Articles
59 articles covering application security for developers
The HTTP Host header controls where the server thinks the request arrived from — and most web frameworks trust it implicitly. Host header injection is the entry point for password reset link poisoning, web cache deception, and server-side request forgery attacks. Here's how each variant works and how to fix them.
Session fixation lets attackers pre-set a victim's session identifier before authentication, then hijack the authenticated session. Cookie security attributes — Secure, HttpOnly, SameSite — prevent a separate set of attacks that are easy to introduce accidentally. Here's how to get both right.
Open redirects are dismissed as low-severity but are routinely chained into phishing, OAuth token theft, and SSRF escalation paths. This guide covers the vulnerability class, real exploit chains, and secure redirect patterns in Python, JavaScript, and Go.
HTTP Parameter Pollution (HPP) exploits inconsistent handling of duplicate request parameters across web frameworks and intermediary systems. It's a reliable technique for WAF bypass, OAuth manipulation, and backend logic abuse. This guide covers the attack mechanics, framework-specific behaviour, and prevention.
NoSQL databases are not immune to injection attacks — they just look different. MongoDB operator injection via $where, $ne, and $regex operators allows authentication bypass and data exfiltration. This guide covers attack mechanics, code examples in Node.js and Python, and parameterised query patterns that prevent injection.
The OWASP Top 10 2026 edition elevates Software Supply Chain Failures to A03, promoting it from the narrower 'Vulnerable and Outdated Components' category. CI/CD pipeline attacks are up 45% since 2022. Here's what the new category means and the specific changes development teams need to make.
Path traversal (directory traversal) remains one of the most exploited vulnerability classes in web applications. This guide covers how the attack works, where developers go wrong in each major language, and concrete prevention patterns you can apply today.
Miasma is a self-propagating npm worm that abused CI/CD OIDC tokens to publish malicious versions of 32 Red Hat-maintained packages. Here's how the attack worked, what made it self-replicating, and how to defend your supply chain.
Business logic vulnerabilities bypass security controls not by exploiting technical flaws but by abusing the intended functionality of an application. They're invisible to SAST, inconsistently caught by DAST, and frequently missed in code review. This guide covers identification methodology and design-level mitigations.
gRPC's performance and cross-language support have made it the default RPC framework for microservices, but its security model is frequently implemented incorrectly. This guide covers the most common gRPC vulnerabilities — missing TLS, exposed reflection API, missing server-side auth interceptors, and large-message DoS — with secure implementation patterns in Go and Python.
Web cache deception exploits path parsing differences between web servers and caching layers to trick a CDN or reverse proxy into storing authenticated, private responses in public cache. Unlike cache poisoning, the attacker doesn't write to the cache — they engineer the victim's browser to do it for them.
Electron applications run Node.js in a browser context — a combination that creates a distinctive RCE vulnerability class when misconfigured. This guide covers the core security model, the common misconfigurations that lead to remote code execution, and the controls that actually fix them.
CRLF injection lets attackers insert carriage return and line feed characters into HTTP headers and log files, enabling HTTP response splitting, cache poisoning, session fixation, and log forgery. This guide explains the mechanics, shows exploits in Python and Node.js, and covers the fixes.
PyYAML's yaml.load() allows arbitrary code execution when processing untrusted input. This guide explains how the vulnerability works, demonstrates the attack, and shows the safe alternatives for PyYAML and ruamel.yaml that you should be using instead.
The Miasma supply chain attack against Red Hat npm packages in June 2026 used OIDC tokens and produced valid SLSA provenance attestations on malicious packages. Here's why provenance doesn't guarantee safety and what additional controls matter.
The OWASP Top 10 for Large Language Model Applications catalogues the most critical security risks in LLM-powered software. This guide covers each category with concrete developer mitigations — from prompt injection and insecure output handling to model theft and supply chain vulnerabilities.
Rate limiting protects APIs from brute force, credential stuffing, scraping, and resource exhaustion. This guide covers the four main algorithms, Redis-based implementation patterns, and the OWASP API Security Top 10 considerations.
BFLA lets regular users call admin-only API functions simply by knowing the right URL. It's OWASP API5:2023, reliably present in enterprise APIs, and almost invisible to automated scanners. Here's how it works, where it hides, and how to eliminate it.
Using a cryptographically weak PRNG to generate session tokens, password reset links, or CSRF tokens is a silent vulnerability that's easy to introduce and hard to detect in code review. This guide covers where CWE-338 shows up, why Math.random() and time-seeded generators are exploitable, and how to generate tokens securely in JavaScript, Python, and Java.
Clickjacking lets attackers trick users into clicking hidden page elements by overlaying transparent iframes on legitimate content. This guide covers the three main defences — X-Frame-Options, CSP frame-ancestors, and SameSite cookies — with implementation examples in Node.js, Python, and Java.
SAML is the SSO protocol underpinning enterprise identity across thousands of applications, and its XML signature model has produced some of the most impactful authentication bypasses in enterprise security history. This guide covers XML signature wrapping, comment injection, and how to implement SAML correctly in Python and Java.
Subdomain takeover is a vulnerability where a DNS record points to a cloud resource that no longer exists — allowing an attacker to claim that resource and serve content from your domain. This guide covers how it works, how to find dangling records in your own infrastructure, and how to prevent it.
Malicious npm packages continue to target developer environments through typosquatting, dependency confusion, compromised maintainer accounts, and postinstall script abuse. This guide covers practical tools and techniques to catch malicious packages before they execute in your pipeline.
Open redirects are consistently underestimated in code review and penetration testing — but in OAuth 2.0 flows, a single unvalidated redirect_uri parameter can hand an attacker a victim's access token. This guide covers the vulnerability class, its exploitation in OAuth contexts, and the validation patterns that prevent it.
WebSockets don't follow the same security rules as HTTP — they have no same-origin policy, skip CORS, and often receive less security scrutiny than REST endpoints. This guide covers Cross-Site WebSocket Hijacking, authorization bypass patterns, and code-level mitigations.
Content Security Policy is the most effective browser-enforced defence against XSS. This guide covers how to build a working CSP from scratch, avoid the nonce and hash pitfalls, and actually verify your policy does what you think it does.
NoSQL databases eliminated SQL but not injection. MongoDB's query operator injection, Redis command injection via Lua, and Elasticsearch dynamic query construction each have distinct attack patterns that bypass authentication and expose data. This guide covers each with vulnerable and fixed code examples.
JSON Web Tokens are the dominant stateless authentication mechanism for APIs and SPAs — and they carry a well-documented set of implementation vulnerabilities that remain common in production systems. This guide covers the attack classes, vulnerable code patterns, and secure implementations.
Web cache poisoning turns unkeyed HTTP headers and parameters into a stored XSS delivery mechanism affecting every user who receives the poisoned response. This guide covers the attack mechanics, common vulnerable patterns, and how to harden your cache configuration.
The Model Context Protocol is becoming the integration layer for AI agents — and it has serious security problems developers need to understand now. This guide covers prompt injection, tool poisoning, and supply chain risks with practical mitigations.
Passkeys promise phishing-resistant authentication without passwords — but incorrect WebAuthn implementations introduce subtle vulnerabilities. This guide covers the cryptographic fundamentals, implementation mistakes to avoid, and secure code patterns in JavaScript and Python.
File upload functionality is among the most dangerous features in web applications. Unrestricted file upload vulnerabilities allow attackers to plant web shells, bypass access controls, and achieve remote code execution. This guide covers the attack vectors, bypass techniques, and the server-side controls that actually work.
CORS misconfigurations allow attacker-controlled origins to make authenticated cross-origin requests to your API, reading responses that should be protected. From wildcard origins to null-origin acceptance, here's how misconfigured CORS policies get exploited and how to fix them with correct server-side policies and security testing.
Race conditions and TOCTOU (time-of-check to time-of-use) vulnerabilities exploit the gap between a validation check and the action that depends on it — enabling double-spend attacks on financial operations, parallel account creation bypasses, and privilege escalation. This guide covers the attack patterns, real-world scenarios across REST APIs and databases, and the application-level and database-level fixes that close the race window.
ReDoS (Regular Expression Denial of Service) exploits exponential backtracking in vulnerable regex patterns to pin a CPU at 100% with a small crafted input. This guide explains the attack, identifies dangerous patterns in Python, JavaScript, and Java, and shows how to test and fix vulnerable expressions.
SSRF lets attackers redirect your application's outbound HTTP requests to internal services, cloud metadata endpoints, and private APIs. This guide covers the attack mechanics, why allowlist validation beats blocklists, and safe URL-fetching patterns in Python, Go, and Node.js.
Path traversal (directory traversal) vulnerabilities allow attackers to read and write files outside the intended directory. This guide covers attack patterns, encoding bypasses, and secure file handling in Python, JavaScript, Java, and Go.
Over 90% of development teams now use AI coding assistants. But AI-generated code introduces a new class of security blind spots — subtle, plausible-looking code that passes standard SAST scans while embedding vulnerabilities that a senior developer would catch on review. Here is what to look for and how to build checks that actually work.
CORS misconfigurations are among the most consistently exploited web application vulnerabilities. A single overly permissive header can allow any website to read authenticated API responses on behalf of your users.
Mass assignment vulnerabilities let attackers modify object properties they were never meant to touch — including role, isAdmin, and account balance. How the attack works, how frameworks enable it by default, and how to fix it in Node.js and Python.
GraphQL introduces a distinct attack surface compared to REST — introspection exposes the full schema, batching enables rate limit evasion, and field-level authorization is easy to miss. This guide covers the common vulnerabilities and how to fix them.
HTTP request smuggling exploits disagreements between how front-end proxies and back-end servers parse HTTP/1.1 message boundaries, allowing attackers to poison request queues, bypass access controls, and hijack user sessions. Here's the technical breakdown and how to test for it.
XML External Entity injection lets attackers read arbitrary files, perform SSRF, and in some configurations achieve remote code execution -- entirely through the XML parser. Here's how the attack works and how to shut it down in three languages.
Server-side template injection lets attackers execute arbitrary code by injecting template syntax into inputs that get evaluated by the server's template engine. Here's how it works across Jinja2, Twig, and Freemarker -- and how to prevent it.
OAuth 2.0 is ubiquitous but widely misimplemented. This guide covers the most common vulnerabilities -- missing state parameters, open redirect_uri, implicit flow token leakage, and PKCE gaps -- with code examples showing what to fix.
How attackers register package names that AI coding assistants invent, and what developers can do to protect their pipelines from this emerging supply chain threat.
Content-Security-Policy, HSTS, COOP, COEP, and Permissions-Policy explained with concrete examples. Learn what each header actually does, which common misconfigurations defeat the protection, and how to implement the right stack for your application.
Prototype pollution lets attackers inject properties into Object.prototype, affecting every object in a Node.js process. This guide covers the attack mechanics, real-world exploitation paths, and concrete defensive patterns for JavaScript and Node.js applications.
Server-side request forgery attacks surged 452% between 2023 and 2024. This guide covers modern SSRF techniques -- including cloud metadata pivots and blind SSRF -- with secure code patterns in Python and Node.js.
Cross-Site Request Forgery remains a top web vulnerability despite years of awareness. This guide covers the attack mechanics, why naive defences fail, and the complete modern prevention stack including CSRF tokens, SameSite cookies, and custom request headers.
How OS command injection works, why shell metacharacters are dangerous, and how to eliminate the vulnerability in Python, Node.js, and Go with safe subprocess patterns.
Insecure Direct Object References and other Broken Access Control patterns are the most common source of account takeover bugs. Here is how to find and fix them.
Reflected, stored, and DOM-based XSS explained with real exploit chains and prevention patterns for JavaScript, React, Node.js, and Python.
Parameterised queries, ORM pitfalls, and blind SQLi detection patterns to protect your application data.
How secrets end up in git history, why environment variables aren't enough, and how to use Vault and AWS Secrets Manager properly.
The alg:none attack, weak secrets, JWKS spoofing, and how to validate JWTs correctly in Node and Python.
How dependency confusion attacks work against npm and pip, and how to configure private registries to block them.
How insecure deserialization leads to remote code execution in Java and Python, and the safe alternatives for each.
The OWASP Top 10 2021 -- the current official release -- with code-level examples and actionable checklists for each of the ten categories.