For companies, threats come from two sources—outside the organization and inside (reads: disgruntled, unethical employees). Insider threats can be very difficult to handle and the number of annual incidents is on the rise. The insider threat can come in several forms: Employees who steal intellectual…
BREACH attacks: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
BREACH attacks, abbreviated from Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext, are attacks similar to the CRIME attack. Both attacks are compression side channel attacks, however CRIME targets information compressed in HTTP requests through TLS compression, whilst BREACH targets information compressed in HTTP…
The importance of Internal Web Security Assessments
What do things look like on the outside? That’s the main focus we have as human beings. But beauty is only skin deep. As with relationships and leaked NSA documents, we quickly discover that what’s on the inside is just as, if not more, important….
Server Side Request Forgery (SSRF)
A Server Side Request Forgery (SSRF) attack gives an attacker the ability to use your web application to send requests to other applications running on the same machine, or to other servers which can be on the same or on a remote network. Since the…
Automatic detection of XXE vulnerabilities in OpenID implementations using Acunetix AcuMonitor
Reginaldo Silva recently uncovered a very interesting bug affecting Facebook (and received $33,500 for this discovery). The bug is caused by improper handling of XML documents in OpenID implementations causing XML External Entity Expansion vulnerabilities. He mentioned in his article that many OpenID implementations/libraries are…
New Security Checks Added to Acunetix Web Vulnerability Scanner
The latest build of Acunetix Web Vulnerability Scanner includes a lot of changes and new security tests. Here is a short summary of the most interesting tests we’ve just added. 1. Vulnerable JavaScript libraries Acunetix Web Vulnerability Scanner can now identify vulnerable versions of various JavaScript…
Latest Improvements in the Detection of DOM XSS Vulnerabilities
The latest build of Acunetix Web Vulnerability Scanner (Build 20131023) released yesterday, contains important improvements in the detection of DOM XSS vulnerabilities. Our DeepScan technology was also further strengthened in this build. Take the following piece of code for example: This code is vulnerable to…
XSS Vulnerability injected through Google Analytics, executed in IOS’s Gmail application
Roy Castillo, a security researcher from the Philippines, identified a cross-site scripting (XSS) vulnerability in the Gmail application for iOS. The vulnerability was found in the mail attachment feature and needed no user interaction to be triggered. In a post on his blog, Roy Castillo…
IT Security Includes Cyber Attack Response
Preventing cyber attacks is a dominant topic for IT security. It is the first layer of defense. The more attacks prevented the better – no question about it. However, does great prevention guarantee there will no successful cyber attacks? Of course not. Good Security is…