AppCheck Security Blog

Umbraco ApplicationURL Overwrite & Persistent Password Reset Poison (CVE-2022-22690 & CVE-2022-22691)

DNS Rebinding Attacks

A successful DNS rebinding attack turns a victim’s browser into a proxy for attacking screened devices on the user’s private network that are not exposed to the public internet. Rather than being a “standalone” vulnerability, it is typically used to enable further, onward attacks against devices that an individual or organisation may believe are inaccessible to attackers. DNS rebinding attacks are not as well known or understood by organisations as household-name exploits such as “XSS”, and so many organisations may not have explicit protection measures in place.

Session Puzzling Attacks (a.k.a. “Session Variable Overloading”)

In this article we take a look at so-called “Session Puzzling Attacks”, stepping through a full explanation of typical session handling mechanisms, how the vulnerability can arise within them, and how to prevent vulnerabilities of this class.

BYOD & The Internet of Things

“BYOD” and the “Internet of Things” are two growing areas of security concern for organisations, linked conceptually by the commoditisation of information processing hardware.

The current state of CSRF and should I still worry about it?

CSRF stands for “Cross Site Request Forgery” and is a term that is used to describe a situation in which an attacker tricks a computer user into submitting a web request that they are unaware of performing, that is performed under their identity, and which is typically against their interests. An example might be an instruction to their online bank to transfer money out of their account and into the attacker’s account. Since the action is performed from the victim’s computer, it is indistinguishable from a legitimate and intentional request made by the victim. This obviously sounds fairly alarming! Let’s dig deeper into the mechanisms that make this possible.

WordPress + Microsoft Office 365 / Azure AD | LOGIN Persistent Cross-Site Scripting (CVE-2021-43409)

The “WPO365 | LOGIN” WordPress plugin (up to and including version 15.3) by wpo365.com is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS).

Secarma Automated Testing Podcast - Nick Blundell

In this episode, Nick Blundell, Head of R&D at AppCheck, speaks with Holly Grace Williams from Secarma about the pros and cons of vulnerability scanning, how hackers can enter weak systems, and the need for a blended approach.

AppCheck & the OWASP Penetration Testing Checklist

The OWASP Penetration Testing Checklist is aimed at delivering a baseline standard against which potential vendor solutions can be assessed to ensure that a prospective web application security testing provider delivers a service that is sufficient

Umbraco Forms File Upload Vulnerability: Technical Analysis (CVE-2021-37334)

On the 15th of July 2021, Umbraco and AppCheck released a Security Advisory to alert users to a vulnerability within the Umbraco Forms component that could be exploited to gain remote code execution on the affected system.

AppCheck & The OWASP Top 10 Privacy Risks

The OWASP Top 10 Privacy Risks list is an attempt to curate a completely neutral set of prioritised privacy risks for businesses to consider, as well as a recommended set of countermeasures for businesses to deploy against the occurrence of those risks.
