Safeguard
Tag

vulnerability-analysis

Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.

360 articles

Vulnerability Analysis

How to detect malicious npm packages

Real npm supply chain attacks — event-stream, ua-parser-js, node-ipc, and the 2025 chalk/debug breach — show how to spot and stop malicious packages.

Dec 7, 20256 min read
Vulnerability Analysis

Subresource integrity bypass explained

SRI hashes can't stop what happens before the hash is made. How polyfill.io, British Airways, and event-stream exposed real gaps in browser integrity checks.

Dec 6, 20257 min read
Vulnerability Analysis

Clickjacking vulnerabilities explained

A clickjacking vulnerability hides real buttons under a decoy iframe to hijack clicks. Here's how the attack works, real incidents, and fixes.

Dec 6, 20257 min read
Vulnerability Analysis

CRLF injection and HTTP response splitting explained

CRLF injection lets attackers forge HTTP headers and split responses. Here's how it works, real CVEs behind it, and how to detect and stop it.

Dec 6, 20257 min read
Vulnerability Analysis

HTTP request smuggling explained

HTTP request smuggling exploits parser mismatches between proxies and origin servers. Learn CL.TE/TE.CL mechanics, real CVEs, and how to detect it.

Dec 6, 20257 min read
Vulnerability Analysis

Server-side includes (SSI) injection explained

SSI injection lets attackers run shell commands via directives like #exec cmd. Learn how CWE-97 works, real attack vectors, detection, and fixes.

Dec 5, 20257 min read
Vulnerability Analysis

Business logic vulnerabilities explained

A business logic vulnerability breaks your app's rules, not its code. See how Starbucks, Shopify, and the DAO were exploited -- and how to detect and prevent it.

Dec 5, 20257 min read
Vulnerability Analysis

Mass assignment vulnerabilities explained

Mass assignment lets attackers write privileged fields like "role":"admin" via ordinary API calls. Learn how it works, real CVEs, and fixes.

Dec 5, 20257 min read
Vulnerability Analysis

GraphQL injection and introspection abuse explained

How GraphQL injection, introspection abuse, and alias-based DoS attacks expose APIs to data leaks—illustrated by the 2021 Peloton breach.

Dec 5, 20257 min read
Vulnerability Analysis

JWT algorithm confusion / none-algorithm bypass explained

How attackers forge JWTs via RS256/HS256 key confusion and the alg:none bypass, with real CVEs, detection steps, and defenses.

Dec 4, 20257 min read
Vulnerability Analysis

XML signature wrapping attacks explained

XML signature wrapping lets attackers forge signed SOAP and SAML messages without breaking the signature. Here's how the attack works and how to stop it.

Dec 4, 20257 min read
Vulnerability Analysis

SSRF via webhooks explained

Webhook SSRF turns a trusted callback feature into an internal network foothold. Here is how the attack works, real incidents, and how to actually fix it.

Dec 4, 20257 min read
vulnerability-analysis (Page 21) — Safeguard Blog