Safeguard
Topic

Vulnerabilities

In-depth guides and analysis on vulnerabilities from the Safeguard engineering team.

71 articles

Vulnerabilities

Password Security Storage: Hashing Done Right

Password security storage still gets built wrong in 2024 — here's what a correct implementation looks like, from algorithm choice to salt handling to migration.

Sep 17, 20245 min read
Vulnerabilities

SQL Injection: How It Works and How It's Actually Tested

A defender's walkthrough of how SQL injection works and how security testers actually verify it in a controlled, authorized assessment — not a how-to-attack guide.

Sep 4, 20245 min read
Vulnerabilities

A CSRF Example: Full Attack Walkthrough

A concrete csrf example — a bank transfer form with no anti-forgery token — showing exactly how a forged request rides in on a victim's session and what stops it.

Sep 3, 20245 min read
Vulnerabilities

XSS Scripting Attacks: A Refresher for Engineers

XSS scripting attacks still make the OWASP Top 10 more than two decades after they were first documented, mostly because the fix is context-dependent and easy to get almost-right.

Aug 21, 20245 min read
Vulnerabilities

The Moq Vulnerability: What Happened and What to Do

The Moq incident wasn't a classic CVE — it was a popular .NET mocking library quietly bundling a data-collection dependency in a routine version bump, and it's a case study in why supply-chain monitoring has to watch behavior, not just version numbers.

Aug 15, 20245 min read
Vulnerabilities

Adobe Flash's End of Life: Security Lessons From a Decade of Patching

Adobe Flash security was a running joke in the industry for a decade before its 2020 end-of-life — the real lesson wasn't Flash itself, it was how long a critical dependency can outlive its own security model.

Aug 15, 20245 min read
Vulnerabilities

CVE-2020-15250: The JUnit Temp File Vulnerability

CVE-2020-15250 shows how a test-only utility class in JUnit 4 created world-readable temp files on Unix systems, and why it still shows up in scans of projects that never touched production code paths.

Aug 6, 20244 min read
Vulnerabilities

What Is a CSRF Token, and How Does It Stop CSRF?

A CSRF token is a random, per-session value a server requires on state-changing requests so a malicious site can't forge one on a logged-in user's behalf.

Jul 22, 20245 min read
Vulnerabilities

The SnakeYAML Deserialization Vulnerability, Explained

SnakeYAML's default Constructor could instantiate arbitrary Java classes from YAML input — CVE-2022-1471 turned a config-parsing library into a remote code execution path.

Jun 19, 20245 min read
Vulnerabilities

CVE-2021-29425: The Commons IO Path Traversal Bug

CVE-2021-29425 shows how a single unhandled case in Apache Commons IO's path normalization let attackers slip past directory checks that assumed a canonicalized path was actually safe.

Jun 17, 20244 min read
Vulnerabilities

SSRF Examples and How They're Actually Exploited

Real SSRF examples, from cloud metadata theft to internal port scanning, showing exactly how a server-side request forgery bug gets turned into a full compromise.

Jun 11, 20246 min read
Vulnerabilities

SQL Injection Examples: Classic and Modern Attack Patterns

Real SQL injection examples from classic login bypass to blind, time-based, and ORM-era attacks, plus how to test for each one safely.

Jun 4, 20246 min read
Vulnerabilities (Page 4) — Supply Chain Security Blog | Safeguard