Category

OWASP

Category

Wallarm has rolled out the update to detect and mitigate CVE-2021-44228. No additional actions are required from the customers Attempts at exploitation will be automatically blocked in a blocking mode When working in a monitoring mode, consider creating a virtual patch Log4Shell A 0-day exploit in the Java core library log4j was discovered that results in Remote Code Execution (RCE) by simple 1-line exploit with JNDI URL. Given how ubiquitous this library is, the impact…

We all know how it’s convenient to use tools like Sentry or Datadogs for JavaScript events monitoring. It allows to catch errors in real-time, organize and manage issues resolution process, and genuinely shift left operations to developers. But Wallarm security experts warn of dangerous patterns to use such tools integrated into UI since it can cause private data-stealing from authenticated users in an almost invisible way. This article will explain how it could happen and…

In the digital era, financial institutions serve an increasing number of customers through web and mobile applications. Fintech maintains online security, and OWASP offers pieces of the puzzle to address the challenges. We CAN solve these challenges by leveraging the OWASP community knowledge base to secure the financial sector. On May 21st, 2020, I had the honor to dive into these challenges from multiple perspectives with my two guests, Vandana Verma and Victor Gartvich. We…

GraphQL is an alternative to the REST concept that allows working with the data in a more structured and object-oriented way. This technology is very famous and used by many enterprise companies such as Facebook, Walmart, Intuit among other. Whether you know it or not, GraphQL has a significant impact on your business. Many products you rely on, such as GitLab, New Relic, and WordPress use GraphQL under the covers. In this series of articles,…

When it comes to XXE issues, hackers have multiple ways to take advantage of WAF configurations. We are going to show you four ways hackers trick WAFs, sneaking XXE issues past their defenses. 4 hacker XXE methods for bypassing WAFs: Extra document spacesInvalid formatExotic encodingsOne doc: two types of encoding Once you understand the issue, you should be able to restore the fire to your defenses. We will show you how. A little background on XXE…