XSS filter evasion: Why filtering doesn’t stop cross-site scripting
Netsparker
by Zbigniew Banach
5d ago
XSS filter evasion covers many hundreds of methods that attackers can use to bypass cross-site scripting (XSS) filters. A successful attack requires both an XSS vulnerability and a way to inject malicious JavaScript into web page code executed by the client to exploit that vulnerability. The idea of XSS filtering is to prevent attacks by finding and blocking (or stripping away) any code that looks like an XSS attempt. The problem is there are countless ways of bypassing such filters, so filtering alone can never fully prevent XSS. Before going into just a few of the thousands of known filter e ..read more
Polyfill supply-chain attack: What to do when your CDN goes evil
Netsparker
by Zbigniew Banach
2w ago
What you need to know: On June 25, 2024, the cdn.polyfill.io domain started injecting malware into the popular polyfill.js library, estimated to be used by over 100,000 sites. On June 26, Cloudflare started automatically rewriting requests to cdn.polyfill.io and serving up their safe mirrored copy of the library. As of June 27, Invicti products include dedicated security checks to flag any use of polyfill.io in applications. The polyfill.io domain has been taken down (though it may still be cached) and there is no immediate risk of compromise, but all sites and applications that loade ..read more
How to prevent XSS attacks
Netsparker
by Zbigniew Banach
3w ago
JavaScript has come a long way since being only lightly sprinkled on static HTML web pages to make them more dynamic. It is now a crucial building block of modern web applications, making cross-site scripting (XSS) a commonplace security vulnerability—and also making XSS attacks that much more impactful if they succeed. No longer restricted to providing some additional client-side functionality via a handful of scripts, JavaScript code can now run across the entire application stack, up to and including the server side with Node.js. Add to that the plethora of external dependencies loaded at r ..read more
What the OWASP Top 10 for LLM applications tells us about generative AI security
Netsparker
by Zbigniew Banach
1M ago
The Open Web Application Security Project (OWASP) has compiled the Top 10 for LLM applications as another list-style awareness document to provide a systematic overview of the application security risks, this time in the rapidly growing realm of generative AI. While everyone is aware of some of the risks related to large language models (LLMs), few have a full picture of where AI security fits into cybersecurity overall. It’s common to see people either underestimating the risk (typically in the rush to deploy a new AI-enabled feature) or vastly overestimating it and dismissing anything that m ..read more
Making sense of AppSec vs. DevSecOps
Netsparker
by Zbigniew Banach
1M ago
You may have seen, especially on social media, many “expert” opinions on cybersecurity that freely mix and match seemingly unrelated terms. In the field of application security specifically, you will see people asking about things like the difference between AppSec and DevSecOps—a really strange thing to ask until you realize that in some contexts, people can (and do) use the two interchangeably. The recent wave of AI-generated content only adds to the confusion and noise. So, at the risk of stating the obvious in places, let’s clear up the similarities, differences, and overlaps between AppSe ..read more
How bad is a missing Content-Type header?
Netsparker
by Sven Morgenroth
1M ago
If it walks like a duck and quacks like a duck, it’s still not a duck unless it has an application/duck Content-Type header.
Web design was a lot simpler 20 years ago. You had an invisible table over the whole height and width of the page, a few GIF images, and optionally some HTML. There were very few options to make your page stand out, apart from flashy images and choosing a full-page red background color (and the trusty old <blink> tag). And yet, some crafty designers were able to use what they had at hand, invented some clever hacks to bend the clunky old browser features to their wi ..read more
Why Predictive Risk Scoring is the smart way to do AI in application security
Netsparker
by Zbigniew Banach
2M ago
Invicti recently launched its Predictive Risk Scoring feature, which as a genuine industry first can generate accurate security risk predictions before vulnerability scanning even begins. To recap briefly, Predictive Risk Scoring uses a custom-built machine learning model that is trained on real-world vulnerability data (but not customer data), operated internally by Invicti, and can closely estimate the likely risk level of a site to aid prioritization. Following up on our initial post introducing this new capability and its potential to bring a truly risk-driven approach to application ..read more
Testing Cron JOBs
Netsparker
by Emre Yılmaz
2M ago
The post Testing Cron JOBs appeared first on Invicti ..read more
What is DevSecOps and how is it evolving?
Netsparker
by Zbigniew Banach
2M ago
DevSecOps is a software development approach that aims to integrate security practices into DevOps processes. Implementing DevSecOps efficiently requires organizations to make security an integral part of software quality by using automated security tools in their CI/CD pipeline. Crucially, the DevSecOps approach to software development offers a way to embed application security into the entire development and operations process. With the right security tools built into the DevOps pipeline, you can make security an integral part of the software delivery processes and address security risks as ..read more
AppSec prioritization goes proactive with AI-backed Predictive Risk Scoring
Netsparker
by Patrick Vandenberg
3M ago
Imagine you have to check for danger on the other side of an impassable mountain you cannot walk around. What would you do? A low-tech solution would be to tunnel through and have a look. Swing by swing with a pickaxe to break the stone, and then shovel by shovel to haul the broken rock away. You hope you will get there in the end, but it’s quite literally a mountain of a task. Even though you’re making progress, it’s a seemingly endless, taxing effort. Now, imagine you’re digging away, and someone comes to you with a high-tech solution: a camera drone. Boom—the task has been enormously simpli ..read more