59 results sorted by date ↓
vuln
Host Header Injection: Password Reset Poisoning, Cache Deception, and SSRF

The HTTP Host header controls where the server thinks the request arrived from — and most web frameworks trust it implicitly. Host header injection is the entry point for password reset link poisoning, web cache deception, and server-side request forgery attacks. Here's how each variant works and how to fix them.

vuln
Session Fixation and Cookie Security: The Vulnerabilities Developers Still Get Wrong

Session fixation lets attackers pre-set a victim's session identifier before authentication, then hijack the authenticated session. Cookie security attributes — Secure, HttpOnly, SameSite — prevent a separate set of attacks that are easy to introduce accidentally. Here's how to get both right.

vuln
Open Redirect Vulnerabilities: Detection, Exploitation, and Prevention

Open redirects are dismissed as low-severity but are routinely chained into phishing, OAuth token theft, and SSRF escalation paths. This guide covers the vulnerability class, real exploit chains, and secure redirect patterns in Python, JavaScript, and Go.

guide
HTTP Parameter Pollution: How Duplicate Parameters Break Application Security Logic

HTTP Parameter Pollution (HPP) exploits inconsistent handling of duplicate request parameters across web frameworks and intermediary systems. It's a reliable technique for WAF bypass, OAuth manipulation, and backend logic abuse. This guide covers the attack mechanics, framework-specific behaviour, and prevention.

vuln
NoSQL Injection: MongoDB Operator Abuse and Prevention Guide

NoSQL databases are not immune to injection attacks — they just look different. MongoDB operator injection via $where, $ne, and $regex operators allows authentication bypass and data exfiltration. This guide covers attack mechanics, code examples in Node.js and Python, and parameterised query patterns that prevent injection.

guide
OWASP Top 10 2026: Software Supply Chain Failures at A03 — What Developers Must Change

The OWASP Top 10 2026 edition elevates Software Supply Chain Failures to A03, promoting it from the narrower 'Vulnerable and Outdated Components' category. CI/CD pipeline attacks are up 45% since 2022. Here's what the new category means and the specific changes development teams need to make.

vuln
Path Traversal Attacks: Prevention Patterns in Python, Node.js, Java, and Go

Path traversal (directory traversal) remains one of the most exploited vulnerability classes in web applications. This guide covers how the attack works, where developers go wrong in each major language, and concrete prevention patterns you can apply today.

vuln
Miasma: The npm Worm That Weaponised OIDC Tokens Against Red Hat Packages

Miasma is a self-propagating npm worm that abused CI/CD OIDC tokens to publish malicious versions of 32 Red Hat-maintained packages. Here's how the attack worked, what made it self-replicating, and how to defend your supply chain.

vuln
Business Logic Vulnerabilities: Testing Methodology and Secure Design Patterns

Business logic vulnerabilities bypass security controls not by exploiting technical flaws but by abusing the intended functionality of an application. They're invisible to SAST, inconsistently caught by DAST, and frequently missed in code review. This guide covers identification methodology and design-level mitigations.

vuln
gRPC Security: Authentication Gaps, Reflection Vulnerabilities, and Secure Implementation in Go and Python

gRPC's performance and cross-language support have made it the default RPC framework for microservices, but its security model is frequently implemented incorrectly. This guide covers the most common gRPC vulnerabilities — missing TLS, exposed reflection API, missing server-side auth interceptors, and large-message DoS — with secure implementation patterns in Go and Python.

vuln
Web Cache Deception: When CDNs Cache What They Shouldn't

Web cache deception exploits path parsing differences between web servers and caching layers to trick a CDN or reverse proxy into storing authenticated, private responses in public cache. Unlike cache poisoning, the attacker doesn't write to the cache — they engineer the victim's browser to do it for them.

vuln
Electron App Security: Context Isolation, nodeIntegration, and the RCE Class That Keeps Coming Back

Electron applications run Node.js in a browser context — a combination that creates a distinctive RCE vulnerability class when misconfigured. This guide covers the core security model, the common misconfigurations that lead to remote code execution, and the controls that actually fix them.

vuln
CRLF Injection and HTTP Response Splitting: What Developers Miss

CRLF injection lets attackers insert carriage return and line feed characters into HTTP headers and log files, enabling HTTP response splitting, cache poisoning, session fixation, and log forgery. This guide explains the mechanics, shows exploits in Python and Node.js, and covers the fixes.

guide
PyYAML and ruamel.yaml: Insecure Deserialization and Safe Alternatives

PyYAML's yaml.load() allows arbitrary code execution when processing untrusted input. This guide explains how the vulnerability works, demonstrates the attack, and shows the safe alternatives for PyYAML and ruamel.yaml that you should be using instead.

guide
npm Trusted Publishing and SLSA: What the Red Hat Miasma Attack Tells Us

The Miasma supply chain attack against Red Hat npm packages in June 2026 used OIDC tokens and produced valid SLSA provenance attestations on malicious packages. Here's why provenance doesn't guarantee safety and what additional controls matter.

guide
OWASP LLM Top 10: A Developer's Guide to Securing AI-Integrated Applications

The OWASP Top 10 for Large Language Model Applications catalogues the most critical security risks in LLM-powered software. This guide covers each category with concrete developer mitigations — from prompt injection and insecure output handling to model theft and supply chain vulnerabilities.

guide
API Rate Limiting and Abuse Prevention: A Developer's Implementation Guide

Rate limiting protects APIs from brute force, credential stuffing, scraping, and resource exhaustion. This guide covers the four main algorithms, Redis-based implementation patterns, and the OWASP API Security Top 10 considerations.

vuln
Broken Function Level Authorization (BFLA): Exposing Hidden Admin Endpoints in Your APIs

BFLA lets regular users call admin-only API functions simply by knowing the right URL. It's OWASP API5:2023, reliably present in enterprise APIs, and almost invisible to automated scanners. Here's how it works, where it hides, and how to eliminate it.

guide
Insecure Randomness in Token Generation: CWE-338 and Session Security

Using a cryptographically weak PRNG to generate session tokens, password reset links, or CSRF tokens is a silent vulnerability that's easy to introduce and hard to detect in code review. This guide covers where CWE-338 shows up, why Math.random() and time-seeded generators are exploitable, and how to generate tokens securely in JavaScript, Python, and Java.

vuln
Clickjacking Prevention: X-Frame-Options, CSP frame-ancestors, and SameSite

Clickjacking lets attackers trick users into clicking hidden page elements by overlaying transparent iframes on legitimate content. This guide covers the three main defences — X-Frame-Options, CSP frame-ancestors, and SameSite cookies — with implementation examples in Node.js, Python, and Java.

vuln
SAML Security Vulnerabilities: Signature Wrapping, Assertion Forging, and Secure SSO Implementation

SAML is the SSO protocol underpinning enterprise identity across thousands of applications, and its XML signature model has produced some of the most impactful authentication bypasses in enterprise security history. This guide covers XML signature wrapping, comment injection, and how to implement SAML correctly in Python and Java.

vuln
Subdomain Takeover: How Dangling DNS Records Become Account Hijacks

Subdomain takeover is a vulnerability where a DNS record points to a cloud resource that no longer exists — allowing an attacker to claim that resource and serve content from your domain. This guide covers how it works, how to find dangling records in your own infrastructure, and how to prevent it.

guide
Auditing npm Dependencies: Detecting Malicious Packages Before They Run

Malicious npm packages continue to target developer environments through typosquatting, dependency confusion, compromised maintainer accounts, and postinstall script abuse. This guide covers practical tools and techniques to catch malicious packages before they execute in your pipeline.

guide
Open Redirect Vulnerabilities: How URL Validation Failures Enable OAuth Token Theft

Open redirects are consistently underestimated in code review and penetration testing — but in OAuth 2.0 flows, a single unvalidated redirect_uri parameter can hand an attacker a victim's access token. This guide covers the vulnerability class, its exploitation in OAuth contexts, and the validation patterns that prevent it.

vuln
WebSocket Security: Cross-Site Hijacking, Authorization Bypass, and Protocol Attacks

WebSockets don't follow the same security rules as HTTP — they have no same-origin policy, skip CORS, and often receive less security scrutiny than REST endpoints. This guide covers Cross-Site WebSocket Hijacking, authorization bypass patterns, and code-level mitigations.

guide
Content Security Policy: The One Header That Stops XSS and What Developers Keep Getting Wrong

Content Security Policy is the most effective browser-enforced defence against XSS. This guide covers how to build a working CSP from scratch, avoid the nonce and hash pitfalls, and actually verify your policy does what you think it does.

vuln
NoSQL Injection: Attack Patterns, Vulnerable Code, and Prevention in MongoDB, Redis, and Elasticsearch

NoSQL databases eliminated SQL but not injection. MongoDB's query operator injection, Redis command injection via Lua, and Elasticsearch dynamic query construction each have distinct attack patterns that bypass authentication and expose data. This guide covers each with vulnerable and fixed code examples.

vuln
JWT Security: Algorithm Confusion, Weak Secrets, and the Vulnerabilities Still Hitting Production

JSON Web Tokens are the dominant stateless authentication mechanism for APIs and SPAs — and they carry a well-documented set of implementation vulnerabilities that remain common in production systems. This guide covers the attack classes, vulnerable code patterns, and secure implementations.

vuln
Web Cache Poisoning: How Unkeyed Inputs Become Stored XSS at Scale

Web cache poisoning turns unkeyed HTTP headers and parameters into a stored XSS delivery mechanism affecting every user who receives the poisoned response. This guide covers the attack mechanics, common vulnerable patterns, and how to harden your cache configuration.

guide
MCP Security for Developers: Prompt Injection, Tool Poisoning, and Supply Chain Risks in AI Tooling

The Model Context Protocol is becoming the integration layer for AI agents — and it has serious security problems developers need to understand now. This guide covers prompt injection, tool poisoning, and supply chain risks with practical mitigations.

guide
WebAuthn and Passkeys: A Developer's Security Implementation Guide

Passkeys promise phishing-resistant authentication without passwords — but incorrect WebAuthn implementations introduce subtle vulnerabilities. This guide covers the cryptographic fundamentals, implementation mistakes to avoid, and secure code patterns in JavaScript and Python.

vuln
Unrestricted File Upload: When Accepting Files Means Accepting Code Execution

File upload functionality is among the most dangerous features in web applications. Unrestricted file upload vulnerabilities allow attackers to plant web shells, bypass access controls, and achieve remote code execution. This guide covers the attack vectors, bypass techniques, and the server-side controls that actually work.

vuln
CORS Misconfiguration: How Insecure Cross-Origin Policies Lead to Credential Theft and Data Exposure

CORS misconfigurations allow attacker-controlled origins to make authenticated cross-origin requests to your API, reading responses that should be protected. From wildcard origins to null-origin acceptance, here's how misconfigured CORS policies get exploited and how to fix them with correct server-side policies and security testing.

vuln
Race Conditions in Web Applications: How TOCTOU Vulnerabilities Enable Double-Spend and Privilege Escalation

Race conditions and TOCTOU (time-of-check to time-of-use) vulnerabilities exploit the gap between a validation check and the action that depends on it — enabling double-spend attacks on financial operations, parallel account creation bypasses, and privilege escalation. This guide covers the attack patterns, real-world scenarios across REST APIs and databases, and the application-level and database-level fixes that close the race window.

vuln
ReDoS: Regular Expression Denial of Service -- How Catastrophic Backtracking Crashes Your API

ReDoS (Regular Expression Denial of Service) exploits exponential backtracking in vulnerable regex patterns to pin a CPU at 100% with a small crafted input. This guide explains the attack, identifies dangerous patterns in Python, JavaScript, and Java, and shows how to test and fix vulnerable expressions.

vuln
Server-Side Request Forgery (SSRF): Prevention for Application Developers

SSRF lets attackers redirect your application's outbound HTTP requests to internal services, cloud metadata endpoints, and private APIs. This guide covers the attack mechanics, why allowlist validation beats blocklists, and safe URL-fetching patterns in Python, Go, and Node.js.

vuln
Path Traversal Vulnerabilities: Exploitation Patterns and Secure File Handling

Path traversal (directory traversal) vulnerabilities allow attackers to read and write files outside the intended directory. This guide covers attack patterns, encoding bypasses, and secure file handling in Python, JavaScript, Java, and Go.

vuln
AI-Generated Code and AppSec: The Blind Spots Your SAST Tool Won't Catch

Over 90% of development teams now use AI coding assistants. But AI-generated code introduces a new class of security blind spots — subtle, plausible-looking code that passes standard SAST scans while embedding vulnerabilities that a senior developer would catch on review. Here is what to look for and how to build checks that actually work.

vuln
CORS Misconfiguration: How Broken Cross-Origin Policies Lead to Credential and Data Theft

CORS misconfigurations are among the most consistently exploited web application vulnerabilities. A single overly permissive header can allow any website to read authenticated API responses on behalf of your users.

vuln
Mass Assignment: How Attackers Use Your Own API to Escalate Privileges

Mass assignment vulnerabilities let attackers modify object properties they were never meant to touch — including role, isAdmin, and account balance. How the attack works, how frameworks enable it by default, and how to fix it in Node.js and Python.

vuln
GraphQL Security: Introspection Abuse, Batching Attacks, and Authorization Failures Developers Miss

GraphQL introduces a distinct attack surface compared to REST — introspection exposes the full schema, batching enables rate limit evasion, and field-level authorization is easy to miss. This guide covers the common vulnerabilities and how to fix them.

vuln
HTTP Request Smuggling: The Reverse Proxy Vulnerability Your WAF Won't Catch

HTTP request smuggling exploits disagreements between how front-end proxies and back-end servers parse HTTP/1.1 message boundaries, allowing attackers to poison request queues, bypass access controls, and hijack user sessions. Here's the technical breakdown and how to test for it.

vuln
XXE Injection: Parsing XML Safely in Java, Python, and Node.js

XML External Entity injection lets attackers read arbitrary files, perform SSRF, and in some configurations achieve remote code execution -- entirely through the XML parser. Here's how the attack works and how to shut it down in three languages.

vuln
CVE-2025-47411 and the Class: Server-Side Template Injection (SSTI) Prevention

Server-side template injection lets attackers execute arbitrary code by injecting template syntax into inputs that get evaluated by the server's template engine. Here's how it works across Jinja2, Twig, and Freemarker -- and how to prevent it.

vuln
OAuth 2.0 Security: The Authorization Vulnerabilities Developers Miss

OAuth 2.0 is ubiquitous but widely misimplemented. This guide covers the most common vulnerabilities -- missing state parameters, open redirect_uri, implicit flow token leakage, and PKCE gaps -- with code examples showing what to fix.

vuln
Slopsquatting: When AI Hallucinations Become a Supply Chain Attack

How attackers register package names that AI coding assistants invent, and what developers can do to protect their pipelines from this emerging supply chain threat.

guide
HTTP Security Headers in 2026: What to Set, What to Skip, and What You're Probably Getting Wrong

Content-Security-Policy, HSTS, COOP, COEP, and Permissions-Policy explained with concrete examples. Learn what each header actually does, which common misconfigurations defeat the protection, and how to implement the right stack for your application.

vuln
Prototype Pollution in JavaScript: How It Works and How to Prevent It

Prototype pollution lets attackers inject properties into Object.prototype, affecting every object in a Node.js process. This guide covers the attack mechanics, real-world exploitation paths, and concrete defensive patterns for JavaScript and Node.js applications.

vuln
SSRF in 2026: Attack Patterns, Cloud Metadata Exploitation, and Defence-in-Depth

Server-side request forgery attacks surged 452% between 2023 and 2024. This guide covers modern SSRF techniques -- including cloud metadata pivots and blind SSRF -- with secure code patterns in Python and Node.js.

vuln
CSRF Prevention -- Tokens, SameSite Cookies, and the Patterns That Actually Work

Cross-Site Request Forgery remains a top web vulnerability despite years of awareness. This guide covers the attack mechanics, why naive defences fail, and the complete modern prevention stack including CSRF tokens, SameSite cookies, and custom request headers.

vuln
Command Injection: Shell Escape to Code Execution

How OS command injection works, why shell metacharacters are dangerous, and how to eliminate the vulnerability in Python, Node.js, and Go with safe subprocess patterns.

vuln
IDOR and Broken Access Control: Detection and Prevention

Insecure Direct Object References and other Broken Access Control patterns are the most common source of account takeover bugs. Here is how to find and fix them.

vuln
Cross-Site Scripting (XSS): Prevention Patterns for Modern Web Apps featured

Reflected, stored, and DOM-based XSS explained with real exploit chains and prevention patterns for JavaScript, React, Node.js, and Python.

vuln
SQL Injection Prevention: A Complete Developer Guide featured

Parameterised queries, ORM pitfalls, and blind SQLi detection patterns to protect your application data.

guide
Secrets Management: The Twelve-Factor Approach and Beyond

How secrets end up in git history, why environment variables aren't enough, and how to use Vault and AWS Secrets Manager properly.

vuln
JWT Security: Common Mistakes That Lead to Authentication Bypass

The alg:none attack, weak secrets, JWKS spoofing, and how to validate JWTs correctly in Node and Python.

vuln
Dependency Confusion and Supply Chain Attacks: Protecting Your Build Pipeline

How dependency confusion attacks work against npm and pip, and how to configure private registries to block them.

vuln
Insecure Deserialization: Java Gadget Chains, Python Pickle, and Safe Alternatives

How insecure deserialization leads to remote code execution in Java and Python, and the safe alternatives for each.

guide
OWASP Top 10 2021: A Practical Developer Checklist

The OWASP Top 10 2021 -- the current official release -- with code-level examples and actionable checklists for each of the ten categories.