Web Application Security Research

In-depth analysis of our latest vulnerability findings and best practices for secure development.

RIPS and SonarSource are Joining Forces

1 min read 13 May 2020 by Johannes Dahse
Today we celebrate a key milestone in our company’s history: RIPS Technologies has been acquired by SonarSource, the company behind the popular developer products SonarQube, SonarCloud and SonarLint. We are joining forces with our full team to combine the best of both static analysis companies and to begin a new era of SAST solutions.

ImpressCMS 1.3.11 - Why you should not trust PHP_SELF

6 min read 24 Mar 2020 by Sebastian Fabry
ImpressCMS is a free, community-driven content management system written in PHP, which considers itself to be secure, fast, and modular. This post shows us that inconspicuous variables may be under the influence of the user and thus can result in critical security vulnerabilities.

RIPS Scores a Perfect 100% at OWASP Benchmark

21 min read 10 Mar 2020 by Malte Skoruppa
The OWASP Benchmark suite aims at measuring the quality of vulnerability detection tools by exposing both actual and false vulnerabilities within hundreds of test cases. Our SAST solution RIPS is able to achieve 100% true positives at 0% false positives for this suite—something no other SAST solution has achieved so far. In this blog post, we publish our results and discuss the pros and cons of popular benchmark suites.

Exploiting Hibernate Injections

9 min read 25 Feb 2020 by Robin Peraglie, Johannes Moritz
Hibernate is one of the most commonly used database libraries in Java web applications, and it ships with its own query language. This technical post will teach you how to detect and exploit Hibernate's very own vulnerability: the HQL Injection.

RIPS 3.4 Supports Node.js Security Analysis

4 min read 17 Feb 2020 by Martin Bednorz
We are very proud to announce a new product release today: RIPS 3.4 adds support for in-depth security analysis of Node.js applications! Our unique rapid code patching technology now generates code fixes specific to your framework. New security summary reports keep you up-to-date via email. Our Java and PHP engines have been significantly improved, as has our Data Center Edition. Find out more!