Safeguard
Tag

owasp

Safeguard articles tagged "owasp" — guides, analysis, and best practices for software supply chain and application security.

104 articles

Vulnerability Analysis

Clickjacking vulnerabilities explained

A clickjacking vulnerability hides real buttons under a decoy iframe to hijack clicks. Here's how the attack works, real incidents, and fixes.

Dec 6, 20257 min read
Vulnerability Analysis

Business logic vulnerabilities explained

A business logic vulnerability breaks your app's rules, not its code. See how Starbucks, Shopify, and the DAO were exploited -- and how to detect and prevent it.

Dec 5, 20257 min read
Frameworks

OWASP Top 10:2025 RC1: Software Supply Chain Failures Becomes Its Own Category

The OWASP Top 10:2025 release candidate, published November 2025, splits Vulnerable Components into a broader Software Supply Chain Failures category and elevates Security Misconfiguration to #2.

Nov 20, 20257 min read
Industry Analysis

Unsafe Consumption of Third-Party APIs

Third-party APIs get trusted more than user input ever would — and attackers know it. Real breaches from Polyfill.io to 3CX show why that trust is misplaced.

Nov 6, 20257 min read
Industry Analysis

Improper Inventory Management: Shadow and Zombie APIs

Undocumented shadow APIs and forgotten zombie endpoints are quietly expanding attack surface. Here's why inventory gaps cause breaches like T-Mobile and Optus.

Nov 5, 20257 min read
Industry Analysis

CORS Misconfiguration Vulnerabilities

CORS misconfiguration vulnerabilities let attackers steal authenticated API data with a single reflected Origin header. Here's how they happen and how to catch them before release.

Nov 4, 20256 min read
Industry Analysis

Weak Password Recovery Mechanisms

From Sarah Palin's 2008 Yahoo hack to the 2014 iCloud photo leak, weak password recovery flows keep giving attackers account takeover without a password.

Nov 1, 20257 min read
Industry Analysis

Sensitive Information Exposure in Error Messages

Stack traces, SQL errors, and debug pages routinely leak credentials, paths, and library versions to attackers. Here's how CWE-209 exposure happens and how to close it.

Oct 29, 20257 min read
Industry Analysis

SQL Injection Prevention in Java with PreparedStatement

Java teams still ship SQL injection bugs despite PreparedStatement being free and built into the JDK since 1997. Here is how it works and where it fails.

Oct 27, 20258 min read
Industry Analysis

SQL Injection Prevention in Python with Parameterized Que...

SQL injection remains widespread in Python apps despite decades-old fixes. Here's how parameterized queries actually prevent it, and where ORMs still leave gaps.

Oct 27, 20257 min read
Industry Analysis

XXE Prevention in Go with decoder.DisallowDTD

Go's standard XML parser resists classic XXE by design, but cgo bindings and SAML libraries can reopen it. Here's how the DisallowDTD pattern closes the gap.

Oct 21, 20257 min read
Vulnerabilities

BOLA: Broken Object Level Authorization, Explained

A bola vulnerability lets one authenticated user reach another user's data just by changing an ID in a request — no exploit code required, which is exactly why scanners miss it so often.

Jul 24, 20255 min read
owasp (Page 6) — Safeguard Blog