HTTP security headers: An easy way to harden your web applications

Modern browsers and web servers support many HTTP headers that can greatly improve web application security to protect against clickjacking, cross-site scripting, and other common types of attacks. This post provides an overview of best-practice HTTP security headers that you should be setting in your websites and applications and shows how to use DAST to make sure you’re doing it right.

How to choose the right web security scanner to reduce false negatives

What are false negatives and why can automated web application security scanners fail to detect a vulnerability? This post explains what false negatives are and what to look for when searching for an automated web vulnerability scanner to ensure that it detects all vulnerabilities without leaving security gaps for malicious attackers to exploit.

Web Application Security Misconception; Are All Vulnerabilities Equally Dangerous?

In this web application security blog post, Robert Abela talks about a common misconception in the web security industry; are all vulnerabilities equally dangerous? Abela explains and answers this common misconception using an example with two of the most popular web application vulnerabilities typically listed in OWASP Top 10; Cross-site scripting (XSS) and SQL Injection.

Businesses Need Automated Web Application Security Scanners to Detect Web Vulnerabilities

This web application security articles highlights the reasons why businesses should use automated web application security scanners such as Netsparker to identify all vulnerabilities in their web applications. Automated web application security scanners can identify vulnerabilities from the OWASP Top 10 and much more, which are typically exploited by malicious hackers.

Are Hackers a Step Ahead? An Analysis using Web Application Vulnerabilities

In this analysis the Netsparker team used Netsparker Web Application Security Scanner to scan a number of popular open source web applications and identify vulnerabilities in them. The results are very shocking and explain why malicious hackers are always a step ahead of website owners. A vulnerability statistics infographic was also generated from the results.

How Netsparker solves the challenge of false positives in web vulnerability scans

This web application security blog post explains why false positives are still among the biggest problems of today’s web application vulnerability scanners. You will also learn what the Netsparker team has done to ensure that Netsparker’s web application security solution does not burden users with false positives in web application security scan results.

JavaScript Scope and IntenseDebate’s Privacy Problems

In this web application security article, Ferruh Mavituna, explains a security issue he identified in IntenseDebate online service that could allow attackers to access information about the logged-in session of the victim. Ferruh also suggests a number of remedies for this problem which every web application developer should know of.

SVN Digger – Better Wordlists for Forced Browsing with Netsparker Web Application Security Scanner

In this blog post we explain how we built a database of keywords which will be used in Netsparker Web Application Security Scanner when doing forced browsing security checks to try and identify hidden resources in web applications during a security scan.

XSS to Root in Apache Jira Incident

In this blog post we explain how malicious hackers hacked into the Apache Foundation web servers and gained root access. They started by exploiting a cross-site scripting vulnerability in a web application called Jira. We scanned Jira with Netsparker and detected all of the vulnerabilities the malicious hackers exploited and more. This incident should serve as an example to all corporations to use Netsparker Web Application Security Scanner to identify and close down web application vulnerabilities.

WebRaider

WebRaider is a proof of concept tool to get reverse shell from an SQL Injection with one request, without using any extra channels such as TFTP or FTP to upload the initial payload.