
Web Application Security Blog

The Struts Saga Continues: Groundhog Day All Over Again

POSTED BY  Zaid Al Hamami on Mar 23, 2017

In a previous blog post I talked about the Struts CVE (CVE-2017-5638) that’s affecting much of the Java Web App world these days. A security engineer at IMMUNIO provided his technical perspective as well.


TOPICS     Vulnerabilities  WAF vs. RASP  RASP  Web Application Security

Will it Pwn CVE-2017-5638: Remote Code Execution in Apache Struts 2?

POSTED BY  Ajin Abraham on Mar 13, 2017

A few days back Nike Zheng reported a Remote Code Execution vulnerability in Apache Struts 2. The exploit abuses a bug in the Jakarta Multipart parser used by Apache Struts 2 to achieve remote code execution by sending a crafted Content-Type...
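The post above describes the trigger as a crafted Content-Type header reaching the Jakarta Multipart parser. The following is an added example, not code from the post or from IMMUNIO's product: a small pre-parser check that a request filter could run before the multipart parser ever sees the header. It flags values that contain an OGNL expression opener (`%{` or `${`), including percent-encoded variants, and values that are not a plausible `type/subtype` media type at all. The request structure, the sample values, and the function names are all assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Expression openers that have no legitimate place in a Content-Type value.
OGNL_MARKERS = ("%{", "${")

# A well-formed Content-Type: token "/" token, optionally followed by ;name=value parameters.
MEDIA_TYPE_RE = re.compile(
    r"[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+(\s*;\s*[^;=]+=[^;]*)*"
)


def normalise(value: str) -> str:
    """Undo up to three rounds of percent-encoding so that %25%7B is seen as %{."""
    prev = None
    for _ in range(3):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value


def is_suspicious_content_type(value: str) -> bool:
    """Return True if a Content-Type header should be rejected before multipart parsing.

    An absent or empty header is normal (plain GETs) and is not flagged.
    """
    v = normalise(value).strip()
    if not v:
        return False
    if any(marker in v for marker in OGNL_MARKERS):
        return True
    # Anything that is not type/subtype[;params] is not a media type the parser should touch.
    return MEDIA_TYPE_RE.fullmatch(v) is None


def flag_requests(requests):
    """Return the ids of requests whose Content-Type header looks crafted."""
    return [
        r["id"]
        for r in requests
        if is_suspicious_content_type(r["headers"].get("Content-Type", ""))
    ]


# Constructed sample requests (hypothetical, not captured traffic).
SAMPLE_REQUESTS = [
    {"id": "r1", "headers": {"Content-Type": "multipart/form-data; boundary=----abc123"}},
    {"id": "r2", "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    # Inert OGNL-shaped value: only the expression opener matters to the check.
    {"id": "r3", "headers": {"Content-Type": "%{(#_='multipart/form-data').(1+1)}"}},
    # Same thing, percent-encoded once more to dodge a naive string match.
    {"id": "r4", "headers": {"Content-Type": "%25%7B(#_='multipart/form-data').(1+1)%7D"}},
    {"id": "r5", "headers": {}},
]

if __name__ == "__main__":
    print(flag_requests(SAMPLE_REQUESTS))  # ['r3', 'r4']
```

The check is deliberately narrow: it does not try to parse OGNL, only to refuse header values that cannot be a media type. Patching Struts is the fix; a filter like this buys time and gives you a log line to alert on.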


TOPICS     Vulnerabilities  RASP  Web Application Security

CVE-2017-5638 - Groundhog Day

POSTED BY  Zaid Al Hamami on Mar 09, 2017

It's one of those weeks. A new, big-impact, low-effort CVE (CVE-2017-5638). This time it is Java Struts apps, specifically ones using the Jakarta Multipart parser. Again, it is one of those “malformed input in ways no one expected gives me powers...


TOPICS     Vulnerabilities  Application Security  DevOps

Bot Fingerprinting

POSTED BY  Mike Milner on Dec 20, 2016

A web bot is designed to make life on the web easier: a script that automates repetitive tasks and performs them much faster than a human could. This speed is often how you can tell who or what is interacting with your site: bot or human. And when it...
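The post above points out that request speed is often the first tell. As an added example (not code from the post or from IMMUNIO), here is the simplest form of that idea: a sliding-window rate check over access-log events, flagging any client that exceeds a request budget within a short window. The log format, the addresses, the thresholds, and the function names are assumptions made for this example; the log lines are constructed, not real traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (hypothetical): "<client-ip> <ISO-8601 timestamp> <path>"


def make_sample_log() -> str:
    """Build constructed log lines: one human-paced client and one burst client."""
    base = datetime(2016, 12, 20, 10, 0, 0)
    lines = []
    # Human: 6 page views spread over 75 seconds.
    for i in range(6):
        ts = base + timedelta(seconds=15 * i)
        lines.append(f"198.51.100.7 {ts.isoformat()} /page/{i}")
    # Bot: 40 product pages in under 8 seconds.
    for i in range(40):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"203.0.113.9 {ts.isoformat()} /product/{i}")
    return "\n".join(lines)


def parse_log(text: str):
    """Parse log lines into (ip, timestamp, path) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, ts, path = line.split(" ", 2)
        events.append((ip, datetime.fromisoformat(ts), path))
    return events


def find_bursting_clients(events, window_seconds=10, max_requests=20):
    """Return {ip: peak requests seen inside one window} for clients over the budget.

    Events are processed in time order; each client keeps a deque of timestamps
    inside the current window, so memory is bounded by the window, not the log.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peak = {}
    for ip, ts, _path in sorted(events, key=lambda e: e[1]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


if __name__ == "__main__":
    print(find_bursting_clients(parse_log(make_sample_log())))  # {'203.0.113.9': 40}
```

Rate alone is a coarse signal: a NAT gateway or a corporate proxy looks like one fast client, and a patient bot stays under any fixed budget. It is the cheap first filter that the richer fingerprinting the post goes on to discuss builds on.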


TOPICS     Vulnerabilities  Web Application Security

2016: AppSec Year in Review

POSTED BY  Richard April on Dec 15, 2016

Accounts taken over and credentials seriously stuffed

Credential stuffing attacks were made possible by several hacks that hit the news in 2016. Hacks like these happen in two (or more) phases, often occurring years apart. The first phase is...


TOPICS     Vulnerabilities  Application Security  Account Takeover  Stolen Credentials

The Relationship Between RASP, Mobile Apps, and Web Service Infrastructure

POSTED BY  Mike Milner on Dec 01, 2016

Mobile applications do not run on their own—almost every useful app is backed by one or more web services running in the background to perform most actions and to link them to enterprise systems. Even though you don’t really see this part, your...


TOPICS     Vulnerabilities  RASP  Web Application Security  Mobile App Security

RASP Adoption: A View From The Trenches (Part 1)

POSTED BY  Goran Begic on Nov 08, 2016

Runtime application self-protection (RASP) is one of the newest security technologies. Still in the early stages of industry adoption, this method of protecting web apps promises dynamic defense and automatic mitigation of vulnerabilities.


TOPICS     Vulnerabilities  RASP  Web Application Security

How to Engage Developers in App Security

POSTED BY  Oliver Lavery on Sep 27, 2016

It’s become accepted wisdom that developers and security engineers exist on different planes, and that they’re anything but enthusiastic about collaborating. But with web application security threats proliferating and becoming increasingly...


TOPICS     Vulnerabilities  Application development

Biggest Data Breach Yet: What Are the Implications of the Yahoo Hack?

POSTED BY  Maria Lee on Sep 23, 2016

The biggest security story of this week by far was the massive data breach at Yahoo. The implications of this breach -- widely reported to be the largest of its kind in history -- will be wide-ranging and complex. As the Yahoo hack (and many...


TOPICS     Vulnerabilities  Account Takeover  Stolen Credentials

Why You Should Automate Security in Agile Development

POSTED BY  Oliver Lavery on Sep 20, 2016

Before agile development went mainstream, manual security and quality assurance methods were considered adequate for many organizations’ needs. But today’s agile and lean development cycles are simply too rapid for manual approaches to web...


TOPICS     Vulnerabilities  RASP  Agile development