Learn more about vulnerabilities and exploits from our dedicated security team and others.
We recently added a pair of high-severity XML External Entity (XXE) vulnerabilities found in the Nokogiri library to our vulnerability database. This post explains how the vulnerability works and discusses how to address it in your application. Nokogiri is a very popular library for parsing and extracting data from XML, SAX, Reader or HTML […]
Addressing security vulnerabilities is a constant battle. It’s a race between attackers and the organizations trying to keep them out. Unfortunately, the organizations lose frequently. As former FBI director Robert Mueller put it, “…there are only two types of companies: those that have been hacked and those that will be.” To defend your system, you […]
Regular expressions carry a significant and often underestimated security risk. In this post we explain what a regular expression denial of service is and how to prevent it from happening.
There's a widespread attack on insecure MongoDB installations that has resulted in over 28,000 databases being held for ransom. This post explains the hack, how to protect yourself and what we can learn from it.
Using a programmable SQL interface such as an ORM (Object Relational Mapping) is a good way to reduce the risk of SQL Injection, which is a very bad vulnerability to have. However, ORM packages are not bulletproof. This post explains why you shouldn't put all your SQL Injection protection eggs in the ORM basket, and what more you can do.
A recently published vulnerability in the npm `marked` package shows how attackers can use the flexibility of the Markdown format to introduce Cross-Site Scripting vulnerabilities. This post explains the issue and the fix, and discusses the difficulty of sanitizing complex user input.