The DAST-first mindset: A CISO’s perspective

The level of accuracy and automation of modern DAST platforms allows security leaders to make an outside-in approach the foundation of risk-based application security. Welcome to CISO’s Corner, and le...

Meet the future of AppSec: DAST-first application security

Being DAST-first means starting application security with validated, real-world testing that prioritizes actual exploitable risks. Invicti’s DAST-first platform leads the way towards integrating all A...

Next.js middleware authorization bypass vulnerability: Are you vulnerable?

A critical vulnerability in the Next.js framework, officially disclosed on March 21, 2025, allows attackers to bypass middleware security controls through a simple header manipulation. This post summa...

Top 10 dynamic application security testing (DAST) tools for 2025

This guide explores the top 10 DAST tools for 2025, highlighting enterprise-grade solutions as well as open-source options. Learn how these tools help detect vulnerabilities, integrate with DevSecOps,...

Missing X-Frame-Options header? You should be using CSP anyway

When clickjacking attacks using iframes first became possible, browser vendors reacted by adding <code>X-Frame-Options</code> as a dedicated security header for controlling page embedding permissions....

First tokens: The Achilles’ heel of LLMs

The Assistant Prefill feature available in many LLMs can leave models vulnerable to safety alignment bypasses (aka jailbreaking). This article builds on prior research to investigate the practical asp...

Missing HTTP security headers: Avoidable risk, easy fix

Missing HTTP security headers can leave websites and applications exposed to a variety of attacks. If the browser fails to enforce security measures due to missing security headers, apps can be far mo...

DAST vs. penetration testing: Key similarities and differences

Automated vulnerability scanning with DAST tools and manual penetration testing are two distinct approaches to application security testing. Though the two are closely related and sometimes overlap, t...

What is vulnerability scanning and how do web vulnerability scanners work?

Vulnerability scanning is a fundamental cybersecurity practice for automating security testing. Especially in application security, it’s crucial to have a good vulnerability scanner that can automatic...

Ducks, dinosaurs, and XSS: A little knowledge is a dangerous thing in security

Security vulnerabilities are often misunderstood and underestimated. Based on superficial application security knowledge, you might say that cross-site scripting is people putting script tags in form...

What your vulnerability scanner won’t find: Limitations of automated testing

Wed, 30 Apr 2025

Even the best security scanners can’t always find everything—and there are many reasons why. Explore the types of vulnerabilities that might evade automated security testing, learn how to mitigate hidden risks, and see how a DAST-first approach minimizes your real-life exposure.

Why Web Vulnerability Testing Needs to be Automated

Mon, 22 May 2017

There are several pitfalls in web application security and one of them is sticking to manual audits only. This blog posts highlights the benefits of automating the process of finding vulnerabilities and other security issues in modern web applications. It also looks into the common pitfalls encountered by web security specialists when trying to identify all web application vulnerabilities manually.

OWASP Top 10 2017 web application vulnerabilities

Mon, 18 Dec 2017

In this article, we look into all the vulnerabilities listed in the OWASP Top 10 list of most critical web application weaknesses for 2017.

An XSS Vulnerability is Worth up to $10,000 According to Google

Thu, 13 Jun 2013

Google are willing to pay up to $10,000 to anyone who discovers a cross-site scripting vulnerability in one of their web applications. Why are Google doing so? Definitely not by coincidence. By exploiting a cross-site scripting vulnerability a malicious hacker can easily gain administrative access on a web application, gain control over it and where possible infiltrate deeper into the corporate network. Read this blog post for more information about the impact an exploited XSS can have on your business.

The Dangerous Complexity of Web Application Security

Mon, 22 May 2017

Modern web applications are becoming so complex that it is virtually impossible to check every possible attack vector and ensure it is not vulnerable without using an automated tool, such as Netsparker Web Application Security Scanner. The same applies for the modern trend of web application vulnerabilities, some of them can only be reproduced using automated means. Hence why the more complex a web application is, the bigger the need to use an automated web vulnerability scanner to identify vulnerabilities before malicious hackers do.

How to choose the right web security scanner to reduce false negatives

Mon, 22 May 2017

What are false negatives and why can automated web application security scanners fail to detect a vulnerability? This post explains what false negatives are and what to look for when searching for an automated web vulnerability scanner to ensure that it detects all vulnerabilities without leaving security gaps for malicious attackers to exploit.

Web Application Security Misconception; Are All Vulnerabilities Equally Dangerous?

Mon, 22 May 2017

In this web application security blog post, Robert Abela talks about a common misconception in the web security industry; are all vulnerabilities equally dangerous? Abela explains and answers this common misconception using an example with two of the most popular web application vulnerabilities typically listed in OWASP Top 10; Cross-site scripting (XSS) and SQL Injection.

Businesses Need Automated Web Application Security Scanners to Detect Web Vulnerabilities

Mon, 22 May 2017

This web application security articles highlights the reasons why businesses should use automated web application security scanners such as Netsparker to identify all vulnerabilities in their web applications. Automated web application security scanners can identify vulnerabilities from the OWASP Top 10 and much more, which are typically exploited by malicious hackers.

Are Hackers a Step Ahead? An Analysis using Web Application Vulnerabilities

Wed, 13 Sep 2017

In this analysis the Netsparker team used Netsparker Web Application Security Scanner to scan a number of popular open source web applications and identify vulnerabilities in them. The results are very shocking and explain why malicious hackers are always a step ahead of website owners. A vulnerability statistics infographic was also generated from the results.

How Netsparker solves the challenge of false positives in web vulnerability scans

Mon, 22 May 2017

This web application security blog post explains why false positives are still among the biggest problems of today’s web application vulnerability scanners. You will also learn what the Netsparker team has done to ensure that Netsparker’s web application security solution does not burden users with false positives in web application security scan results.

JavaScript Scope and IntenseDebate’s Privacy Problems

Tue, 26 Apr 2011

In this web application security article, Ferruh Mavituna, explains a security issue he identified in IntenseDebate online service that could allow attackers to access information about the logged-in session of the victim. Ferruh also suggests a number of remedies for this problem which every web application developer should know of.

SVN Digger – Better Wordlists for Forced Browsing with Netsparker Web Application Security Scanner

Mon, 11 Apr 2011

In this blog post we explain how we built a database of keywords which will be used in Netsparker Web Application Security Scanner when doing forced browsing security checks to try and identify hidden resources in web applications during a security scan.

XSS to Root in Apache Jira Incident

Mon, 22 May 2017

In this blog post we explain how malicious hackers hacked into the Apache Foundation web servers and gained root access. They started by exploiting a cross-site scripting vulnerability in a web application called Jira. We scanned Jira with Netsparker and detected all of the vulnerabilities the malicious hackers exploited and more. This incident should serve as an example to all corporations to use Netsparker Web Application Security Scanner to identify and close down web application vulnerabilities.