AppCheck Security Blog

Session Puzzling Attacks (a.k.a. “Session Variable Overloading”)

In this article we’re going to take a look at so-called “Session Puzzling Attacks.” So in this article we’re going to step through a full explanation of typical session handling mechanisms, how the vulnerability can arise within them, and how to prevent vulnerabilities of this class.

read more

Session Puzzling Attacks (a.k.a. “Session Variable Overloading”)

In this article we’re going to take a look at so-called “Session Puzzling Attacks.” So in this article we’re going to step through a full explanation of typical session handling mechanisms, how the vulnerability can arise within them, and how to prevent vulnerabilities of this class.

Read more

Reflecting on AppCheck - Dylan Marriott

We have taken on lots of new starters at AppCheck across all departments as we continue to enjoy a period of expansion. We sit down with Dylan Marriott, our Application Support Engineer, and ask him how his first few months with AppCheck have gone.

Read more

AppCheck joins Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

We are delighted to announce that we have become the latest vendor to be authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Read more

Halloween Cyber Security Quiz

This year, we have prepared some cyber security quizzes to protect you from the evil that lurks.
One quiz is filled with nasty questions which will rack your brain, the other filled with treats to delight you. The question is... which is which?

Read more

BYOD & The Internet of Things

“BYOD” and the “Internet of Things” are two growing areas of security concern for organisations, linked conceptually by the commoditisation of information processing hardware.

Read more

Security Advisory: Duplicate Post WordPress Plugin SQL Injection Vulnerability (CVE-2021-43408)

The AppCheck Research team identified a security flaw within the “Duplicate Post” WordPress plugin. The plugin has been downloaded 155,421 times at the time of writing. This blog post details the finding along with remediation advice.

Read more

The current state of CSRF and should I still worry about it?

CSRF stands for “Cross Site Request Forgery” and is a term that is used to describe a situation in which an attacker tricks a computer user into submitting a web request that they are unaware of performing, that is performed under their identity, and which is typically against their interests. An example might be an instruction to their online bank to transfer money out of their account and into the attacker’s account. Since the action is performed from the victim’s computer, it is indistinguishable from a legitimate and intentional request made by the victim. This obviously sounds fairly alarming! Let’s dig deeper into the mechanisms that make this possible.

Read more

Webinar: Authentication: Bypassed!

A brand new webinar in which we hope to build up an understanding of authentication vulnerabilities, working from the most basic to more intricate scenarios, sparing no detail whilst remaining accessible to non-technical audiences. Straight from the stage of the Digital Transformation Expo, this will be the debut of this webinar content.

Read more

WordPress + Microsoft Office 365 / Azure AD | LOGIN Persistent Cross-Site Scripting (CVE-2021-43409)

The “WPO365 | LOGIN” WordPress plugin (up to and including version 15.3) by wpo365.com is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS).

Read more

AppCheck Web Application Seminar November 2021 - LONDON

The Web Application Security seminar is a free event that presents a detailed analysis of the most common threats facing web applications today. We will review high profile examples and provide a technical breakdown of critical security flaws along with an introduction into emerging technologies.

Read more