Checking For Vulnerabilities in Path Fragments

Note: This article refers to an older version of Acunetix. Click here to download the latest version. Nowadays, more and more people are using URL rewrite techniques to increase their “friendliness” to both users and search engines. With URL rewrites, a URL like http://www.site.com/cms/product.php?action=buy&id=1 is typically rewritten to something like: http://www.site.com/buy/1. Prior to Acunetix Web […]

Read More →

There’s More to Web Security than Meets the Eye

When we talk about Web security, we typically think about the common OWASP-type elements: SQL injection, cross-site scripting, passwords, encryption and the like. That’s fine but those areas can’t be our only focus. There’s so much more to managing information risks that’s often overlooked. Ask any information security manager or compliance officer and they’ll likely […]

Read More →

To Validate or Not, Is That the Question?

Recently, a project manager I work with asked me if I had manually validated a set of security flaws I uncovered during a web security assessment. The flaws in question were related to the server host and not the actual Web application. I actually had not manually validated every single finding in that regard. I […]

Read More →

Securing FTP Running on Your Web Server

I’ve had several questions from clients recently on how they can to secure FTP running on their web servers. The easy and short-sighted response would be “Are you nuts? You need to run FTP on a dedicated server!” However, looking at it from a business perspective considering things like money, politics, business process and third-party […]

Read More →

Good Web Security Tools and Why They Matter

Like chemists, carpenters and doctors, those of us working in IT need good tools if we’re expected to do a good job. When dealing with application security, good security testing tools will always set the professionals apart from the amateurs. In fact, the quality of your tools for performing a site security audit will have […]

Read More →

Why You Need Intruder Lockout

It’s a very predictable web security flaw — in fact, it’s something I find in the majority of my web security assessments: the lack of intruder lockout on login pages. I know, with all the SQL injection and cross-site scripting present on the web, the lack of intruder lockout on web login pages seems a […]

Read More →

Don’t Forget Your Marketing Website Security

I recently read about a marketing agency that experienced a security breach and subsequent defacement of its customers’ websites. Apparently their developers had misconfigured the web server and unknowingly gave the whole world access to change any and all content at will. What interested me the most was the fact that out of the hundreds […]

Read More →