owasp
Safeguard articles tagged "owasp" — guides, analysis, and best practices for software supply chain and application security.
104 articles
Clickjacking vulnerabilities explained
A clickjacking vulnerability hides real buttons under a decoy iframe to hijack clicks. Here's how the attack works, real incidents, and fixes.
Business logic vulnerabilities explained
A business logic vulnerability breaks your app's rules, not its code. See how Starbucks, Shopify, and the DAO were exploited -- and how to detect and prevent it.
OWASP Top 10:2025 RC1: Software Supply Chain Failures Becomes Its Own Category
The OWASP Top 10:2025 release candidate, published November 2025, splits Vulnerable Components into a broader Software Supply Chain Failures category and elevates Security Misconfiguration to #2.
Unsafe Consumption of Third-Party APIs
Third-party APIs get trusted more than user input ever would — and attackers know it. Real breaches from Polyfill.io to 3CX show why that trust is misplaced.
Improper Inventory Management: Shadow and Zombie APIs
Undocumented shadow APIs and forgotten zombie endpoints are quietly expanding attack surface. Here's why inventory gaps cause breaches like T-Mobile and Optus.
CORS Misconfiguration Vulnerabilities
CORS misconfiguration vulnerabilities let attackers steal authenticated API data with a single reflected Origin header. Here's how they happen and how to catch them before release.
Weak Password Recovery Mechanisms
From Sarah Palin's 2008 Yahoo hack to the 2014 iCloud photo leak, weak password recovery flows keep giving attackers account takeover without a password.
Sensitive Information Exposure in Error Messages
Stack traces, SQL errors, and debug pages routinely leak credentials, paths, and library versions to attackers. Here's how CWE-209 exposure happens and how to close it.
SQL Injection Prevention in Java with PreparedStatement
Java teams still ship SQL injection bugs despite PreparedStatement being free and built into the JDK since 1997. Here is how it works and where it fails.
SQL Injection Prevention in Python with Parameterized Que...
SQL injection remains widespread in Python apps despite decades-old fixes. Here's how parameterized queries actually prevent it, and where ORMs still leave gaps.
XXE Prevention in Go with decoder.DisallowDTD
Go's standard XML parser resists classic XXE by design, but cgo bindings and SAML libraries can reopen it. Here's how the DisallowDTD pattern closes the gap.
BOLA: Broken Object Level Authorization, Explained
A bola vulnerability lets one authenticated user reach another user's data just by changing an ID in a request — no exploit code required, which is exactly why scanners miss it so often.