imperva.com

7 curated AppSec resources from imperva.com across 6 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-17.

Each entry lists the date it was added to appsec.fyi, the resource title and its year, the topic page it is indexed under, and a short excerpt.

Date added: 2026-04-17
Resource: OSINT Techniques & Tools (Imperva) (2026)
Topic: OSINT
Excerpt: Library for open-source intelligence (OSINT) techniques and tools, detailing how both defenders and attackers leverage publicly available information for security purposes. It covers passive, semi-passive, and active collection methods, highlighting popular tools like Maltego and Spiderfoot. The library also touches on the role of artificial intelligence in enhancing OSINT capabilities and its use in identifying risks such as unpatched software, open ports, and leaked credentials on platforms like GitHub and LinkedIn.

Date added: 2026-04-10
Resource: What is BOLA - Imperva (2026)
Topic: AuthZ
Excerpt: Guide to Broken Object Level Authorization (BOLA), a top OWASP API security risk. BOLA occurs when applications fail to verify user authorization for specific data objects, allowing access to sensitive information or unauthorized actions. The guide details how attackers identify vulnerabilities by manipulating object references, such as sequential IDs in URLs or GraphQL mutations, leading to data breaches and compliance failures under regulations like GDPR and HIPAA. Prevention strategies include applying proper access controls, mapping users to accessible objects, implementing robust authentication, using non-guessable IDs, and leveraging API gateways.

Date added: 2026-04-10
Resource: CSRF: Cross Site Request Forgery Example - Imperva (2026)
Topic: CSRF
Excerpt: Library for detecting and preventing Cross-Site Request Forgery (CSRF) attacks, detailing how these attacks trick users into performing unwanted actions via forged requests embedded in links or forms. The resource highlights common CSRF attack vectors, using a bank transfer example, and discusses mitigation techniques such as unique session tokens, double cookie submission, and custom rules like those found in Imperva's IncapRules engine, which can filter requests based on HTTP referrer headers to counter social engineering.

Date added: 2026-04-10
Resource: GraphQL API Vulnerabilities and Common Attacks (2026)
Topic: GraphQL
Excerpt: Library detailing GraphQL API vulnerabilities, including introspection attacks, excessive error suggestions, denial of service via batching and alias overloading, and injection and broken authentication/authorization. It highlights the potential for attackers to exploit GraphQL's flexibility, schema introspection, and tools like GraphiQL for information gathering and disruption. Recommendations include disabling introspection and GraphiQL in production, masking verbose errors, and limiting or disabling query batching to mitigate these risks.

Date added: 2026-04-03
Resource: What is XXE (XML External Entity) | Examples & Prevention | Imperva (2026)
Topic: XXE
Excerpt: Library on XXE (XML External Entity) vulnerabilities, detailing attack vectors and mitigation strategies. The content explains how XXE flaws arise from the parsing of XML input containing external entities, enabling attackers to exfiltrate sensitive data, perform denial-of-service attacks, and even interact with internal systems or the underlying operating system. Prevention methods emphasize disabling external entity processing in XML parsers and implementing input validation.

Date added: 2026-04-03
Resource: GraphQL Vulnerabilities and Common Attacks Seen in the Wild | Imperva (2026)
Topic: GraphQL
Excerpt: Library for identifying GraphQL vulnerabilities and common attacks seen in the wild. It covers common attack vectors such as introspection abuse, denial-of-service, and unauthorized data exposure, offering insights into how these vulnerabilities are exploited in real-world scenarios. The library aims to aid developers and security professionals in understanding and mitigating risks associated with GraphQL implementations.

Date added: 2023-01-23
Resource: Server-Side Request Forgery (SSRF) | Common Attacks & Risks | Imperva (2023)
Topic: SSRF
Excerpt: Guide to Server-Side Request Forgery (SSRF) attacks, detailing how attackers leverage application functionality to access internal data and services. It covers risks like data exposure (e.g., Amazon EC2 instance credentials via 169.254.169.254), reconnaissance of internal networks, port scans (Cross-Site Port Attacks), denial of service, and remote code execution, particularly against services like Redis. The guide differentiates between server-side and back-end SSRF, emphasizing that while blacklists are often ineffective, whitelisting IP addresses/DNS names and disabling unused URL schemas are key mitigation strategies.