owasp-top-10
Safeguard articles tagged "owasp-top-10" — guides, analysis, and best practices for software supply chain and application security.
71 articles
What Are Parameterized Queries
Parameterized queries stop SQL injection by binding user input as data instead of parsing it as SQL — here's how they work, and where they still fail.
The OWASP Top 10: A Quick Reference for 2026
A working reference to the OWASP Top10 categories, what each one covers in plain terms, and which scanner type actually catches it.
Server-Side Request Forgery (SSRF): how it works and how to prevent it
SSRF turns a server into an attacker's proxy into your internal network. Here's how it works, what Capital One's breach taught the industry, and how to stop it.
Cross-site scripting (XSS) explained for developers
XSS has topped vulnerability lists for two decades. Here's how reflected, stored, and DOM-based XSS actually work, real incidents, and how to fix them.
SQL injection: a complete developer's guide
A developer's guide to SQL injection: how it works, why CWE-89 still ranks in MITRE's Top 25, real breaches, and how to detect and fix it.
Insecure deserialization vulnerabilities explained
Insecure deserialization vulnerabilities let attackers turn trusted classes into gadget chains for RCE. See real CVEs, affected languages, and fixes.
XML External Entity (XXE) injection explained
XXE injection lets attackers abuse XML parsers to read files, hit cloud metadata via SSRF, or crash servers — here's how it works and how to stop it.
Cross-site request forgery (CSRF) explained
CSRF forges authenticated requests using a victim's own session cookies. Learn how real attacks against Netflix and uTorrent worked, and how to stop them.
Arbitrary file upload vulnerabilities explained
Arbitrary file upload flaws (CWE-434) have caused breaches from Equifax to GitLab. Here's how they work, the CVEs that prove it, and how to stop them.
NoSQL injection vulnerabilities explained
NoSQL injection lets attackers manipulate MongoDB-style queries via operators like $ne and $where. Learn how it works, real CVEs, and fixes.
Insecure direct object reference (IDOR) explained
IDOR lets attackers access other users' data by editing an ID in a request. See how it broke USPS, Panera, and First American — and how to actually fix it.
Authentication bypass vulnerabilities explained
Authentication bypass flaws let attackers skip login entirely. See how CVE-2022-40684, CVE-2023-22515, and CVE-2021-40539 were exploited and prevented.