AppCheck Security Blog

A successful exploit of a DNS rebinding attack turns a victim’s browser into a proxy for attacking screened devices on the user’s private network, which are not exposed to the public internet. Rather than being a “standalone” vulnerability, it is typically used to enable further, onward attacks against devices that an individual or organisation may believe are inaccessible to attackers. DNS rebinding attacks aren’t as well known of or understood by organisations in the same way as household-name exploits such as “XSS”, and so many organisations may not have explicit protection measures in place.

In this article we’re going to take a look at so-called “Session Puzzling Attacks.” So in this article we’re going to step through a full explanation of typical session handling mechanisms, how the vulnerability can arise within them, and how to prevent vulnerabilities of this class.

“BYOD” and the “Internet of Things” are two growing areas of security concern for organisations, linked conceptually by the commoditisation of information processing hardware.

CSRF stands for “Cross Site Request Forgery” and is a term that is used to describe a situation in which an attacker tricks a computer user into submitting a web request that they are unaware of performing, that is performed under their identity, and which is typically against their interests. An example might be an instruction to their online bank to transfer money out of their account and into the attacker’s account. Since the action is performed from the victim’s computer, it is indistinguishable from a legitimate and intentional request made by the victim. This obviously sounds fairly alarming! Let’s dig deeper into the mechanisms that make this possible.

The “WPO365 | LOGIN” WordPress plugin (up to and including version 15.3) by wpo365.com is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS).

In this episode, Nick Blundell – Head of R&D at AppCheck speaks with Holly Grace Williams from Secarma about the pros and cons of vulnerability scanning, how hackers can enter weak systems and the need for a blended approach.

The OWASP Penetration Testing Checklist is aimed at delivering a baseline standard against which potential vendor solutions can be assessed to ensure that a prospective web application security testing provider delivers a service that is sufficient

On the 15th of July 2021 Umbraco and AppCheck released a Security Advisory to alert users of a vulnerability within the Umbraco Forms component that could be exploited to gain remote code execution on the affected system.

The OWASP Top 10 Privacy Risks list is an attempt to curate a completely neutral set of prioritised privacy risks for businesses to consider, as well as a recommended set of countermeasures for businesses to deploy against the occurrence of those risks.