AppCheck Security Blog
Featured post
AppCheck supporting World Refugee Day
/ Posted July 02, 2021
In the run up to World Refugee Day on 20th June 2021, AppCheck held a fundraiser to support local humanitarian Rob Lawrie's work with child refugees in camps across Europe.
read moreFilter by:
AppCheck supporting World Refugee Day
News / Posted July 02, 2021
In the run up to World Refugee Day on 20th June 2021, AppCheck held a fundraiser to support local humanitarian Rob Lawrie's work with child refugees in camps across Europe.
Read moreAppCheck Wins Global Business Tech Awards 2021
News / Posted June 18, 2021
This year AppCheck took the win for 'Cyber Security Company of the Year' at the Global Business Tech Awards 2021.
Read moreWeb App Security: Why So Hard?
Events / Posted June 09, 2021
Action... Mystery... Intrigue...
What does AppCheck's webinar latest have in store? Click for more...
Webinar: How Does Automated Vulnerability Scanning Work?
Events / Posted May 07, 2021
The webinar begins with AppCheck’s Head of Research & Development as he takes an in-depth look at web application security and the difficulties in ensuring they are secure. From here an AppCheck consultant provides an overview of the AppCheck Vulnerability Scanning Tool and what exactly our free trial scan entails.
Read moreAttacking the Supply Chain: Dependency Confusion
Research / Posted April 08, 2021
Modern web applications are typically built using a combination of in-house custom code and third-party libraries. The in-house code leverages functionality from typically open-source libraries that provide convenient access in the chosen development language to common functions (such as email sending or data structure access). These libraries will typically be deployed to the webserver serving the web application along with the in-house code... [read more]
Read more“RCE” Primer: Remote Code Execution
Research / Posted March 23, 2021
Remote code execution (RCE) is the term used to describe the execution of arbitrary code on a system where the attacker does not have direct access to the console. Any vulnerability that allows an attacker to execute code or commands on remote system where this was not intended can be said to result in RCE.
Read moreAdvisory: CVE-2020-29045 - Unauthenticated RCE via Arbitrary Object Deserialisation in Five Star Restaurant Menu - WordPress Ordering Plugin
Research Security Alerts / Posted March 10, 2021
It is possible to gain Unauthenticated Remote Code Execution (RCE) on any WordPress instance that is using this plugin, due to the unsafe use of unserialize for the parsing of unsanitised user input, via the cookie fdm_cart used within includes/class-cart-manager.php
Read moreInformation Disclosure Vulnerabilities: Mimes, Gits & Leaky Proxies
Research / Posted March 04, 2021
Information disclosure occurs when out-of-scope data – such as information relating to the service operation, or its operators – is returned to clients in-band through the defined data response channel (e.g HTTP responses). Typically exploiting these vulnerabilities doesn’t require an attacker to do anything other than make passive requests (those not containing a malicious payloads) or to attempt to bypass access controls – often there is therefore no “attack signature” that can be detected in logs or blocked by Web Application Firewalls, and companies may find it impossible to prosecute an attacker or prove that they performed an action that was in any way criminal.
Read moreAdvisory: CVE-2020-29047 - Unauthenticated RCE via Arbitrary Object Deserialisation in WordPress Hotel Booking Plugin
Research Security Alerts / Posted March 03, 2021
CVE: CVE-2020-29047
Severity: HIGH
Vulnerability Type: CWE-502: Deserialization of Untrusted Data
Requires Authentication: No
URL Parsing and Path Traversal
Research / Posted February 04, 2021
This article focusses on URL parsing and the security issues surrounding it, taking a look at path traversal and how this can be employed by an attacker to cause the system to read or write files outside of the intended path scope.
Read more