Zip file overwrites are a cool but rare vulnerability that can occur on apps that work with user-supplied zip files. The folks at Snyk recently found a slew of libraries that do that, and there is a lot of history in this attack vector. In fact,..
Zip file overwrites are a cool but rare vulnerability that can occur on apps that work with user-supplied zip files. The folks at Snyk recently found a slew of libraries that do that, and there is a lot of history in this attack vector. In fact,..
If you set out to build a new WAF today (which, believe it or not, people are still doing), everyone would have some idea of how it would work -- you'd setup a reverse proxy, and then use signatures of all kinds on the parameters, headers, body,..
It's hard to overstate what's happening here. The FBI, New York and Massachusetts Attorneys General, and Congress are now running inquiries into the Equifax breach. More will come. It's clear that the U.S. economy will change in some way as a result..
On Tuesday, September 5, 2017, a critical new Remote Code Execution (RCE) vulnerability was disclosed against all previous versions of the Apache Struts 2 REST Plugin [1] available in those packages with Struts 2 between 2.0.0 and 2.5.12..
On March 6, a new remote code execution vulnerability was disclosed1 against Struts 2 (2.3.5-2.3.31 and 2.5-2.5.10.) Most likely, if you're using Struts 2, you are vulnerable to a one-shot attack which can run arbitrary system commands.
I had to fight tooth and nail to get this blog title -- I hope it made you shoot air out of your nose with a little more thrust than usual.
So, you don’t have the budget to buy Contrast, but you want your developers to be on top of the security of your open source libraries. No problem! Here’s a few simple tips and tricks to staying current.
Let’s talk about commons-httpclient-3.1.jar. I get asked about this library all the time.
It’s an HTTP communication library. It has a vulnerability in it. It doesn’t handle SSL very well.
In fact, it doesn’t really verify you are who the client..
I often get the question, “How well does your product handle iOS?” I’d like to explain why I think this question is a warning sign for an application security program.
NOTE: Before you begin reading, you may want to visit the first article in this series: Serialization Must Die: Act 1: Kryo. That piece frames some of the discussion for this current blog.
XStream is a popular deserialization library. It’s used..
"When we instrumented applications at the UK's largest Government Department with Contrast Assess, it was like handing our project teams an incredibly powerful debugging agent containing the sum total of application security knowledge.”
Learn how to unify security strategy across & development operations. See how to set up a CAS program with only eight activities!
By subscribing to our blog you will stay on top of all the latest appsec news and devops best practices. You will also be informed of the latest Contrast product news and exciting application security events.
Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production.
