Critical alert – Log4Shell (CVE-2021-44228 in Log4j) – possibly the biggest impact vulnerability ever

On December 10, 2021, a serious vulnerability was discovered in the Apache Log4j framework, which is used by most Java installations. The vulnerability, dubbed Log4Shell or LogJam, was identified in the NVD as CVE-2021-44228 and, to quote one of Acunetix's original creators and primary security experts, Bogdan Calin, “it’s the biggest vulnerability we have ever seen, which …

What is HTTP header injection

HTTP header injection is a web application security term for a situation in which an attacker tricks the web application into inserting extra HTTP headers into legitimate HTTP responses. HTTP header injection is a technique that can be used to facilitate malicious attacks such as cross-site scripting, web cache poisoning, and more. These, in turn, may …

What Is Forced Browsing

Forced browsing, also called forceful browsing, is an attack technique against badly protected websites and web applications, which allows the attacker to access resources that they should not be able to access. Such resources may contain sensitive information. Forced browsing is a common web application security issue caused by careless coding. Forced browsing is formally …

The Heartbleed Bug – Old Bugs Die Hard

You would think that after several years, a well-known security vulnerability should no longer be found in production systems. It may, therefore, come as a surprise that famous Internet security issues such as the Heartbleed vulnerability linger on for many years after they have been fixed. Don’t believe us? See this Shodan report. There are many …

Cross-Origin Resource Sharing (CORS) and the Access-Control-Allow-Origin Header

Modern browsers use the Same-Origin Policy (SOP) by default, which means that fetching resources from other origins is not allowed. However, in some situations, such operations are necessary. Cross-Origin Resource Sharing (CORS) was designed to address such situations using HTTP response headers, which include Access-Control-Allow-Origin.

What Is Same-Origin Policy

Same-Origin Policy (SOP) is a general web …

The HttpOnly Flag – Protecting Cookies against XSS

Cross-site scripting (XSS) attacks are often aimed at stealing session cookies. In such an attack, the cookie value is accessed by a client-side script using JavaScript (document.cookie). However, in everyday use, web applications rarely need to access cookies via JavaScript. Therefore, a method of protecting cookies from such theft was devised: a flag that tells the …

SQL Injection Cheat Sheet for Developers

In this cheat sheet, we will assume that: you are a developer or you know programming; you have limited web application security knowledge; you need to know how SQL injection attacks happen; and you need to know how to fix SQL injection issues in your code. In this cheat sheet, you will learn: How do malicious hackers conduct SQL …