Vulnerabilities
In-depth guides and analysis on vulnerabilities from the Safeguard engineering team.
71 articles
CSRF Attacks: How They Work and How Tokens Stop Them
A CSRF attack rides a logged-in user's browser to forge requests they never meant to send. Here is the mechanism and why anti-CSRF tokens defeat it.
CVE-2022-24785: The Moment.js Path Traversal, Explained
A user-controlled locale string was all it took: how CVE-2022-24785 let attackers traverse paths through Moment.js locale loading on Node.js, and why the fix is a one-line upgrade.
CVE-2019-8331: The Bootstrap XSS Vulnerability, Explained
CVE-2019-8331 let attackers inject script through Bootstrap's tooltip and popover template options, a pattern that recurred across several Bootstrap CVEs before 4.3.1 finally closed it.
SQL Injection Basics for Engineers Who Aren't Security Specialists
SQL injection is still one of the most common ways applications get breached, and the fix is usually a one-line change — this walks through the basics with a real example.
OWASP Path Traversal: How It Works and How to Stop It
Path traversal lets an attacker reach files outside a web app's intended directory using sequences like ../../etc/passwd — here's how it works and the fixes that actually close it.
SQL Injection Prevention Techniques That Actually Work
SQL injection prevention comes down to one non-negotiable technique — parameterized queries — plus a short list of layered defenses that catch what a single control misses.
What Is XSS? Cross-Site Scripting Full Form and Basics
XSS is short for cross-site scripting, a vulnerability that lets attackers run malicious scripts in a victim's browser. Here's how it works, its three main types, and how it's actually caught.
Application Vulnerabilities: The Common Classes Explained
Injection, broken access control, and misconfiguration account for most real-world breaches. Here's a plain map of the classes that matter and how each one is actually exploited.
CVE-2017-18214: Why an Old CVE Still Shows Up in Scans
CVE-2017-18214 is a ReDoS bug in Moment.js patched back in 2017, yet it keeps surfacing in scans years later because bundled copies and stale lockfiles never got the memo.
Spring4Shell: What Shipped and How to Patch It
What the Spring4Shell vulnerability actually was, which configurations were exposed, and the concrete patch and mitigation steps that closed it.
XSS Script Examples, Annotated
Reading a real xss script example line by line makes cross-site scripting concrete in a way definitions rarely do — here are annotated examples across the three main XSS types.
CVE-2022-31129: The Day.js ReDoS Vulnerability, Explained
CVE-2022-31129 is a regular expression denial of service in Day.js's custom parse format handling. Here's what triggered it, why it's still showing up in scans, and how it was fixed.