web applications Archives

Exploring the OWASP Software Assurance Maturity Model (SAMM)

Articles, Information Assurance, Web Applications / Ian Reynolds

The OWASP Software Assurance Maturity Model (SAMM) was first introduced in 2009 by Pravir Chandra as a practical guide to developing secure software. Since its inception, SAMM has evolved to keep pace with emerging technologies, threats, and industry standards. The most recent iteration of SAMM (Version 2.0), refines its structure and expands its applicability to […]

Exploring the OWASP Software Assurance Maturity Model (SAMM) Read More »

What is the Spring4Shell vulnerability?

News, Vulnerabilities / Ian Reynolds

Spring is a popular enterprise grade application framework for Java, and Spring4Shell is the name given to a remote code execution vulnerability disclosed at the end of March. There has been a lot of hype and confusion in the tech press surrounding this vulnerability, including confusing it with a CVE for Spring Cloud Function which

What is the Spring4Shell vulnerability? Read More »

Chrome leads the way with security changes

News, Tools / Ian Reynolds

Starting in March 2022, Google Chrome will start supporting the new Private Network Access standard which will help protect local network devices from malicious internet traffic. Private Network Access, or PNA, will prevent malicious websites from using the victim’s browser as a proxy to relay cross-site request forgery attempts to devices on the user’s local

Chrome leads the way with security changes Read More »

What is HTTP request smuggling?

Articles, Web Applications / Ian Reynolds

Long considered a theoretical attack, HTTP request smuggling is now ‘soaring in popularity’ according to a new research paper published this month. What is HTTP request smuggling and what risk does it pose to your network? HTTP Request Smuggling (HRS) was first documented back in 2005. It is made possible by the way different web

What is HTTP request smuggling? Read More »

Palo Alto Networks patches VPN/Firewalls

News, Vulnerabilities / Ian Reynolds

Palo Alto Networks has released a critical patch for their firewalls with GlobalProtect Portal or Gateway interfaces. With a critical severity rating of 9.8, this memory corruption vulnerability could allow an attacker to execute remote code on the firewall with root privileges. According to the security advisory published by Palo Alto Networks: This issue is

Palo Alto Networks patches VPN/Firewalls Read More »

Windows Containers and Kubernetes under attack

News, Vulnerabilities / Ian Reynolds

Microsoft has warned that Kubernetes clusters are being targeted in a cryptomining attack while Palo Alto Networks has identified the first malware that targets Windows Containers – in order to compromise the Kubernetes clusters that host them. Cryptomining on Kubernetes Kubeflow is a popular framework for deploying Machine Learning workloads in a Kubernetes environment. Microsoft

Windows Containers and Kubernetes under attack Read More »

HPE patches RCE 0day in SIM software

News, Vulnerabilities / Ian Reynolds

Hewlett Packard Enterprise has released a patch to fix a critical remote code execution vulnerability in the Windows version of their System Insight Manager. The bug in the Federated Search and CMS Configuration (CVE-2020-7200) feature of version 7.6.x of HPE SIM, has a critical CVSS score of 9.8. According to the security advisory from HPE,

HPE patches RCE 0day in SIM software Read More »

Users of TOR network hit by man-in-the-middle attacks

News, Vulnerabilities / Ian Reynolds

Over 25% of the TOR network exit nodes have been under the control of malicious actors who are performing man-in-the-middle attacks against network users. What is the TOR Network The TOR Network is a volunteer run network of relay servers that aims to provide anonymous and secure internet access that prevents its users from being

Users of TOR network hit by man-in-the-middle attacks Read More »

What is a Pass-The-Cookie Attack?

Articles, Web Applications / Ian Reynolds

By using Pass-the-cookie techniques, attackers can access web applications without knowing a userid, password or even the one-time password from a multi-factor system. And if the web application in question is the management console for your AWS, Google or Azure environment then they stolen have the keys to your kingdom. In January 2021, CISA drew

What is a Pass-The-Cookie Attack? Read More »

Browsers block more ports to prevent NAT Slipstream attacks

News, Tools / Ian Reynolds

Web browsers are adding more TCP ports to their block lists in an attempt to prevent exploitation of NAT Slipstream attacks. NAT Slipstreaming is an attack which tricks the NAT router into allowing external traffic through the NAT firewall to target any internal network device by abusing protocols such as SIP or H.323 where this

Browsers block more ports to prevent NAT Slipstream attacks Read More »

web applications

Exploring the OWASP Software Assurance Maturity Model (SAMM)

What is the Spring4Shell vulnerability?

Chrome leads the way with security changes

What is HTTP request smuggling?

Palo Alto Networks patches VPN/Firewalls

Windows Containers and Kubernetes under attack

HPE patches RCE 0day in SIM software

Users of TOR network hit by man-in-the-middle attacks

What is a Pass-The-Cookie Attack?

Browsers block more ports to prevent NAT Slipstream attacks

Our Address

Talk to us

Office Hours

Company Number

VAT Registration Number

Penetration Testing

Risk & Compliance Services

Quick Links

information. secured.

Head Office Address

Opening Hours

Stay in Touch