application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
Preventing insecure deserialization in Node.js
A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.
Preventing SMTP injection vulnerabilities in email-sending code
A crafted From address turned PHPMailer into a remote code execution bug in 2016 — here's how header injection works and how to stop it.
Preventing XSS in Java Spring and JSP applications
OWASP folded XSS into A03:2021-Injection, present in ~3.37% of tested apps — raw JSP EL output and a missing CSP header are still the two most common causes.
How catastrophic regex backtracking causes ReDoS — and how to stop it
A single bad regex took Cloudflare's global network to ~100% CPU for 27 minutes in 2019. Here's the backtracking mechanics behind ReDoS and how to rewrite unsafe patterns.
Safely Parsing Untrusted URLs in Node.js
Node's legacy url.parse() is deprecated (DEP0169), and parser mismatches between it, the WHATWG URL API, and fetchers are a documented root cause of SSRF and open redirects.
XPath injection: how it happens and how to stop it in Java, .NET, and PHP
A 2024 GeoServer flaw showed unsanitized input reaching an XPath evaluator can mean remote code execution, not just data leakage. Here's how to prevent it.
DNS attack techniques and defenses
Cache poisoning, tunneling, and NXDOMAIN floods all abuse the same trust: DNS was built to be fast and open, not authenticated.
Fuzz testing for AppSec teams: AFL++, libFuzzer, and OSS-Fuzz
OSS-Fuzz has found over 13,000 vulnerabilities since 2016, yet most AppSec teams still treat fuzzing as a research curiosity rather than a pipeline stage.
How to actually implement TLS correctly in Python
One `verify=False` in a requests call disables both certificate and hostname checks — the same escape hatch PEP 476 tried to close in 2014.
Java DTOs for secure data handling
A single @RequestBody bound to a JPA entity can let attackers set fields like isAdmin — DTOs close that gap by design, not by discipline.
The security implications of Node.js worker_threads
Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.
Python linting for security hygiene: what flake8, pylint, and bandit actually catch
Bandit maps findings to CWE IDs like CWE-502 and CWE-78, but flake8 and pylint never look for a vulnerability at all — the three tools solve different problems.