Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

Finding vulnerable code hidden inside shaded and uber JARs

JFrog found 65% of Log4Shell-affected artifacts embedded raw .class files instead of a jar — invisible to scanners that only read pom.xml metadata.

Jul 16, 20266 min read
Application Security

ESLint rules for detecting Trojan Source (bidi Unicode) attacks in JS/TS

A single invisible Unicode character can flip how code executes versus how it reads on screen. Here's how to configure ESLint to catch it.

Jul 16, 20266 min read
Application Security

Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization

One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.

Jul 16, 20265 min read
Application Security

Comparing open-source tools for secure Java code review

SpotBugs checks 400+ bug patterns, Find Security Bugs adds 144 more, and CodeQL needs a full build — no single free Java scanner covers everything.

Jul 16, 20266 min read
Application Security

NoSQL injection prevention in MongoDB and Mongoose

A single unsanitized query key like $ne can bypass authentication in MongoDB apps — two 2024-2025 Mongoose CVEs show the fix is harder than one middleware package.

Jul 16, 20267 min read
Application Security

Inside the Qinglong Scheduler RCE: How Two Auth Bugs Became a Cryptomining Campaign

Two chainable auth-bypass bugs in the Qinglong task scheduler let attackers skip login entirely and mine crypto on victim CPUs — in the wild before a patch existed.

Jul 16, 20265 min read
Application Security

Trojan Source: how Unicode bidi control characters hide malicious code in plain sight

CVE-2021-42574 scored 8.3 CVSS for a bug that isn't a parser flaw at all — it's Unicode's bidirectional text algorithm, weaponized against code review.

Jul 16, 20266 min read
Application Security

URL parser confusion: how inconsistent parsing enables SSRF and auth bypass

Sixteen URL-parsing libraries tested, five inconsistency classes found, eight CVEs assigned — one wrong backslash can turn a validated URL into an SSRF.

Jul 16, 20266 min read
Application Security

Code injection risks in CLI tools and IDE plugins

A malicious npm dependency hid in event-stream for 8M downloads before detection. Developer tooling is a code-injection blast radius most teams never audit.

Jul 15, 20266 min read
Application Security

Exposed .git Directories and the Git Internals That Leak Your Source

Roughly 4.96 million IPs expose .git metadata today, and over 252,000 leak live credentials in .git/config — a 2018-era bug that never went away.

Jul 15, 20266 min read
Application Security

Implementing HSTS correctly in Node.js and Express

HSTS has one header and three flags, yet a misconfigured includeSubDomains or a premature preload submission can take a domain offline for months.

Jul 15, 20266 min read
Application Security

Implementing TLS in Java applications: keystores, trust managers, and protocol pinning done right

One overridden checkServerTrusted() method disables certificate validation for an entire Java app — and it still ships to production more often than most teams admit.

Jul 15, 20267 min read
Application Security — Supply Chain Security Blog | Safeguard