Acunetix Web Application Vulnerability Report 2019

Acunetix compiles an annual web application vulnerability report. The purpose of this report is to provide security experts and interested parties with an analysis of vulnerability data gathered over the previous year. The 2019 report contains the results and analysis of vulnerabilities detected by the automated web and network perimeter scans run on the […]


A Fresh Look On Reverse Proxy Related Attacks

In recent years, several pieces of research have been published on attacks directly or indirectly related to reverse proxies. While implementing various reverse-proxy checks in the scanner, I started analyzing implementations of reverse proxies. Initially, I wanted to analyze how reverse proxies and web servers each parse requests, find inconsistencies between the two, and […]


How to Stop Old, Backup and Unreferenced Files from Leaking Sensitive Information

The very real threat of information disclosure by means of inadvertent exposure of sensitive files has been a constant source of woe for corporations and individuals alike. Despite having the potential for serious repercussions including legal ones, many webmasters, administrators and developers have struggled to contain this common issue for years. This article explores various […]


How to Verify a Cross-site Scripting Vulnerability

Analyzing web application vulnerabilities discovered by an automated scanner such as Acunetix often requires us to investigate further. This is in order to: verify that the vulnerability exists in the context of the application, and adjust the payload reported by the scanner to something more invasive (e.g. a keylogger) in order to make the severity of the […]


Why Scoping Cookies to Parent Domains is a Bad Idea

When dealing with Web Application vulnerability assessments, it is very common to come across scenarios where for various reasons (business or otherwise) users decide to focus entirely on Medium or High severity vulnerabilities such as SQL Injection and XML External Entity Injection. As a result, developers and security professionals tend to ignore what are normally […]
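The post's title is about the Domain attribute on cookies. As an added example (not code from the Acunetix post), the block below implements the RFC 6265 domain-match rule and uses it to show which hosts a browser would send a cookie to when it is scoped to a parent domain versus set as a host-only cookie. All host names and the Set-Cookie headers are constructed for illustration.

```javascript
// Added example, not from the Acunetix post. Hosts and headers are constructed.

// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain when
// the two are equal, or when the host ends with "." + domain and is not an IP.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // IPv4 literal never matches
  return host.endsWith('.' + domain);
}

// Pull the cookie name and the Domain attribute out of a Set-Cookie header.
// A cookie without a Domain attribute is "host-only" (RFC 6265 section 5.3).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], domain: null, hostOnly: true };
  for (const attr of attrs) {
    const [key, value] = attr.split('=');
    if (key.toLowerCase() === 'domain' && value) {
      cookie.domain = value.toLowerCase().replace(/^\./, '');
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Return the subset of `hosts` that would receive the cookie on a request,
// given the host that set it.
function hostsReceiving(setCookieHeader, settingHost, hosts) {
  const cookie = parseSetCookie(setCookieHeader);
  if (cookie.hostOnly) {
    // Host-only: exact host match, subdomains excluded.
    return hosts.filter((h) => h.toLowerCase() === settingHost.toLowerCase());
  }
  return hosts.filter((h) => domainMatches(h, cookie.domain));
}

// Constructed hosts: the application, two sibling subdomains that are less
// trusted, the apex, and an attacker domain that merely starts with the name.
const HOSTS = [
  'app.example.com',
  'blog.example.com',
  'dev.example.com',
  'example.com',
  'example.com.evil.net',
];

// Scoped to the parent domain: every subdomain receives the session cookie.
const WIDE_COOKIE = 'session=abc123; Domain=example.com; Path=/; Secure; HttpOnly';
// No Domain attribute: only the host that set it receives the cookie.
const NARROW_COOKIE = 'session=abc123; Path=/; Secure; HttpOnly';
```

Running `hostsReceiving(WIDE_COOKIE, 'app.example.com', HOSTS)` returns the four hosts under example.com (the look-alike `example.com.evil.net` is correctly excluded), so an XSS or takeover on `blog` or a forgotten `dev` host would expose the session cookie; `hostsReceiving(NARROW_COOKIE, 'app.example.com', HOSTS)` returns only `app.example.com`. Note also that any of those subdomains can itself set a cookie with `Domain=example.com`, so scoping to the parent domain is a two-way trust.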


What is Web Cache Poisoning?

How does caching work? All forms of caching in computer science, whether CPU cache, HTTP web server cache, database cache and so on, aim to speed up response times for whatever is requested. Doing so also reduces the load on the component whose output is being cached. Because of this […]
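The mechanism behind web cache poisoning is that the cache decides what to serve from a key (typically method, Host and path) while the origin's response depends on something outside that key. As an added example (not code from the Acunetix post), the block below builds a toy cache in front of an origin that reflects the unkeyed X-Forwarded-Host header into a script URL, shows the attacker's response being served to an ordinary user, and then shows the two fixes: keying on the header, or not letting it influence the response. The requests, header name and host names are constructed for illustration.

```javascript
// Added example, not from the Acunetix post. Requests and hosts are constructed.

// Vulnerable origin: builds an absolute script URL from X-Forwarded-Host when
// present, falling back to Host. The header is reflected into the page.
function reflectingOrigin(req) {
  const host = req.headers['x-forwarded-host'] || req.headers.host;
  return { status: 200, body: `<script src="https://${host}/static/app.js"></script>` };
}

// Hardened origin (fix B): the unkeyed header no longer influences the body.
function hardenedOrigin(req) {
  return { status: 200, body: `<script src="https://${req.headers.host}/static/app.js"></script>` };
}

// Cache key used by many default configurations: method + Host + path.
const VULNERABLE_KEY = (req) => `${req.method} ${req.headers.host}${req.path}`;

// Fix A: every header that can change the response becomes part of the key,
// so the attacker's poisoned entry is only ever served back to the attacker.
const KEYED_ON_HEADER = (req) => `${VULNERABLE_KEY(req)} xfh=${req.headers['x-forwarded-host'] || ''}`;

// Minimal cache: store the first response per key, replay it afterwards.
function makeCache(handler, keyFn) {
  const store = new Map();
  return {
    fetch(req) {
      const key = keyFn(req);
      if (store.has(key)) return { ...store.get(key), cached: true };
      const res = handler(req);
      store.set(key, res);
      return { ...res, cached: false };
    },
  };
}

// Attacker primes the cache with a crafted header, then a victim requests the
// same path with a clean request. Returns what the victim actually receives.
function poisoningScenario(keyFn, handler) {
  const cache = makeCache(handler, keyFn);
  const attackerReq = {
    method: 'GET', path: '/',
    headers: { host: 'www.example.com', 'x-forwarded-host': 'evil.example.net' },
  };
  const victimReq = { method: 'GET', path: '/', headers: { host: 'www.example.com' } };

  cache.fetch(attackerReq);            // populates the cache entry for "/"
  const victim = cache.fetch(victimReq);
  return {
    servedFromCache: victim.cached,
    poisoned: victim.body.includes('evil.example.net'),
    body: victim.body,
  };
}
```

`poisoningScenario(VULNERABLE_KEY, reflectingOrigin)` reports `poisoned: true` and `servedFromCache: true`: the victim's page loads JavaScript from the attacker's host although the victim never sent the header. With `KEYED_ON_HEADER` the victim misses the cache and gets a clean response; with `hardenedOrigin` the cache hit is harmless because the header no longer reaches the body. In practice the unkeyed input may be any header, cookie or parameter the cache ignores, which is why the check is "does anything outside the cache key change the response?" rather than a fixed list of headers.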


Paul’s Security Weekly Episode: Insecure Deserialization in Java/JVM

Aleksei Tiurin, Senior Security Researcher at Acunetix, joins Paul’s Security Weekly to talk us through “Insecure Deserialization in Java/JVM”! After the initial extensive research in 2015, insecure deserialization has been a very hot topic in the Java world. More and more deserialization vulnerabilities keep being found in various software, with new exploitation techniques showing […]


How To Clean A Hacked Installation of Nginx

There are literally hundreds of ways to secure and harden an Nginx server after an attack. But what does it really take to get it clean and secure again? What are the essential changes you have to make to feel secure again? To answer that question, we’ll have to investigate the most widely recognized security issues that […]


How to Prevent DOM-based Cross-site Scripting

DOM-based Cross-site Scripting (from now on called DOM XSS) is a very particular variant of the Cross-site Scripting family, and in web application development it is generally considered the amalgamation of the following: the Document Object Model (DOM), acting as a standard way to represent HTML objects (e.g. <div></div>) in a hierarchical manner, and Cross-site Scripting […]
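What makes DOM XSS distinct is that the injection happens entirely in the browser: client-side script reads an attacker-controlled source (here `location.hash`) and writes it to an HTML-interpreting sink (here `innerHTML`) without the server ever seeing the payload. As an added example (not code from the Acunetix post), the block below models that source/sink pair outside the browser so it runs under Node: the sink is stood in for by a string builder and a plain object with a `textContent` property, and the hash value is a constructed payload. It shows the vulnerable pattern beside the two usual fixes, escaping before an HTML sink and avoiding the HTML sink altogether.

```javascript
// Added example, not from the Acunetix post. The payload is constructed and
// the DOM sinks are simulated so the block runs without a browser.

// What a browser would expose as location.hash after the attacker lures the
// victim to https://app.example.com/#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
const CONSTRUCTED_HASH = '#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';

// Source: the fragment, percent-decoded as the page's own script would do.
function nameFromHash(hash) {
  return decodeURIComponent(hash.slice(1));
}

// Vulnerable: the untrusted value is concatenated into markup. In a page this
// is `greeting.innerHTML = 'Hello ' + name`; the <img> tag is parsed and its
// onerror handler runs in the victim's origin.
function renderGreetingUnsafe(hash) {
  return '<p>Hello ' + nameFromHash(hash) + '</p>';
}

// Fix 1: if an HTML sink is unavoidable, escape the characters that can
// start a tag, end an attribute or terminate an entity before writing.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderGreetingEscaped(hash) {
  return '<p>Hello ' + escapeHtml(nameFromHash(hash)) + '</p>';
}

// Fix 2 (preferred): do not use an HTML sink at all. In a page this is
// `greeting.textContent = 'Hello ' + name`; textContent never parses markup,
// so the payload is displayed literally. Modelled here as a plain node object.
function renderGreetingTextContent(hash) {
  const node = { tagName: 'P', textContent: '' };
  node.textContent = 'Hello ' + nameFromHash(hash);
  return node;
}

// Helper for reviewing output: does the produced markup contain a tag other
// than the wrapping <p> we emitted ourselves?
function containsInjectedTag(markup) {
  const inner = markup.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return /<[a-z]/i.test(inner);
}
```

The same approach applies to the other DOM sinks the prevention article is about (`document.write`, `outerHTML`, `insertAdjacentHTML`, jQuery's `.html()`): find every place where data from `location`, `document.referrer`, `window.name`, `postMessage` or storage reaches them, and either switch to a text sink or encode for the exact context being written.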
