Missing X-Frame-Options header? You should be using CSP anyway

Fri, 07 Mar 2025

When clickjacking attacks using iframes first became possible, browser vendors reacted by adding X-Frame-Options as a dedicated security header for controlling page embedding permissions. Learn how setting the right Content Security Policy makes up for a missing X-Frame-Options header today.

SQL Injection Prevention Techniques for Ruby on Rails Web Applications

Wed, 14 Dec 2016

This article looks into several techniques which Ruby on Rails developers can use to develop web applications that are not vulnerable to the notorious SQL injection vulnerability.

Remote Code Evaluation (Execution) Vulnerability

Tue, 01 Nov 2016

This article explains what the Remote Code Evaluation (execution) vulnerability is and how attackers can exploit it. The article also explains of what you should do as a developer to prevent this vulnerability.

Paul’s Security Weekly #483 – Netsparker CEO Talks on CSRF, WAFs, Selenium and CSP

Mon, 10 Oct 2016

Ferruh Mavituna, Netsparker’s CEO and founder talks at length about web application security testing, the SQL Injection vulnerability and the security standard Content Security Policy (CSP) in the popular podcast Paul’s Security Weekly, episode number 483.

Exploiting a CSRF Vulnerability in MongoDB Rest API

Fri, 23 Sep 2016

This article explains how attackers can exploit a Cross-site Request Forgery (CSRF) vulnerability in the MongoDB REST API to extract data from the database of the vulnerable database management system.

CRLF injection, HTTP response splitting, and HTTP header injection vulnerabilities

Thu, 23 May 2019

What is a local file inclusion vulnerability?

Fri, 10 May 2019

What is the command injection vulnerability?

Thu, 04 Jul 2019

Yandex Browser Vulnerability Allows Attackers to Steal Victim’s Browsing Data

Tue, 09 Aug 2016

This post explains how a malicious hacker can exploit a CSRF vulnerability in the Yandex browser that would allow them to get hold of the victim’s confidential browsing data, including bookmarks, browsing history and also saved usernames and passwords.

Web Application Security and the SDLC Discussed on the Virtualization and Cloud Security Podcast

Mon, 22 May 2017

Ferruh Mavituna, Netsparker’s CEO talks about web application security automation and scalability with Edward Haletky in episode 17 of the Virtualizastion and Cloud Security Podcast.

Subresource Integrity (SRI) for Validating Web Resources Hosted on Third Party Services (CDNs)

Wed, 29 Jun 2016

This article explains what is Subresource Integrity (SRI), how it works and how it helps web application developers ensure a more secure web environment especially when hosting resources on third party servers and services such as Content Delivery Networks (CDNs).

Web Application Security Basics – Keeping All Your Software Up To Date