News / Posted September 03, 2019
Cross-Site Scripting (XSS) is by far the most widespread high impact vulnerability, present even in the best of web applications, regardless of the framework or programming language employed - a burly steadfast member of the OWASP Top Ten.
Here at AppCheck the client-side nature of typical XSS has led to a general underappreciation of its exploitation potential, though a good understanding of the vulnerability and its subtle variations will show how it can be used to devastating effect... and more importantly: how it can be avoided.
In this seminar we will build up piece-by-piece an understanding of XSS that spares no detail.
Research Security Alerts / Posted May 27, 2015
The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected Magento server and database.
With almost 80,000 downloads at the time of writing, the affected component is the most popular blog component available via Magento Connect.Read more
News Product Research / Posted May 14, 2015
In this video series we discuss the common security flaws encountered in HTML5 enabled websites. Our focus is around Cross-Origin communication through postMessage and CORS.Read more
News Product Research / Posted March 04, 2015
Research Security Alerts / Posted March 03, 2015
On the 10th of February 2015 Appcheck reported several security flaws in the popular VirtueMart eCommerce extension for Joomla (Version 3.0.2). A fix has since been made available via http://virtuemart.net/ although no official announcement was released by the vendor.Read more
Research Security Alerts / Posted November 28, 2014
On the 18th August, 2014, AppCheck reported a Directory Traversal Vulnerability in the SafeNet SAS Outlook Web Access Agent that, without requiring any user authentication, allows a remote attacker to gain access to any file located on the remote server’s local hard drives.Read more
Research Security Alerts / Posted October 21, 2014
On April 8th 2014, AppCheck reported several Cross Site Scripting Vulnerabilities in the Magento e-commerce platform via the eBay bug bounty program. eBay responded to inform us that the vulnerabilities had already been reported.
However, since more than 6 months have passed and no fix is yet available, This advisory is intended to inform Magento administrators of the vulnerability so that action can be taken to mitigate the flaw.Read more