Featured post
/ Posted December 16, 2020
In this article we go boldly beyond the OWASP Top 10 to review a few critical, interesting or just plain bizarre vulnerabilities not included in OWASP Top 10 and see how they could impact you.
Research / Posted December 01, 2020
In this blog post we will explore Template Injection attacks against the JsRender/JsViews library.
Research / Posted November 26, 2020
An XML (Extensible Markup Language) External Entity or XXE attack occurs when an attacker is able to exploit the application's processing of XML data by injecting malicious entities.
Research / Posted November 10, 2020
Deserialisation vulnerabilities were introduced to the OWASP Top 10 in 2017, nudging out Cross-Site Request Forgery (CSRF), based on the increasing prevalence and impact of deserialisation attacks reported in an industry survey. But what are deserialisation vulnerabilities, how do they occur, why did the threat from them suddenly increase in recent years, and what can be done to protect your organisation from this vulnerability?
Research / Posted October 20, 2020
So what exactly is SSRF? How does it work, why is it more prevalent in 2020, and how can we protect against it?
Research / Posted October 01, 2020
In this article we are going to take a look at one of the newer technologies used in modern web applications, the “WebSockets” that were standardized by the Internet Engineering Task Force (IETF) in 2011.
Research / Posted September 25, 2020
Insecure Direct Object Reference (IDOR) is a common web application vulnerability that allows an attacker to bypass misconfigured logical access controls and access sensitive data.
In this article, we will step through looking at what IDOR is, how it can often be introduced as a vulnerability, how an attacker is able to exploit it, and how to defend against it.
Research / Posted September 01, 2020
Essentially, a Single-Page Application (SPA) is a client-side dynamic web application that performs a full HTML page load initially but thereafter responds to DOM events, such as clicking on links, by dynamically rewriting the current web page, rather than having the browser load entire new pages as a traditional “multi-page” web application does.
Research / Posted August 12, 2020
In this article, we take a look at the security model that the Web Messaging API (a.k.a. “Cross-Document Messaging”) is built on, why the security measures that it introduces are necessary, and some of the potential misconfigurations that can undermine the API’s security model.
News, Product, Research / Posted June 09, 2020
AppCheck is pleased to announce enhanced support for scanning GraphQL based APIs. In this post we take a brief look at GraphQL and some of the security implications surrounding the technology.