appsec.fyi · Sources

acunetix.com

8 curated AppSec resources from acunetix.com across 6 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-19.

Date Added · Resource · Topic · Excerpt

2026-04-19 · JSON Web Token Attacks and Vulnerabilities — Acunetix · JWT · Library providing a deep dive into JSON Web Token (JWT) attacks and vulnerabilities, detailing the structure of JWTs and common exploitation techniques such as failing to verify signatures, allowing the "None" algorithm, and algorithm confusion. It explains how attackers can bypass signature verification through these flaws to gain unauthorized access or elevate privileges, emphasizing the critical need for proper implementation and validation of JWTs.

2026-04-19 · Insecure Deserialization Vulnerabilities — Acunetix · Deser · Reference list of web vulnerability categories, including Insecure Deserialization, SSRF, SQL Injection, XSS, XXE, and LLM-related issues such as LLM Prompt Injection and LLM Sensitive Information Disclosure, with severity ratings.

2026-04-11 · Exploiting SSTI in Thymeleaf · SSTI · Writeup detailing Server-Side Template Injection (SSTI) vulnerabilities in the Thymeleaf template engine for Java. It covers Thymeleaf's expression types, including variable expressions vulnerable to OGNL or Spring EL, and the "expression preprocessing" feature. A real-world example is demonstrated within the PetClinic application, showing how controlling the `path` variable in a specific fragment can lead to arbitrary expression execution and potentially Remote Code Execution (RCE) when running on Jetty.

2026-04-10 · What is CSRF? Attacks, Mitigation, Prevention - Acunetix · CSRF · Reference on Cross-Site Request Forgery (CSRF), detailing its mechanism of tricking authenticated users into performing unintended actions, often via social engineering or malicious links. It highlights how CSRF leverages session cookies to bypass authentication, affecting state changes in web applications. The entry explains CSRF execution through both GET and POST requests, providing examples using HTML tags and JavaScript. It also touches upon prevention mechanisms such as Referer header checks and custom X-Requested-With headers.

2026-04-10 · XSS Filter Evasion: How Attackers Bypass XSS Filters · XSS · Technique overview of bypassing cross-site scripting (XSS) filters by exploiting browser parsing quirks and encoding methods. Attackers leverage HTML event handlers, JavaScript syntax variations, and malformed HTML to execute malicious scripts, as simple pattern matching and blacklisting prove insufficient. Techniques such as URL encoding and HTML entity encoding are used to disguise payloads, making them undetectable by basic filters and highlighting the necessity of layered security beyond filtering alone.

2025-08-14 · What is Cross-site Scripting and How Can You Fix it? · XSS · Guide to Cross-Site Scripting (XSS) explaining how attackers inject malicious scripts into legitimate web pages to execute code in a victim's browser. It details risks such as cookie theft, website defacement, and advanced attacks such as phishing and identity theft. The guide categorizes XSS into stored, reflected, and DOM-based types, illustrating how vulnerabilities arise from unsanitized user input and providing examples of attack vectors, including use of the `<script>` tag and manipulation of `XMLHttpRequest`.

2025-08-14 · What is server-side request forgery (SSRF)? | Acunetix · SSRF · Reference on Server-Side Request Forgery (SSRF) detailing its OWASP Top 10 classification and its use in breaches such as Capital One and MS Exchange. It explains how SSRF allows attackers to send crafted requests from a vulnerable back-end server, targeting internal systems or loopback interfaces. Techniques discussed include exploiting URL schemes such as `file:///` and `dict://`, accessing cloud metadata such as AWS EC2, and potential escalation to RCE. Mitigation strategies involve whitelisting hostnames/IPs, proper input validation, disabling unused URL schemes, and enabling authentication on internal services. Detection relies on out-of-band scanning, with Acunetix utilizing AcuMonitor.

2016-05-19 · What is Cross-site Scripting and How Can You Fix it? · XSS · Library entry summarizing Cross-Site Scripting (XSS) vulnerabilities, detailing common attack vectors such as stored, reflected, and DOM-based XSS. It explains how unsanitized user input leads to JavaScript injection, enabling attackers to steal session cookies, deface websites, and perform actions such as phishing and identity theft through techniques such as payload injection via script tags and redirecting users to malicious URLs.