Posts tagged AppSpider

3 min Javascript

Web Application Security Testing: Single Page Applications Built with JavaScript Frameworks

In recent years, more and more applications are being built on popular new JavaScript frameworks like ReactJS and AngularJS. As is often the case with new application technologies, these frameworks have created an innovation gap for most application security scanning solutions and an acute set of challenges for those of us who focus on web application security [https://www.rapid7.com/solutions/web-application-security.jsp]. It is imperative that our application security testing approaches keep p

4 min Javascript

AppSpider application security scanning solution deepens support for Single Page Applications - ReactJS

Today, Rapid7 is pleased to announce an AppSpider [https://www.rapid7.com/products/appspider/] (application security scanning) update that includes enhanced support for JavaScript Single Page Applications (SPAs) built with ReactJS. This release is significant because SPAs are proliferating rapidly and increasingly creating challenges for security teams. Some of the key challenges with securing SPA's are: 1. Diverse frameworks - The diversity and number of JavaScript frameworks contributes

2 min AppSpider

Validate Web Application Security Vulnerabilities with AppSpider's New Chrome Plug-In

AppSpider's Interactive Reports Go Chrome We are thrilled to announce a significant reporting enhancement to AppSpider, Rapid7's dynamic application security scanner [https://www.rapid7.com/products/appspider/]. AppSpider now has a Chrome Plug-in that enables users to open any report in Chrome and be able to use the real-time vulnerability validation feature without the need for Java or having to zip up the folder and send it off. This makes reporting and troubleshooting even easier! Enabling

3 min AppSpider

RESTful Web Services: Security Testing Made Easy (Finally)

AppSpider's got even more Swagger now! As you may remember, we first launched improved RESTful web services security testing [/2015/12/17/appspider-s-got-swagger-the-first-end-to-end-security-testing-for-rest-apis] last year. Since that time, you have been able to test the REST APIs that have a Swagger definition file, automatically without capturing proxy traffic. Now, we have expanded upon that functionality so that AppSpider can automatically discover Swagger definition files as part of the

3 min Application Security

Lessons Learned in Web Application Security from the 2016 DBIR

We spent last week hearing from experts around the globe discussing what web application security insights we have gotten from Verizon's 2016 Data Breach Investigations Report. Thank you, Verizon, and all of your partners for giving us a lot to think about! We also polled our robust Rapid7 Community asking them what they have learned from the 2016 DBIR. We wanted to share some of their comments as well: Quick Insights from the Rapid7 Community > "I find that the Verizon Data Breach Investigati

2 min Exploits

Social Attacks in Web App Hacking - Investigating Findings of the DBIR

This is a guest post from Shay Chen [https://twitter.com/sectooladdict], an Information Security Researcher, Analyst, Tool Author and Speaker. The guy behind TECAPI [http://tecapi.com/public/relative-vulnerability-rating-gui.jsp] , WAVSEP [https://github.com/sectooladdict/wavsep] and WAFEP [https://sourceforge.net/projects/wafep/] benchmarks. Are social attacks that much easier to use, or is it the technology gap of exploitation engines that make social attacks more appealing? While reading t

3 min AppSpider

2016 DBIR & Application Security: Let's Get Back to the Basics Folks

This is a guest post from Tom Brennan [https://www.linkedin.com/in/tombrennan], Owner of ProactiveRISK [http://www.proactiverisk.com/] and serving on the Global Board of Directors for the OWASP Foundation. [http://www.owasp.org/] In reading this year's Verizon Data Breach Investigations Report, one thing came to mind: we need to get back to the basics. Here are my takeaways from the DBIR. 1. Remain Vigilant Recently, data relating to 1.5 million customers of Verizon Enterprise [http://krebsons

3 min Application Security

3 Web App Sec-ian Takeaways From the 2016 DBIR

This year's 2016 Verizon Data Breach Report [/2016/05/02/web-application-security-insights-from-the-2016-verizon-dbir] was a great read. As I spend my days exploring web application security, the report provided a lot of great insight into the space that I often frequent. Lately, I have been researching out of band and second order vulnerabilities as well as how Single Page Applications are affecting application security programs.  The following three takeaways are my gut reaction thoughts on th

2 min Verizon DBIR

The 2016 Verizon Data Breach Investigations Report (DBIR) - A Web Application Security Perspective

The 2016 Verizon Data Breach Investigations Report [http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/] (DBIR) is out and everyone is poring over the report to see what new insights we can take from last year's incidents and breaches. We have not only created this post to look at some primary application security takeaways, but we also have gathered guest posts from industry experts. Keep checking back this week to hear from people living at the front lines of web application secur

3 min AppSpider

Modern Applications Require Modern Dynamic Application Security Testing (DAST) Solutions

Is your Dynamic Application Security Testing (DAST) solution leaving you exposed? We all know the story of the Emperor's New Clothes. A dapper Emperor is convinced by a tailor that he has the most incredible set of clothes that are only visible to the wise. The emperor purchases them, but cannot see them because it is just a ruse. There are no clothes. Unwilling to admit that he doesn't see the clothes, he wanders out in public in front of all of his subjects, proclaiming the clothes' beauty unt

6 min API

AppSpider's Got Swagger: The first end-to-end security testing for REST APIs

We are thrilled to announce a major new innovation in application security testing. AppSpider is the first Dynamic Application Security Testing (DAST) solution capable of testing Swagger-enabled APIs. Swagger is one of the most popular frameworks for building APIs and the ability to test Swagger-enabled APIs is not only a huge time savings for application security testing experts, but also enables Rapid7 customers to more rapidly reduce risk. Why does this matter? Modern applications make liber

2 min Exploits

Why SQL Injection Vulnerabilities Still Exist: 8 Reasons Developer's Can't Eliminate Them

Knowing how to prevent a SQL injection vulnerability is only half the web application security battle. A multitude of factors come into play when it comes to writing secure code, many of which are out of the developers' direct control. That's why common vulnerabilities like SQL injection continue to plague today's applications, and why application security testing software is so important. These problems can be overcome – with a little insight, organizations can begin to address these challenges

3 min AppSpider

Mobile application security: Lock the back door!

Mobile application security A few years ago, Sean Gallagher wrote this article that we believe outlines one of the most important areas of application security risk today, mobile application security. In his article for Ars Technica, “Mobile Application Security: Always Keep the Back Door Locked [http://arstechnica.com/security/2013/02/mobile-app-security-always-keep-the-back-door-locked/] ,” Gallagher outlines that its important to address mobile application security because many of the mobile

1 min AppSpider

Mobile Application Security: Think Twice Before Placing Football Bets

A version of this blog was originally posted on September 25, 2013. Have you heard about the vulnerability in the Yahoo! Fantasy Football app [https://threatpost.com/yahoo-fantasy-football-app-vulnerable-update-available/102180] ? If Knowshon Moreno's [http://www.sbnation.com/fantasy/2013/9/24/4764778/knowshon-moreno-fantasy-football-broncos-vs-raiders-recap] performance on Monday against the Oakland Raiders got you down, you might want to read this warning to fantasy football players: Don't p

2 min Application Security

3 Tips for Finding the Best Website Security Scanner

A version of this blog was originally posted on July 16, 2013 While it takes some work to find the best website security scanner for your organization, if you follow these three simple guidelines, you'll be off to a good start. Although accurate automated application security testing has been common practice for many organizations for over 10 years, it remains a very difficult and complex process. There are automation techniques that ensure a scan is as automated as possible, reduces scan time