Vulnerabilities
In-depth guides and analysis on vulnerabilities from the Safeguard engineering team.
71 articles
Preventing SQL Injection: A Defense-in-Depth Approach
Parameterized queries stop most SQL injection, but the attacks that make it to production usually slip past a single control — here's the layered defense that catches the rest.
XXE Attack Walkthroughs: What a Good Demo Actually Shows
Most XXE video walkthroughs stop at proof-of-concept file reads — here's what a genuinely useful one covers, plus the Java fix that actually closes the hole.
Data Vulnerability Classes in Modern Applications
Most breaches trace back to a handful of recurring data vulnerability patterns — from unencrypted storage to broken access checks. Here's how to categorize and prioritize them.
jQuery 3.7.1 Vulnerabilities: What Actually Changed From Earlier Releases
jQuery 3.7.1 vulnerabilities are mostly inherited history, not new CVEs — the real security story is what changed across 3.4, 3.5, and 3.7.
SQL Injection Detection: How Scanners Actually Find It
SQL injection detected in a scan report can mean very different things depending on whether it came from a static trace or a live dynamic test — here's how each actually works.
Node.js Vulnerabilities: Tracking and Patching at Scale
How to actually keep up with Node.js vulnerabilities across dozens of services — where advisories come from, what to automate, and what still needs a human.
Fixing XXE in Java: A Parser-by-Parser Hardening Guide
A parser-by-parser XXE fix for Java, covering DocumentBuilderFactory, SAXParser, XMLInputFactory, TransformerFactory, and the XML libraries that still ship unsafe defaults.
NoSQL Injection: A Practical Tutorial
NoSQL databases don't use SQL syntax, but they're not immune to injection attacks — this NoSQL injection tutorial covers how the attack actually works against MongoDB-style queries.
Java Vulnerability Classes: A Reference List
A java vulnerability list organized by class — deserialization, injection, XXE, and the rest — because Java's ecosystem produces a specific, recurring set of vulnerability patterns worth knowing by name.
Lodash 4.17.21: The Security History Behind the Version Bump
Lodash 4.17.21 closed a ReDoS path in its number-parsing helpers and a command-injection risk in its templating function — here's the security history that led up to it.
CVE-2011-4969: The jQuery XSS Bug, a Decade Later
CVE-2011-4969 is a cross-site scripting flaw in jQuery versions before 1.6.3, triggered by unsanitized attribute-selector input — it's a small, old bug, but the reasons it lingered in codebases for years are still relevant.
SSRF Attacks: How Server-Side Request Forgery Works
SSRF tricks a server into making requests an attacker controls — reaching internal services, cloud metadata endpoints, and data no external user should touch. Here is how it works and how to stop it.