Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

Web cache poisoning: attack mechanics and prevention

A 2024 academic scan of the Tranco Top 1000 domains found roughly 17% vulnerable to web cache poisoning — here's how the attack works and how to stop it at the edge.

Jul 8, 20266 min read
Application Security

WebAssembly's security model: sandbox guarantees and the attack surface that remains

Two Critical Wasmtime sandbox-escape CVEs landed on the same day in April 2026 — proof that a wasm sandbox is only as strong as the runtime enforcing it.

Jul 8, 20267 min read
Application Security

XS-Leaks explained: cross-site leak techniques and the defenses that stop them

XS-Leaks bypass the Same-Origin Policy without running a single line of attacker script — they read state through timing, frame counts, and error events instead.

Jul 8, 20266 min read
Application Security

A practical guide to bug bounty hunting

HackerOne alone has paid hackers over $300M since 2012, but most new researchers earn nothing — duplicates, not skill gaps, are the top reason first reports fail.

Jul 7, 20267 min read
Application Security

An introduction to C and C++ memory-safety vulnerabilities

Microsoft has reported that roughly 70% of the CVEs it patches each year trace back to memory-safety bugs — here's what buffer overflows, use-after-free, and double-free actually look like.

Jul 7, 20268 min read
Application Security

Apache Struts and the recurring pattern of path-traversal and RCE bugs

Equifax lost data on 147 million people to one unpatched Struts CVE in 2017 — and the same class of bug resurfaced in Struts as recently as December 2023.

Jul 7, 20266 min read
Application Security

CVE-2024-22195: how Jinja2's xmlattr filter opened an XSS hole

A single filter in Jinja, xmlattr, could inject arbitrary HTML attributes and slip past autoescaping entirely — fixed in Jinja 3.1.3, tracked as CVE-2024-22195.

Jul 7, 20266 min read
Application Security

PHP Laravel security best practices

One line, `protected $guarded = [];`, can turn a Laravel signup form into an admin-account minting machine — here's how to lock down five real Laravel risk areas.

Jul 7, 20266 min read
Application Security

Preventing SQL injection in Node.js applications

CWE-89 is a 25-year-old bug class, but Node's template literals make it trivially easy to reintroduce in mysql2, pg, and even Sequelize's raw-query escape hatch.

Jul 7, 20267 min read
Application Security

Preventing SSRF in Node.js applications

A single unvalidated URL in a fetch or axios call can let an attacker reach 169.254.169.254 and steal cloud credentials — as the 2019 Capital One breach showed.

Jul 7, 20266 min read
Application Security

Securing Python Virtual Environments

A single sudo pip install can overwrite files an OS package manager owns — PEP 668 exists because that anti-pattern was common enough to break Linux distros.

Jul 7, 20267 min read
Application Security

The Python pickle security model, explained

Python's own docs warn that unpickling can execute arbitrary code — yet pickle is still the default weight format behind millions of ML model downloads.

Jul 7, 20266 min read
Application Security (Page 12) — Supply Chain Security Blog | Safeguard