Vulnerabilities
In-depth guides and analysis on vulnerabilities from the Safeguard engineering team.
71 articles
Password Security Storage: Hashing Done Right
Password security storage still gets built wrong in 2024 — here's what a correct implementation looks like, from algorithm choice to salt handling to migration.
SQL Injection: How It Works and How It's Actually Tested
A defender's walkthrough of how SQL injection works and how security testers actually verify it in a controlled, authorized assessment — not a how-to-attack guide.
A CSRF Example: Full Attack Walkthrough
A concrete csrf example — a bank transfer form with no anti-forgery token — showing exactly how a forged request rides in on a victim's session and what stops it.
XSS Scripting Attacks: A Refresher for Engineers
XSS scripting attacks still make the OWASP Top 10 more than two decades after they were first documented, mostly because the fix is context-dependent and easy to get almost-right.
The Moq Vulnerability: What Happened and What to Do
The Moq incident wasn't a classic CVE — it was a popular .NET mocking library quietly bundling a data-collection dependency in a routine version bump, and it's a case study in why supply-chain monitoring has to watch behavior, not just version numbers.
Adobe Flash's End of Life: Security Lessons From a Decade of Patching
Adobe Flash security was a running joke in the industry for a decade before its 2020 end-of-life — the real lesson wasn't Flash itself, it was how long a critical dependency can outlive its own security model.
CVE-2020-15250: The JUnit Temp File Vulnerability
CVE-2020-15250 shows how a test-only utility class in JUnit 4 created world-readable temp files on Unix systems, and why it still shows up in scans of projects that never touched production code paths.
What Is a CSRF Token, and How Does It Stop CSRF?
A CSRF token is a random, per-session value a server requires on state-changing requests so a malicious site can't forge one on a logged-in user's behalf.
The SnakeYAML Deserialization Vulnerability, Explained
SnakeYAML's default Constructor could instantiate arbitrary Java classes from YAML input — CVE-2022-1471 turned a config-parsing library into a remote code execution path.
CVE-2021-29425: The Commons IO Path Traversal Bug
CVE-2021-29425 shows how a single unhandled case in Apache Commons IO's path normalization let attackers slip past directory checks that assumed a canonicalized path was actually safe.
SSRF Examples and How They're Actually Exploited
Real SSRF examples, from cloud metadata theft to internal port scanning, showing exactly how a server-side request forgery bug gets turned into a full compromise.
SQL Injection Examples: Classic and Modern Attack Patterns
Real SQL injection examples from classic login bypass to blind, time-based, and ORM-era attacks, plus how to test for each one safely.