Vulnerabilities
Safeguard articles tagged "Vulnerabilities" — guides, analysis, and best practices for software supply chain and application security.
27 articles
SQL Injection Detection: How Scanners Actually Find It
SQL injection detected in a scan report can mean very different things depending on whether it came from a static trace or a live dynamic test — here's how each actually works.
Vulnerability Exploitation Trends in 2024: What the Data Shows
Analysis of 2024 vulnerability exploitation patterns reveals faster weaponization timelines, shifting target profiles, and the growing importance of edge device vulnerabilities.
XSS Scripting Attacks: A Refresher for Engineers
XSS scripting attacks still make the OWASP Top 10 more than two decades after they were first documented, mostly because the fix is context-dependent and easy to get almost-right.
What Is a CSRF Token, and How Does It Stop CSRF?
A CSRF token is a random, per-session value a server requires on state-changing requests so a malicious site can't forge one on a logged-in user's behalf.
CVE-2022-24785: The Moment.js Path Traversal, Explained
A user-controlled locale string was all it took: how CVE-2022-24785 let attackers traverse paths through Moment.js locale loading on Node.js, and why the fix is a one-line upgrade.
OWASP Path Traversal: How It Works and How to Stop It
Path traversal lets an attacker reach files outside a web app's intended directory using sequences like ../../etc/passwd — here's how it works and the fixes that actually close it.
CVE-2023-4807: The OpenSSL POLY1305 Flaw on Windows
A cryptographic MAC that silently trashes CPU registers: why CVE-2023-4807 only bites Windows builds of OpenSSL, what it can actually do, and which releases fix it.
Notable CVEs of 2022: A Practitioner's Roundup
CVE-2022-31160 and a run of recursion-based denial-of-service bugs made 2022 a year defined less by exotic exploits and more by parsers that never expected deeply nested input.
Notable CVEs of 2023: A Practitioner's Roundup
From an OpenSSL IV-truncation flaw to a critical Babel code-execution bug, 2023's CVE crop is a good reminder that severity and blast radius don't always line up.
JSON Parsing Library Vulnerabilities You Should Know About
JSON is the lingua franca of APIs, but the libraries that parse it have had serious security issues. Here is what to watch for in your stack.
Compression Library Vulnerabilities: From zlib to the xz Backdoor
Compression libraries are everywhere and trusted implicitly. The xz backdoor proved that trust can be weaponized. Here is the full picture.
The OWASP Top 10 (2021) Through a Supply Chain Security Lens
The 2021 OWASP Top 10 added supply chain risks for the first time. Here is what each category means when your code is mostly someone else's code.