Interactive Application Security Testing (IAST) is a term for tools that combine the advantages of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). It is a generic cybersecurity term coined by Gartner, so IAST tools may differ a lot in their approach…
What Are DNS Zone Transfers (AXFR)
DNS zone transfers using the AXFR protocol are the simplest mechanism to replicate DNS records across DNS servers. To avoid the need to edit information on multiple DNS servers, you can edit information on one server and use AXFR to copy information to other servers….
Red Team vs. Blue Team Exercises for Web Security
One of the best ways to verify the security posture of a business is to perform a mock attack. This principle is behind the concept of penetration testing (manual mock attack) and vulnerability scanning (automatic mock attack). While penetration tests and vulnerability scans are performed…
Domain Hijacking and Domain Spoofing
The domain name is one of the most valuable assets for a business that has a strong online presence. It is associated with a certain level of trust and a loss of a domain name can have serious consequences. However, the value of the domain…
What Is Path Traversal?
Path Traversal or as it is otherwise known, Directory Traversal, refers to an attack through which an attacker may trick a web application into reading and subsequently divulging the contents of files outside of the document root directory of the application or the web server….
What Is Same-Origin Policy
Same-Origin Policy (SOP) is a rule enforced by web browsers, which controls access to data between websites and web applications. Without SOP, any web page would be able to access the DOM of other pages. This would let it access potentially sensitive data from another…
Government-in-the-Middle and Its Consequences
In late July, the government of Kazakhstan attempted to perform a mass man-in-the-middle attack on Kazakh citizens. Users of all Kazakh mobile networks were asked to install a government-issued CA certificate to continue using selected sites such as Google services, Facebook, and Instagram. Under global…
How To Prevent DOM-based Cross-site Scripting
DOM-based Cross-site Scripting (DOM XSS) is a particular type of a Cross-site Scripting vulnerability. It uses the Document Object Model (DOM), which is a standard way to represent HTML objects in a hierarchical manner. As with all other Cross-site Scripting (XSS) vulnerabilities, this type of…
What Is a Reverse Shell Attack? – Examples, Techniques, Prevention
To gain control over a compromised system, an attacker usually aims to gain interactive shell access for arbitrary command execution. With such access, they can try to elevate their privileges to obtain full control of the operating system. However, most systems are behind firewalls and…