Security Penetration Testing Blog

File Inclusion
Apr 02, 2021 / Borislav Kiprin

A file inclusion vulnerability allows an attacker to include arbitrary files in the web application, which can result in the exposure of sensitive files. This article describes how you can efficiently prevent file inclusions.

Command Injection
/ Borislav Kiprin

A command injection vulnerability allows an attacker to execute arbitrary system commands, which can result in a complete takeover of the web server. Learn here how you can prevent command injections.

SQL Injections
/ Borislav Kiprin

An SQL injection allows an attacker to run arbitrary SQL code in the database, which may allow them to retrieve, change or delete data from the database.

Cross-Site Scripting (XSS)
/ Borislav Kiprin

Cross-site scripting is the injection of client-side scripts into web applications, which is enabled by a failure to validate and correctly encode user input. Learn here how you can efficiently fix XSS vulnerabilities.

Cross-Site Request Forgery (CSRF)
/ Borislav Kiprin

Cross-Site Request Forgery (CSRF) allows an attacker to carry out actions in a different security context, such as that of another, logged-in user. Read here how you can efficiently fix a CSRF vulnerability.

Broken Authentication and Session Management
/ Borislav Kiprin

Broken Authentication and Session Management could lead to exposed user data, such as credentials or critical private data. It could also allow for privilege escalation attacks.

Insecure Deserialization
/ Borislav Kiprin

Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application.

Fuzzer (Sensitive Data Exposure)
/ Borislav Kiprin

Fuzzing is a technique where invalid, random or unexpected data is used either to produce unexpected states or to gain access to hidden features.

XML External Entity (XXE) Processing
/ Borislav Kiprin

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files via the file URI handler, to reach internal file shares, and to carry out internal port scanning, remote code execution, and denial-of-service attacks.

Prevent Web Server Information Leakage
/ Borislav Kiprin

Obtaining information about the web server in use is a crucial task for any attacker. There may be vulnerabilities in a certain web server version that allow an attacker easy access to the server. Learn how you can prevent such information leakage!