Server-Side Template Injection Introduction & Example This article introduces Server-Side Templates and explains why and how they can be susceptible to Server-Side Template Injection (SSTI) vulnerabilities. It includes examples of HTML, PHP and CSS code and concludes with a list of recommendations on how to protect your web applications from attacks that exploit SSTI vulnerabilities.
Type Juggling Authentication Bypass Vulnerability in CMS Made Simple Our researcher, Sven Morgenroth, explains how he found an Authentication Bypass in CMS Made Simple, what PHP Type Juggling is, and why you should never use the unserialize function together with user-supplied input.
Why You Should Never Pass Untrusted Data to Unserialize When Writing PHP Code Unserialize is a PHP function that, while often classified as a security risk, is seldom explained in detail. This article explains the vulnerability and contains a PHP Classes Crash Course that covers properties and ‘magic methods’. It uses examples to illustrate the basic concepts of Deserialization, PHP Object Injection and Class Autoloading in PHP.
GDPR Article 32: Security of Data Processing This article provides a short introduction to Article 32 of the General Data Protection Regulation (GDPR), the latest EU regulation which deals with the security of Personal Data Processing. It also includes some practical suggestions for keeping organizations’ personal data secure.
Application Level Denial of Service – A Comprehensive Guide Application level Denial of Service attacks are designed to render systems unresponsive, denying service to users. They are notoriously difficult to detect and prevent, and are frequently underestimated. This comprehensive guide explains how to identify and remove the conditions necessary for DoS attacks.
Second-Order Remote File Inclusion (RFI) Vulnerability Introduction & Example This article provides an introduction to the Second-Order Remote File Inclusion (RFI) vulnerability, with an example, and explains how Netsparker can detect it.
The Equifax Breach – The Signs Were There A detailed report on how Equifax was hacked, including quotes from David Hoyt, the security researcher who identified and reported vulnerabilities on the Equifax website months before the data breach happened.
Missed Black Hat or DEF CON? We’ve got you covered If you missed Black Hat and DEF CON this year, do not worry. Our security researcher Sven Morgenroth has just compiled a list of the best talks that took place during this year’s conferences in Las Vegas.
Vulnerable Web Applications on Developers’ Computers Allow Hackers to Bypass Corporate Firewalls A detailed explanation, with examples, of how malicious hackers can attack vulnerable web applications typically running on developers’ computers to bypass firewalls and hack other web applications on the local network.