White papers on Web Security

Web Application Security – Enterprises Are Losing the War

Acunetix, September 2020 – Acunetix teamed up with Dimensional Research to conduct a survey and learn how effectively enterprises are handling web application security. Unfortunately, the results were not very optimistic. This report contains the results of the survey analysis with explanations and commentaries.


Acunetix Web Application Vulnerability Report 2020

Acunetix, May 2020 – Every year, Acunetix crunches data compiled from Acunetix Online into a vulnerability testing report that portrays the state of the security of web applications and network perimeters. This year’s report contains the results and analysis of vulnerabilities detected over the previous 12 months, across 5,000 scan targets.


The Future Is the Web! How to Keep It Secure?

Acunetix, October 2019 – The web is everywhere, and that is not an exaggeration. To secure your systems, you must secure web interfaces. However, enterprise security faces a much bigger problem than potential new attack vectors. Businesses grow quickly, but the number of security experts available for hire does not keep up. This Acunetix white paper shows you the methods that you can use to improve the security of all your web interfaces and reduce the workload for your security personnel, thus mitigating the skill gap.


PHP Security Mini Guide

Agathoklis Promodou, May 2019 – In this mini guide, author Agathoklis Promodou looks at the world’s most popular server-side web programming language – PHP. Like other programming languages, PHP can be exposed to a number of vulnerabilities. This mini guide examines some of the problems that should be considered every time you set out to write a PHP script so you can ensure your site is secure. These are problems which, with well-written code, can be effectively mitigated.


TLS Security: TLS/SSL Explained

Acunetix, April 2019 – In this white paper, we focus on two widely known and used protocols in computer security, SSL and TLS. We describe what TLS/SSL is, take a brief look at its history, describe some of the terminology, explain TLS/SSL certificates and their use, look at establishing an SSL connection, and look at possible TLS/SSL vulnerabilities and attacks.


All That You Need to Know About Man-in-the-Middle Attacks

Tomasz Andrzej Nidecki, March 2019 – Black hat hackers usually use man-in-the-middle attacks to eavesdrop on communications between a client and a server, including HTTPS connections to websites, other SSL/TLS connections, Wi-Fi connections, and more. This white paper details all common techniques that are used to conduct man-in-the-middle attacks, explains how these techniques work, and how to defend against them.


Acunetix Web Application Vulnerability Report 2019

Acunetix, February 2019 – Every year, Acunetix crunches data compiled from Acunetix Online into a vulnerability testing report that portrays the state of the security of web applications and network perimeters. This year’s report contains the results and analysis of vulnerabilities detected over the previous 12 months, across 10,000 scan targets.


A Fresh Look On Reverse Proxy Related Attacks

Aleksei Tiurin, January 2019 – This white paper on reverse proxy attacks aims to portray the bigger picture of potential attacks on a reverse proxy or the backend servers behind it. In the main part of the article, Aleksei Tiurin shows some examples of vulnerable configurations and of attacks exploiting various reverse proxies; the second goal of the research is to share the raw data about various implementations of reverse proxies.


Deserialization Vulnerabilities: Attacking Deserialization in JS

Aleksei Tiurin, June 2018 – At the ZeroNights 2017 conference, security researcher Aleksei Tiurin spoke about “Deserialization vulnerabilities in various languages”. For his presentation, he used an interesting article about two serialization packages for Node.js. Aleksei showed them as examples of vulnerable implementations of the deserialization process. In this article, he shows the results of his own research and a new approach to attacking deserialization in JS.


GDPR: Data Controllers Be Prepared

Matt Conran, March 2018 – With the arrival of the new General Data Protection Regulation (GDPR) legislation, security professionals must become data-centric. As a result, they can no longer rely on traditional practices to monitor and protect data along with the web applications that act as a front door to the user’s personal data. As of May 25, 2018, the European Union’s (EU’s) GDPR will come into play. A single supervisory authority will be used, rather than a separate one for each EU member state. It will provide a much-needed framework that will govern the way personal data is gathered, stored and used.


Breaking the Great Wall of Web

Rafay Baloch, January 2018 – In this white paper, author Rafay Baloch looks at various forms of Domain Fronting along with a few other techniques that can be utilized for circumventing firewalls, Deep Packet Inspection devices and captive portals. He dissects a well-known internet censorship bypass known as PSIPHON and demonstrates how it utilizes Domain Fronting for bypassing Captive Portals.


Securing MySQL Server on Ubuntu 16.04 LTS

Acunetix, July 2016 – In this white paper, we will focus on how to create a more secure environment for MySQL server, which is currently the second most popular database management system (DBMS), in order to prevent common attacks, as well as to mitigate the attack vector of other vulnerabilities. For the purposes of this article we have set up a machine running Ubuntu 16.04 LTS (Xenial Xerus) and MySQL 5.7. We have also edited our hosts file to point ‘example.com’ to the IP address of our test machine.


An Introduction to Web-shells

Acunetix, July 2016 – A web-shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. In this white paper, we look at common functions used to execute shell commands in PHP, possible tricks attackers can use to keep web shells under-the-radar, and tips on detection and prevention.


Top tips to secure your Drupal Application

Acunetix, February 2016 – Drupal is a very popular Content Management System (CMS) on the Internet today. Drupal sites, especially ones running older versions of the CMS or its modules, are a ripe target for attackers. In this white paper, we detail a few measures which can be taken to address the basic security holes or malpractices that are commonly present in thousands of Drupal sites.


Top tips to secure your Joomla! Application

Acunetix, February 2016 – Joomla! sites, especially ones running older versions of the CMS or its extensions, are a ripe target for attackers. In this white paper, we detail a few measures which can be taken to address the basic security holes or malpractices that are commonly present in thousands of Joomla! web applications.


Defence in depth and how it applies to web applications

Acunetix, January 2016 – Defence in depth is a principle of adding security in layers in order to increase the security posture of a system as a whole. In other words, if an attack causes one security mechanism to fail, the other measures in place take arms to further deter and even prevent an attack.


Top tips to prevent a WordPress hack

Acunetix, February 2015 – WordPress sites are notoriously lacking when it comes to security, whether due to insufficient security expertise on the part of the developer or to the use of one of the many available plugins (whose security cannot be guaranteed). This white paper gives top tips on how to keep a WordPress application secure.


HIPAA – Why you need to keep patient information secure

Acunetix, December 2014 – If you’re a healthcare entity in the United States, then you’ll certainly be familiar with HIPAA. This white paper deals with the most important aspects for healthcare providers, insurers and other health-related entities – keeping patient information secure and knowing when, how much and with whom the information can be shared.


PCI Compliance – Securing Both Merchant and Customer Data

Acunetix, November 2014 – This white paper details the Payment Card Industry (PCI) compliance standard and the security threats which brought about the need to standardize the protection of customer credit card data.


A Complete Guide to Securing your Website

Acunetix, January 2010 – In this white paper we explain in detail how to do a complete website security audit and focus on using the right approach and tools. We describe the whole process of securing a website in an easy-to-read, step-by-step format: what needs to be done prior to launching an automated website vulnerability scan, up to the manual penetration testing phase.


Why File Upload Forms are a Major Security Threat

Acunetix, May 2009 – This white paper shows how and why the widely used file upload forms are a major security threat. It also gives some recommendations on how to securely code such file upload forms, and how they can be checked for vulnerabilities with the Acunetix web vulnerability scanner.


Finding the Right Web Application Scanner; Why Black Box Scanning is not Enough

Acunetix, September 2008 – This white paper shows how Acunetix AcuSensor Technology increases accuracy by combining black box scanning techniques with feedback from sensors placed inside the source code while the source code is executed.


Web Services – The Technology and its Security Concerns

Acunetix, October 2007 – This white paper examines the technology behind Web Services, how the system is made available to the user, and the way connections are made to back-end (and therefore sensitive) data. These different elements come together to make Web Services a portal for users to access data, but they also provide different entry points which may be exploited for illegitimate purposes.


The Payment Card Industry Compliance – Securing Both Merchants and Customer Data

Acunetix, May 2007 – This white paper explains the Payment Card Industry Compliance standard in real detail, and the security threats which brought about the need to standardize the data protection of both merchants and customers.