vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
XML External Entity (XXE) injection explained
XXE injection lets attackers abuse XML parsers to read files, hit cloud metadata via SSRF, or crash servers — here's how it works and how to stop it.
Cross-site request forgery (CSRF) explained
CSRF forges authenticated requests using a victim's own session cookies. Learn how real attacks against Netflix and uTorrent worked, and how to stop them.
Open redirect vulnerabilities explained
Open redirect flaws (CWE-601) score as medium severity alone, but they power real phishing campaigns against Google, Amex, and Microsoft. Here's how they work and how to stop them.
Arbitrary file upload vulnerabilities explained
Arbitrary file upload flaws (CWE-434) have caused breaches from Equifax to GitLab. Here's how they work, the CVEs that prove it, and how to stop them.
Directory listing exposure risks explained
Directory listing vulnerabilities expose raw file trees via one misconfigured Apache, Nginx, or IIS directive. Here's how they happen and how to fix them.
Time-of-check to time-of-use (TOCTOU) race condition vulnerabilities
TOCTOU race conditions let attackers swap a resource between a security check and its use. Real CVEs, exploit mechanics, and prevention patterns explained.
Buffer overflow vulnerabilities explained
Buffer overflows still make MITRE's CWE Top 25 every year. Here's how they corrupt memory, real CVEs like EternalBlue and Baron Samedit, and how to stop them.
Use-after-free vulnerabilities explained
Use-after-free bugs (CWE-416) power some of the worst zero-day exploit chains in browsers and kernels. Here's how they work and what stops them.
Integer overflow vulnerabilities explained
What integer overflow vulnerabilities are, how CWE-190 causes real breaches like Bitcoin's 2010 overflow bug, and how to detect and prevent them.
Type confusion vulnerabilities explained
Type confusion bugs let attackers corrupt memory by exploiting mismatched type assumptions. See real CVEs, how JIT engines fail, and how to catch it early.
Format string vulnerabilities explained
Format string bugs let attackers turn a printf call into memory disclosure or arbitrary writes. Here's how CWE-134 works, real CVEs, and fixes.
NoSQL injection vulnerabilities explained
NoSQL injection lets attackers manipulate MongoDB-style queries via operators like $ne and $where. Learn how it works, real CVEs, and fixes.