owasp
Safeguard articles tagged "owasp" — guides, analysis, and best practices for software supply chain and application security.
102 articles
Secure code review: the checklist reviewers actually need
Broken access control affects nearly every tested app and XSS remains the #1 CWE overall — both catchable in review. Here is a language-agnostic PR checklist.
Mass assignment in Node, Express, and Mongoose apps
One unfiltered req.body.role field can turn a signup form into an admin-creation endpoint — here's how mass assignment happens in Node and how to stop it.
Preventing XSS in Django applications
Django escapes template output by default, but mark_safe() and format_html() misuse routinely reopen the exact XSS holes auto-escaping was built to close.
API gateway security: enforcing authN/authZ and rate limits at the edge
A single unauthenticated API endpoint exposed 37 million T-Mobile accounts in 2023. Edge-enforced authZ and identity-aware rate limits are how you prevent the repeat.
API security fundamentals: mapping the OWASP API Top 10 to real tests
OWASP's 2023 API Security Top 10 lists 10 risk categories — most start with a single curl request. Here's how to test and fix each one.
Finding and fixing XXE vulnerabilities across common XML parsers
XXE is tracked as CWE-611 and lives in OWASP's misconfiguration category — because most XML parsers ship unsafe by default.
A practical guide to HTTP security headers: CSP, HSTS, and beyond
A misconfigured checkout page let attackers skim 380,000+ card payments from British Airways in 2018. Here's how CSP, HSTS, and frame-ancestors actually stop attacks like that.
Preventing SMTP injection vulnerabilities in email-sending code
A crafted From address turned PHPMailer into a remote code execution bug in 2016 — here's how header injection works and how to stop it.
XPath injection: how it happens and how to stop it in Java, .NET, and PHP
A 2024 GeoServer flaw showed unsanitized input reaching an XPath evaluator can mean remote code execution, not just data leakage. Here's how to prevent it.
How to Discover Shadow and Undocumented APIs Before Attackers Do
A single undocumented API endpoint exposed 10 million Optus records in 2022. Here's how to find shadow APIs in production and assess their real exposure.
A primer on the OWASP API Security Top 10 and how to test for it
The OWASP API Security Top 10 dropped Injection entirely in its 2023 update and added SSRF — most REST and GraphQL teams still test for the old list.
Running internal CTFs to build real security skills on engineering teams
picoCTF drew 39,000 players in 2019 across 160 countries — proof that gamified security training scales. Here's how to run the same model internally.