AppCheck Security Blog

Server-Side Request Forgery (SSRF) & the Cloud Resurgence

So what exactly is SSRF? How does it work, why is it more prevalent in 2020, and how can we protect against it?

read more

Server-Side Request Forgery (SSRF) & the Cloud Resurgence

So what exactly is SSRF? How does it work, why is it more prevalent in 2020, and how can we protect against it?

Read more

WebSocket Security - Cross-Site Hijacking (CSWSH)

In this article we are going to take a look at one of the newer technologies used in modern web applications, the “WebSockets” that were standardized by the Internet Engineering Task Force (IETF) in 2011.

Read more

Insecure Direct Object Reference

Insecure Direct Object Reference, is a common web application vulnerability that allows an attacker to bypass mis-configured logical access controls and access sensitive data.
In this article, we will step through looking at what IDOR is, how it can often be introduced as a vulnerability, how an attacker is able to exploit it, and how to defend against it.

Read more

Single Page Applications (SPA)

Essentially a SPA is a client-side dynamic web application that makes a full HTML page load initially but thereafter responds to all DOM events initiated by actions such as clicking on links by dynamically rewriting the current web page, rather than the default method in a traditional “multi-page” web application of the browser loading entire new pages.

Read more

HTML5 Cross-Document Messaging Vulnerabilities

In this article, we take a look at the security model that the Web Messaging API (a.k.a. “Cross-Document Messaging”) - is built on, why the security measures that it introduces are necessary, and some of the potential mis-configurations that can undermine the API’s security model.

Read more

Scanning GraphQL for Vulnerabilities with AppCheck

AppCheck is pleased to announce enhanced support for scanning GraphQL based APIs. In this post we take a brief look at GraphQL and some of the security implications surrounding the technology.

Read more

The Importance of Regular Vulnerability Scanning

In an earlier article we have covered the importance of vulnerability scanning and why it remains a powerful tool in your security arsenal – in this article we will examine specifically why it is important to leverage one of the most powerful advantages that dynamic application security testing (DAST) or vulnerability scanning has over manual penetration testing: its ability to be scheduled for frequent or continuous assessment.

Read more

Common e-commerce vulnerabilities and how to remedy

Modern e-commerce encompasses a broader network of activities and services relating to electronically buying or selling of products on online services or over the Internet. We explore common vulnerabilities that can occur within e-commerce sites and most importantly, how to remedy these.

Read more

Got Swagger? How mapping your API helps to protect it.

API security is often barely mentioned. Web application developers are, broadly, aware of vulnerabilities such as the OWASP Top 10, but these barely or tangentially mention API security as of the latest (2017) update.

This may not have been an issue historically, however APIs are no longer a niche or secondary form of traffic. API calls now represent 83 percent of web traffic, according to traffic review detailed in a recent report.

Read more

SaltStack scanning tool to detect CVE-2020-11651 & CVE-2020-11652

These CVE's are now being actively exploited in the wild and so we have created a free standalone scanner to detect and report on these.

Read more