One of the worst feelings I’ve ever experienced was when I received an email from one of my customers telling me that my website had been hacked. It got worse, as I couldn’t see any changes in my content, the design or the source code! The problem was that my users were seeing my website […]
A lot of developers are using version control systems such as SVN (Apache Subversion) and GIT in order to track changes in their source code. These types of server tools are essential for the organizations which have multi-developer projects. Most of these version control systems create internal hidden directories, which typically contain extensive information about […]
Note: This article refers to an older version of Acunetix. Click here to download the latest version. When you visit a website your browser sends an HTTP header called “User-Agent” to the web server. This header indicates which web browser you are using, its version number and details about your operating system and version.
Note: This article refers to an older version of Acunetix. Click here to download the latest version. Nowadays, more and more people are using URL rewrite techniques to increase their “friendliness” to both users and search engines. With URL rewrites, a URL like http://www.site.com/cms/product.php?action=buy&id=1 is typically rewritten to something like: http://www.site.com/buy/1. Prior to Acunetix Web […]
As I’ve written about scoping your Web security tests in the past, it’s not something to be taken lightly. Interestingly, there’s one aspect of Web security testing where I’m still seeing a big disconnect. The issue is how many critical Web systems are being dismissed (“That one’s going away soon.” and overlooked (“Oh, yeah, I […]
When we talk about Web security, we typically think about the common OWASP-type elements: SQL injection, cross-site scripting, passwords, encryption and the like. That’s fine but those areas can’t be our only focus. There’s so much more to managing information risks that’s often overlooked. Ask any information security manager or compliance officer and they’ll likely […]
Recently, a project manager I work with asked me if I had manually validated a set of security flaws I uncovered during a web security assessment. The flaws in question were related to the server host and not the actual Web application. I actually had not manually validated every single finding in that regard. I […]
I recently participated in a webinar aimed at helping physical security professionals, corporate security managers and others responsible for both physical and logical security. This is an area of security that doesn’t get near the attention it deserves – especially when it comes to the Web security component.
I’ve had several questions from clients recently on how they can to secure FTP running on their web servers. The easy and short-sighted response would be “Are you nuts? You need to run FTP on a dedicated server!” However, looking at it from a business perspective considering things like money, politics, business process and third-party […]