The End of CoinHive and the Rise of Cryptojacking

Cryptojacking is the unauthorized use of a computer to mine cryptocurrency. This article traces the development of cryptojacking from ByteCoin and Monero, the currencies used by the CoinHive service. It examines how cryptojacking works, the latest research, and Content Security Policy solutions that restrict script loading and report cryptojacking scripts.

What Impact Does the Autocomplete Feature Have on Web Security?

The HTML autocomplete feature improves user experience but contains security risks. This blog post describes the technical elements of the autocomplete attribute, and provides examples of dangerous, improper usage. It concludes with research on the statistics of autocomplete failure in browser behaviour tests with some popular browsers.

Introducing the Security of Cookies Whitepaper

This blog post announces the publication of a Security of Cookies Whitepaper by Netsparker security researchers. The white paper discusses why cookies are used in applications, how they work, their attributes, and how to modify them. It analyzes the protection and security of session cookies, concluding with recommendations for extra measures.

Sound Hijacking – Abusing Missing XFO

This article examines a new attack on Google Docs called Sound Hijacking, which leads to the takeover of users’ audio input devices. We investigate how the attack works and conclude with an evaluation of the importance of the X-Frame-Options Header for the attack and information on which browsers support it.

PCI Scanning Announcement

From February 2019, Netsparker Enterprise will be able to conduct fully approved compliance scans to check the security of your public websites against Payment Card Industry (PCI) Security Standards Council requirements. If your websites pass, you will receive a compliance report. PCI scans are managed alongside regular Enterprise security scans.

Brave Browser Sacrifices Security

Brave is a browser that blocks ads and website tracking to improve user privacy and security. This blog post describes a controversial update to Brave that contained a whitelist of tracking URLs, causing online discussions, and a temporary but active solution. This blog examines some key terms and suggests how Brave could learn from Firefox.

Phishing by Open Graph Protocol

Open Graph Protocol (OGP) was introduced by Facebook to highlight shared links in social media platforms. Phishing attacks use OGP to deceive users into clicking links that redirect them to other websites. This blog post explains what the OGP looks like, discusses phishing attack research and finally lists some precautions to take against them.

Remote Hardware Takeover via Vulnerable Admin Software

This article focuses on new research into potential remote hardware takeover vulnerabilities in admin software. These vulnerabilities occur due to a lack of control mechanisms, which enables potential WebSocket Hijacking attacks. The article explains how these attacks work, how to prevent them, and the importance of a content security policy header.

Cross Site Cookie Manipulation

This article examines the security of PHP’s session cookies in a shared hosting environment, and explains why a cryptographically secure, random session ID is not enough to prevent attacks. It explains how PHP handles cookies and how the session management feature initializes in PHP. Finally, it provides an attack demo and advice for prevention.

January 2019 Update for Netsparker Enterprise

This blog post announces the new features in the latest Netsparker Enterprise release of January 2019. Highlights include: the addition of a new Application/Service Discovery feature; JIRA, FogBugz, GitLab, Azure and Jenkins Integration features; Support for Advanced Scheduling Scenarios; and further Security Checks.

Netsparker Announces New JIRA Issue Synchronization Feature

Netsparker announces a new feature for Netsparker Enterprise that, in addition to automatic issue creation, resolves and reactivates JIRA issues according to scan results. Netsparker Enterprise achieves this further issue synchronization through webhook support, which detects status changes in your JIRA issues.

Netsparker Announces New FogBugz Issue Synchronization Feature

Netsparker announces a new feature for Netsparker Enterprise that, in addition to automatic issue creation, resolves and reactivates FogBugz issues according to scan results. Netsparker Enterprise achieves this through webhook support, which detects status changes in your FogBugz issues.

CVSS: Characterizing and Scoring Vulnerabilities

Web application security not only requires the detection of vulnerabilities but also their severity ranking. The Common Vulnerability Scoring System is an independent system that categorizes and grades vulnerabilities. This article examines the details of how CVSS works, provides examples, and explains how Netsparker uses CVSS in reports.

New Vulnerability Families Feature

From December 2018, Netsparker will report similar vulnerabilities in groups rather than individually. This means that vulnerability reports will be shorter, simpler and more accurate. It also means that the task of fixing vulnerabilities will take less time and effort.

DNSFS: Is it Possible to Use DNS as a File System?

This blog post discusses the problems with DNS requests, whether they can be blocked using a firewall and how they compare with HTTP. It also examines a DNS-based file system proposed by Ben Cox designed to store files in the caches of DNS resolvers.

Why Framework Choice Matters in Web Application Security

Our CEO, Ferruh Mavituna, explains why the framework you choose for your web applications matters. Even if you build the most secure application, when your framework is vulnerable, your application is too. He debunks some myths regarding the similarity of popular frameworks, and provides good reasons to check whether yours is secure by default.

Netsparker Terminates Support for TLS 1.0

Netsparker will no longer support TLS 1.0 from 14 January 2019. This will affect all HTTPS traffic to Netsparker, including: software updates, the licensing process for Netsparker and vulnerability database updates. Netsparker requests that all users encountering issues should update their settings or contact Netsparker Support.

December 2018 Update for Netsparker Standard

This blog post announces the new features and improvements in the latest Netsparker Standard release of December 2018. Highlights include: a rewritten Sitemap and Issues panel, the new Vulnerability Families feature, added support for 64-bit smart card drivers and a Swagger 3.0 importer, and several additions to the Send To integrations.
