Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
Web cache poisoning: attack mechanics and prevention
A 2024 academic scan of the Tranco Top 1000 domains found roughly 17% vulnerable to web cache poisoning — here's how the attack works and how to stop it at the edge.
WebAssembly's security model: sandbox guarantees and the attack surface that remains
Two Critical Wasmtime sandbox-escape CVEs landed on the same day in April 2026 — proof that a wasm sandbox is only as strong as the runtime enforcing it.
XS-Leaks explained: cross-site leak techniques and the defenses that stop them
XS-Leaks bypass the Same-Origin Policy without running a single line of attacker script — they read state through timing, frame counts, and error events instead.
A practical guide to bug bounty hunting
HackerOne alone has paid hackers over $300M since 2012, but most new researchers earn nothing — duplicates, not skill gaps, are the top reason first reports fail.
An introduction to C and C++ memory-safety vulnerabilities
Microsoft has reported that roughly 70% of the CVEs it patches each year trace back to memory-safety bugs — here's what buffer overflows, use-after-free, and double-free actually look like.
Apache Struts and the recurring pattern of path-traversal and RCE bugs
Equifax lost data on 147 million people to one unpatched Struts CVE in 2017 — and the same class of bug resurfaced in Struts as recently as December 2023.
CVE-2024-22195: how Jinja2's xmlattr filter opened an XSS hole
A single filter in Jinja, xmlattr, could inject arbitrary HTML attributes and slip past autoescaping entirely — fixed in Jinja 3.1.3, tracked as CVE-2024-22195.
PHP Laravel security best practices
One line, `protected $guarded = [];`, can turn a Laravel signup form into an admin-account minting machine — here's how to lock down five real Laravel risk areas.
Preventing SQL injection in Node.js applications
CWE-89 is a 25-year-old bug class, but Node's template literals make it trivially easy to reintroduce in mysql2, pg, and even Sequelize's raw-query escape hatch.
Preventing SSRF in Node.js applications
A single unvalidated URL in a fetch or axios call can let an attacker reach 169.254.169.254 and steal cloud credentials — as the 2019 Capital One breach showed.
Securing Python Virtual Environments
A single sudo pip install can overwrite files an OS package manager owns — PEP 668 exists because that anti-pattern was common enough to break Linux distros.
The Python pickle security model, explained
Python's own docs warn that unpickling can execute arbitrary code — yet pickle is still the default weight format behind millions of ML model downloads.