owasp-top-10
Safeguard articles tagged "owasp-top-10" — guides, analysis, and best practices for software supply chain and application security.
71 articles
Broken access control explained
Broken access control has topped OWASP's Top 10 since 2021. See real breaches, common patterns like IDOR, and how to detect and fix them.
CRLF injection and HTTP response splitting explained
CRLF injection lets attackers forge HTTP headers and split responses. Here's how it works, real CVEs behind it, and how to detect and stop it.
Sensitive data exposure in application logs explained
Passwords, tokens, and PII often end up readable in plaintext logs. Here's how CWE-532 exposures happen, real breaches they caused, and how to fix them.
App Vulnerability Classes: A Field Guide
Not every app vulnerability behaves the same way — this field guide groups the common web vulnerabilities by root cause so triage and prevention actually map to something repeatable.
Broken Authentication in API Endpoints
Broken authentication in API endpoints drove breaches at T-Mobile, Optus, and Peloton. Here's why it keeps happening and how to catch it before attackers do.
SQL Injection Prevention in PHP with Parameterized Queries
Parameterized queries stop SQL injection in PHP by separating code from data. Here's how PDO and MySQLi prepared statements work, and where they still fail.
XXE Prevention in Java: Hardening DocumentBuilderFactory
Java's DocumentBuilderFactory parses XML with external entities on by default, turning XML uploads into file-read and SSRF vectors. Here is how to lock it down.
The OWASP Top 10 API Security Risks, Explained
The OWASP Top 10 API Security Risks reorder the classic web vulnerability list around how APIs actually get broken — object-level authorization failures beat injection as the most common real-world root cause.
Java Vulnerability Classes: A Reference List
A java vulnerability list organized by class — deserialization, injection, XXE, and the rest — because Java's ecosystem produces a specific, recurring set of vulnerability patterns worth knowing by name.
CWE Full Form: How the Common Weakness Enumeration Works
CWE stands for Common Weakness Enumeration — a community catalog of software and hardware weakness types. Here is what CWE means, how it differs from CVE, and how to use it.
OWASP 10 vs OWASP Top 10: Clearing Up the Confusion
"OWASP 10" isn't a separate standard — it's shorthand people search for the OWASP Top 10, and the confusion usually starts with which Top 10 they actually mean.