application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
608 articles
Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization
One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.
NoSQL injection prevention in MongoDB and Mongoose
A single unsanitized query key like $ne can bypass authentication in MongoDB apps — two 2024-2025 Mongoose CVEs show the fix is harder than one middleware package.
Secure code review: the checklist reviewers actually need
Broken access control affects nearly every tested app and XSS remains the #1 CWE overall — both catchable in review. Here is a language-agnostic PR checklist.
Trojan Source: how Unicode bidi control characters hide malicious code in plain sight
CVE-2021-42574 scored 8.3 CVSS for a bug that isn't a parser flaw at all — it's Unicode's bidirectional text algorithm, weaponized against code review.
URL parser confusion: how inconsistent parsing enables SSRF and auth bypass
Sixteen URL-parsing libraries tested, five inconsistency classes found, eight CVEs assigned — one wrong backslash can turn a validated URL into an SSRF.
Code injection risks in CLI tools and IDE plugins
A malicious npm dependency hid in event-stream for 8M downloads before detection. Developer tooling is a code-injection blast radius most teams never audit.
Exposed .git Directories and the Git Internals That Leak Your Source
Roughly 4.96 million IPs expose .git metadata today, and over 252,000 leak live credentials in .git/config — a 2018-era bug that never went away.
Implementing HSTS correctly in Node.js and Express
HSTS has one header and three flags, yet a misconfigured includeSubDomains or a premature preload submission can take a domain offline for months.
Implementing TLS in Java applications: keystores, trust managers, and protocol pinning done right
One overridden checkServerTrusted() method disables certificate validation for an entire Java app — and it still ships to production more often than most teams admit.
Log injection attacks and how to stop forging your own audit trail
One unsanitized turns a log line into two, and a critical Log4j flaw with a CVSS score of 10.0 turned a log message into remote code execution.
RBAC vs. ABAC vs. ReBAC: choosing an access-control model for multi-tenant cloud apps
Google's Zanzibar paper (USENIX ATC 2019) showed relationship graphs authorizing access with sub-10ms latency at massive scale — here's when RBAC or ABAC beats it instead.
Nuxt 3 Security Hardening: CSP, SSR Leakage, and Safe Server Routes
Nuxt 3's server runs as one long-lived Node process — a single misplaced ref() can leak one user's data into another user's response.