Web Application
Security Research

In-depth analysis of our latest vulnerability findings and best practices for secure development.

Security Testing Plugin for Maven & Gradle

5 min read 5 Feb 2019 by Julian Karl, Amin Dada
We are pleased to announce integration support for the two major build automation tools Apache Maven and Gradle. Both plugins enable to add our static code analysis solution to your build process and to provide a streamlined way to configure and start a new security scan for your Java applications.

CTF Writeup: Complex Drupal POP Chain

10 min read 29 Jan 2019 by Simon Scannell
A recent Capture-The-Flag tournament hosted by Insomni’hack challenged participants to craft an attack payload for Drupal 7. This blog post will demonstrate our solution for a PHP Object Injection with a complex POP gadget chain.

Learnings from WordPress Security Month

9 min read 15 Jan 2019 by Simon Scannell
Last year in December we released once a day a vulnerability affecting WordPress core or one of the most popular WordPress plugins, next to a critical persistent XSS in wordpress.org. This blogpost will summarize common mistakes developers make and the overall impact our advent calendar had on the WordPress community and the current state of WordPress security.

RIPS 3.0 Supports Java Security Analysis

5 min read 7 Jan 2019 by Martin Bednorz
We are excited to start the year 2019 with a new major release and milestone. RIPS 3.0 adds support for analyzing Java code for security and quality issues. Find out more about our unique code analysis approach and other new RIPS features.

Wormable Stored XSS on WordPress.org

10 min read 24 Dec 2018 by Karim El Ouerghemmi
The WordPress.org website holds the repositories for all plugins and themes that are used by all WordPress sites. Furthermore, it manages the accounts that developers use to edit the code of their themes and plugins. In this blog post, we investigate a critical stored XSS vulnerability on the WordPress.org website we have reported to the WordPress security team in May 2018.