Web Security Blog | Acunetix

IIS security best practices: How to secure an IIS server and web applications

Zbigniew Banach — Wed, 27 May 2026 14:24:58 +0000

Learn how to secure Microsoft IIS with practical hardening best practices, attacker-focused insights, and continuous validation strategies. This guide covers common IIS misconfigurations, real-world exploitation techniques, and how to protect web applications running on IIS servers.

The post IIS security best practices: How to secure an IIS server and web applications appeared first on Acunetix.

SNI proxy SSRF vulnerabilities: Misconfigurations, exploitation, and defense

Zbigniew Banach — Tue, 26 May 2026 11:20:02 +0000

SNI proxy SSRF is a lesser-known but high-impact vulnerability class where misconfigured proxies route traffic based on attacker-controlled TLS metadata. Under specific conditions, this can expose internal services and even cloud metadata endpoints in AWS and Azure. This article explains how these attacks work, when they are exploitable, and how to defend against them.

The post SNI proxy SSRF vulnerabilities: Misconfigurations, exploitation, and defense appeared first on Acunetix.

What is an IDOR vulnerability?

Zbigniew Banach — Fri, 22 May 2026 12:00:43 +0000

Insecure direct object references (IDOR) are a type of access control vulnerability where an application exposes internal object identifiers – such as user IDs, order numbers, or file names – without verifying whether the requesting user is authorized to access them. IDOR is no longer...

The post What is an IDOR vulnerability? appeared first on Acunetix.

Your session cookies are probably misconfigured: How to fix cookie security flags

Zbigniew Banach — Thu, 21 May 2026 10:19:10 +0000

Understand how to correctly implement cookie security flags in modern web applications. Includes practical examples, browser behavior nuances, and guidance on HttpOnly, Secure, and SameSite settings.

The post Your session cookies are probably misconfigured: How to fix cookie security flags appeared first on Acunetix.

REST API security testing: A complete guide

Jesse Neubert — Mon, 18 May 2026 12:00:01 +0000

Learn how to perform REST API security testing with a practical, step-by-step approach. This guide covers the OWASP API Security Top 10, common vulnerabilities, and proven techniques to discover, test, and validate real API risks using modern automated tools.

The post REST API security testing: A complete guide appeared first on Acunetix.

Configuring your web server to not disclose its identity

Nicholas Sciberras — Mon, 11 May 2026 08:30:06 +0000

If you are running a web server, it often shows the world what type of server it is, its version number, and sometimes even the operating system. This information is exposed in HTTP response headers and can be obtained with a simple request using a...

The post Configuring your web server to not disclose its identity appeared first on Acunetix.

Acunetix Security Hardening Guide

Ian Muscat — Tue, 05 Aug 2025 06:29:16 +0000

A new document was prepared instead of this blog post. You can find it here.

The post Acunetix Security Hardening Guide appeared first on Acunetix.

Next.js middleware authorization bypass vulnerability: Are you vulnerable?

Bogdan Calin — Tue, 25 Mar 2025 14:41:06 +0000

A critical vulnerability in the Next.js framework, officially disclosed on March 21, 2025, allows attackers to bypass middleware security controls through a simple header manipulation. This post summarizes what we know about CVE-2025-29927, how you can mitigate the vulnerability, and how Acunetix can help you detect and confirm your organization’s risk.

The post Next.js middleware authorization bypass vulnerability: Are you vulnerable? appeared first on Acunetix.

Top 10 dynamic application security testing (DAST) tools for 2025

Zbigniew Banach — Thu, 20 Mar 2025 11:26:23 +0000

This guide explores the top 10 DAST tools for 2025, highlighting the best commercial solutions as well as open-source options. Learn how the right tools can help you build DAST-first AppSec to secure your applications in production, integrate with DevSecOps, and minimize your web application security risk.

The post Top 10 dynamic application security testing (DAST) tools for 2025 appeared first on Acunetix.