AppCheck Security Blog
Featured post
Information Disclosure Vulnerabilities: Mimes, Gits & Leaky Proxies
/ Posted March 04, 2021
Information disclosure occurs when out-of-scope data – such as information relating to the service operation, or its operators – is returned to clients in-band through the defined data response channel (e.g HTTP responses). Typically exploiting these vulnerabilities doesn’t require an attacker to do anything other than make passive requests (those not containing a malicious payloads) or to attempt to bypass access controls – often there is therefore no “attack signature” that can be detected in logs or blocked by Web Application Firewalls, and companies may find it impossible to prosecute an attacker or prove that they performed an action that was in any way criminal.
read moreFilter by:
Information Disclosure Vulnerabilities: Mimes, Gits & Leaky Proxies
Research / Posted March 04, 2021
Information disclosure occurs when out-of-scope data – such as information relating to the service operation, or its operators – is returned to clients in-band through the defined data response channel (e.g HTTP responses). Typically exploiting these vulnerabilities doesn’t require an attacker to do anything other than make passive requests (those not containing a malicious payloads) or to attempt to bypass access controls – often there is therefore no “attack signature” that can be detected in logs or blocked by Web Application Firewalls, and companies may find it impossible to prosecute an attacker or prove that they performed an action that was in any way criminal.
Read moreAdvisory: CVE-2020-29047 - Unauthenticated RCE via Arbitrary Object Deserialisation in WordPress Hotel Booking Plugin
Research Security Alerts / Posted March 03, 2021
CVE: CVE-2020-29047
Severity: HIGH
Vulnerability Type: CWE-502: Deserialization of Untrusted Data
Requires Authentication: No
URL Parsing and Path Traversal
Research / Posted February 04, 2021
This article focusses on URL parsing and the security issues surrounding it, taking a look at path traversal and how this can be employed by an attacker to cause the system to read or write files outside of the intended path scope.
Read moreWebinar: URLs, Uploads & Dragons
Events / Posted February 03, 2021
In this webinar we explore through example how assumptions and subtle mishandling of URLs and files can lead to various high severity OWASP Top 10 vulnerabilities.
Read moreWebinar: The Great Database Heist: Where’d all my Data Just go!?
Events / Posted January 12, 2021
We will explore how such common OWASP Top 10 vulnerabilities arise, looking at SQL and NoSQL injection attacks and exploits, and importantly at how to avoid them, sparing no detail whilst being accessible also at a non-technical level.
Read moreBeyond the OWASP Top 10 – “Chicken Bits”, Pollution & Greedy Matches
Research / Posted December 16, 2020
In this article we go boldly beyond the OWASP Top 10 to review a few critical, interesting or just plain bizarre vulnerabilities not included in OWASP Top 10 and see how they could impact you.
Read moreWhat to expect from your free vulnerability scan
Product / Posted December 04, 2020
In this article, we’re going to look at what a vulnerability scan is, how it can help to protect your organisation, and how AppCheck will work with you to deliver a free trial scan of your own websites, networks and infrastructure to demonstrate these benefits.
Read moreWebinar: XSS-Mas! …and a Hijacked New Year!
Events / Posted December 04, 2020
Cross-Site Scripting (XSS) is by far the most widespread high impact vulnerability, present even in the best of web applications, regardless of the framework or programming language employed - a burly steadfast member of the OWASP Top Ten.
Read moreTemplate Injection: JsRender/JsViews
Research / Posted December 01, 2020
In this blog post we will explore Template Injection attacks against the JsReder/JsViews library.
Read moreExternal Entity Injection (XXE)
Research / Posted November 26, 2020
An XML (Extensible Markup Language) External Entity or XXE attack occurs when an attacker is able to exploit the application's processing of XML data by injecting malicious entities.
Read more