Server-Side Template Injection Introduction & Example Thu, 12 Jul 2018 This article introduces Server Side Templates and explains why and how they can be susceptible to Server-Side Template Injection vulnerabilities. It includes examples of HTML, PHP and CSS code and concludes with a list of recommendations on how to protect your web applications from attacks that exploit SSTI vulnerabilities.
Type Juggling Authentication Bypass Vulnerability in CMS Made Simple Mon, 09 Jul 2018 Our researcher, Sven Morgenroth, explains how he found an Authentication Bypass in CMS Made Simple, what PHP Type Juggling is, and why you should never use the unserialize function together with user-supplied input.
Why You Should Never Pass Untrusted Data to Unserialize When Writing PHP Code Thu, 29 Mar 2018 Unserialize is a PHP function that, while often classified as a security risk, is seldom defined. This article explains the vulnerability and contains a PHP Classes Crash Course that includes properties and ‘magic methods’. It uses examples to illustrate the basic concepts of Deserialization, PHP Object Injection and Class Autoloading in PHP.
GDPR Article 32: Security of Data Processing Wed, 28 Feb 2018 This article provides a short introduction to Article 32 of the General Data Protection Regulation (GDPR), the latest EU regulation which deals with the security of Personal Data Processing. It also includes some practical suggestions for keeping organizations’ personal data secure.
Application Level Denial of Service – A Comprehensive Guide Fri, 19 Jan 2018 Application-level Denial of Service attacks are designed to render systems unresponsive, denying service to legitimate users. They are notoriously difficult to detect and prevent, and are often underestimated. This comprehensive guide explains how to identify and remove the conditions necessary for DoS attacks.
Second-Order Remote File Inclusion (RFI) Vulnerability Introduction & Example Thu, 11 Jan 2018 This article provides an introduction to the Second-Order Remote File Inclusion (RFI) vulnerability, with an example, and explains how Netsparker can detect it.
The Equifax Breach – The Signs Were There Thu, 21 Sep 2017 A detailed report on how Equifax was hacked, including quotes from David Hoyt, the security researcher who identified and reported vulnerabilities on the Equifax website months before the data breach happened.
Missed Black Hat or DEF CON? We’ve got you covered Thu, 24 Aug 2017 If you missed Black Hat and DEF CON this year, do not worry. Our security researcher Sven Morgenroth has just compiled a list of the best talks that took place during this year’s conferences in Las Vegas.