vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
How to detect malicious npm packages
Real npm supply chain attacks — event-stream, ua-parser-js, node-ipc, and the 2025 chalk/debug breach — show how to spot and stop malicious packages.
Subresource integrity bypass explained
SRI hashes can't stop what happens before the hash is made. How polyfill.io, British Airways, and event-stream exposed real gaps in browser integrity checks.
Clickjacking vulnerabilities explained
A clickjacking vulnerability hides real buttons under a decoy iframe to hijack clicks. Here's how the attack works, real incidents, and fixes.
CRLF injection and HTTP response splitting explained
CRLF injection lets attackers forge HTTP headers and split responses. Here's how it works, real CVEs behind it, and how to detect and stop it.
HTTP request smuggling explained
HTTP request smuggling exploits parser mismatches between proxies and origin servers. Learn CL.TE/TE.CL mechanics, real CVEs, and how to detect it.
Server-side includes (SSI) injection explained
SSI injection lets attackers run shell commands via directives like #exec cmd. Learn how CWE-97 works, real attack vectors, detection, and fixes.
Business logic vulnerabilities explained
A business logic vulnerability breaks your app's rules, not its code. See how Starbucks, Shopify, and the DAO were exploited -- and how to detect and prevent it.
Mass assignment vulnerabilities explained
Mass assignment lets attackers write privileged fields like "role":"admin" via ordinary API calls. Learn how it works, real CVEs, and fixes.
GraphQL injection and introspection abuse explained
How GraphQL injection, introspection abuse, and alias-based DoS attacks expose APIs to data leaks—illustrated by the 2021 Peloton breach.
JWT algorithm confusion / none-algorithm bypass explained
How attackers forge JWTs via RS256/HS256 key confusion and the alg:none bypass, with real CVEs, detection steps, and defenses.
XML signature wrapping attacks explained
XML signature wrapping lets attackers forge signed SOAP and SAML messages without breaking the signature. Here's how the attack works and how to stop it.
SSRF via webhooks explained
Webhook SSRF turns a trusted callback feature into an internal network foothold. Here is how the attack works, real incidents, and how to actually fix it.