Category

OWASP

Category

In the digital era, financial institutions serve an increasing number of customers through web and mobile applications. Fintech maintains online security, and OWASP offers pieces of the puzzle to address the challenges. We CAN solve these challenges by leveraging the OWASP community knowledge base to secure the financial sector.  On May 21st, 2020, I had the honor to dive into these challenges from multiple perspectives with my two guests, Vandana Verma and Victor Gartvich. We…

GraphQL is an alternative to the REST concept that allows working with the data in a more structured and object-oriented way. This technology is very famous and used by many enterprise companies such as Facebook, Walmart, Intuit among other. Whether you know it or not, GraphQL has a significant impact on your business. Many products you rely on, such as GitLab, New Relic, and WordPress use GraphQL under the covers. In this series of articles,…

When it comes to XXE issues, hackers have multiple ways to take advantage of WAF configurations. We are going to show you four ways hackers trick WAFs, sneaking XXE issues past their defenses. 4 hacker XXE methods for bypassing WAFs: Extra document spaces Invalid format Exotic encodings One doc: two types of encoding Once you understand the issue, you should be able to restore the fire to your defenses. We will show you how. A…

In a recent article published by Security Boulevard, we talked about OWASP Top 10 Risk classification and overlap. In this post, we will examine tools that allegedly help address these risks. You may be at more risk than you’ve been lead to believe. The following is an OWASP Risk Overlap diagram (based on the Security Boulevard article) will be used to illustrate different threat intelligence and detection mechanisms. The following color-coded visual aids help understand…

The Journey to the New and Improved Ten Most Critical Web Application Security Risks It was not too long ago that protecting your web server infrastructure consisted of simply placing the server(s) in their own zone behind the firewall and just opening a couple of ports. Outside of endpoint protection, that was pretty much the formula. That, however, was in a static HTML world. Today, thanks to the fruition of the web application and how it…