible, browser vendors reacted by adding <code>X-Frame-Options</code> as a dedicated security header for controlling page embedding permissions....

First tokens: The Achilles’ heel of LLMs

The Assistant Prefill feature available in many LLMs can leave models vulnerable to safety alignment bypasses (aka jailbreaking). This article builds on prior research to investigate the practical asp...

Missing HTTP security headers: Avoidable risk, easy fix

Missing HTTP security headers can leave websites and applications exposed to a variety of attacks. If the browser fails to enforce security measures due to missing security headers, apps can be far mo...

DAST vs. penetration testing: Key similarities and differences

Automated vulnerability scanning with DAST tools and manual penetration testing are two distinct approaches to application security testing. Though the two are closely related and sometimes overlap, t...

What is vulnerability scanning and how do web vulnerability scanners work?

Vulnerability scanning is a fundamental cybersecurity practice for automating security testing. Especially in application security, it’s crucial to have a good vulnerability scanner that can automatic...

Ducks, dinosaurs, and XSS: A little knowledge is a dangerous thing in security

Security vulnerabilities are often misunderstood and underestimated. Based on superficial application security knowledge, you might say that cross-site scripting is people putting script tags in form...

What your vulnerability scanner won’t find: Limitations of automated testing

Wed, 30 Apr 2025

Even the best security scanners can’t always find everything—and there are many reasons why. Explore the types of vulnerabilities that might evade automated security testing, learn how to mitigate hidden risks, and see how a DAST-first approach minimizes your real-life exposure.

Ferruh Talks About Netsparker Hawk on Paul’s Security Weekly #506

Tue, 23 May 2017

In episode #506 of Paul’s Security Weekly, our founder and CEO Ferruh Mavituna explains how Netsparker Hawk detects out-of-band vulnerabilities in web applications.

Information Disclosure Vulnerability, Attacks, and Example

Wed, 19 Jun 2019

What is remote file inclusion?

Thu, 04 Jul 2019

What is SQL Injection?

Thu, 12 Oct 2017

What is SQL injection? The SQL injection vulnerability allows malicious hackers to inject arbitrary code in SQL queries, thus being able to directly retrieve and alter data stored in a website’s database.

Missing Function Level Access Control Vulnerabilities in Maian Support Helpdesk Allow Complete Take Over of the System

Wed, 22 Feb 2017

This article looks into the details of how malicious hackers can exploit a number of missing function level access control vulnerabilities to take over an installation of Maian Support Helpdesk, a web application developed in php.

Steam Gaming & Entertainment Platform Vulnerable to Cross-site Scripting Vulnerability

Thu, 09 Feb 2017

This article looks into the technical details of the cross-site scripting vulnerability (XSS) that the Steam entertainment platform was vulnerable to. It also explains how the attackers could exploit this vulnerability.

Keeping your Web applications in check with HIPAA compliance

Mon, 22 May 2017

HIPAA compliance is more than simply checking boxes and meeting the minimum audit requirements. You should ensure your web applications are secure and use the compliance act as a guideline.

Identifying WordPress Websites On Local Networks (behind Firewalls) and Bruteforcing the Login Pages

Mon, 22 May 2017

This article explains how attackers can use the XSHM attack to identify WordPress websites running on internal networks and behind firewalls, and also launch a login bruteforce attack against them.

SQL Injection Prevention Techniques for Ruby on Rails Web Applications

Wed, 14 Dec 2016

This article looks into several techniques which Ruby on Rails developers can use to develop web applications that are not vulnerable to the notorious SQL injection vulnerability.

Remote Code Evaluation (Execution) Vulnerability

Tue, 01 Nov 2016

This article explains what the Remote Code Evaluation (execution) vulnerability is and how attackers can exploit it. The article also explains of what you should do as a developer to prevent this vulnerability.

Paul’s Security Weekly #483 – Netsparker CEO Talks on CSRF, WAFs, Selenium and CSP

Mon, 10 Oct 2016

Ferruh Mavituna, Netsparker’s CEO and founder talks at length about web application security testing, the SQL Injection vulnerability and the security standard Content Security Policy (CSP) in the popular podcast Paul’s Security Weekly, episode number 483.

Exploiting a CSRF Vulnerability in MongoDB Rest API

Fri, 23 Sep 2016

This article explains how attackers can exploit a Cross-site Request Forgery (CSRF) vulnerability in the MongoDB REST API to extract data from the database of the vulnerable database management system.