Currently, nginx is the most popular web server, recently beating Apache. It is lightweight, fast, robust, and supports all major operating systems. It is the web server of choice for Netflix, WordPress.com, and other high traffic sites. An nginx server can easily handle 10,000 inactive…
Exploiting SSTI in Thymeleaf
One of the most comfortable ways to build web pages is by using server-side templates. Such templates let you create HTML pages that include special elements that you can fill and modify dynamically. They are easy to understand for designers and easy to maintain for…
Paul’s Security Weekly: New Web Technology & Impact on Automated Security Testing
Our core security researcher, Benjamin Daniel Mussler, has been invited to Paul’s Security Weekly podcast to participate in a discussion about new web technologies and their impact on automated security testing. Benjamin primarily talked about the fact that web browsers have gone a long way…
Easy Access to the 2020 Web Application Vulnerability Report
If you don’t have time to read the whole 2020 Acunetix Web Application Vulnerability Report, we have prepared two comfortable options for you. We want to make sure that you know the current state of web security so that you know what efforts to focus…
What Is the POODLE Attack?
The POODLE attack (Padding Oracle on Downgraded Legacy Encryption) exploits a vulnerability in the SSL 3.0 protocol (CVE-2014-3566). This vulnerability lets an attacker eavesdrop on communication encrypted using SSLv3. The vulnerability is no longer present in the Transport Layer Security protocol (TLS), which is the…
Why Is Directory Listing Dangerous?
Directory listing is a web server function that displays the directory contents when there is no index file in a specific website directory. It is dangerous to leave this function turned on for the web server because it leads to information disclosure. For example, when…
What Is the BEAST Attack
BEAST stands for Browser Exploit Against SSL/TLS. It is an attack against network vulnerabilities in TLS 1.0 and older SSL protocols. The attack was first performed in 2011 by security researchers Thai Duong and Juliano Rizzo but the theoretical vulnerability was discovered in 2002 by…
What Are Google Hacks?
The terms Google hacking, Google hacks, or Google dorking refer to attacks that use Google or another search engine to find vulnerable web servers and websites. Google hacking is based on inventing specific search queries, often using wildcards and advanced search operators (such as intitle,…
Even the Mightiest Fall: An SQL Injection in Sophos XG Firewall
Do you really think you are safe from web vulnerabilities or that they are just minor problems? A few days ago Sophos, one of the world’s most renowned security companies, found an SQL Injection in their product. What is worse, they found the vulnerability because…