web-application-security
Safeguard articles tagged "web-application-security" — guides, analysis, and best practices for software supply chain and application security.
13 articles
Open-source penetration testing tools: a comparison guide
Nine open-source pentest tools, one decision problem: Nmap finds hosts, Metasploit exploits them, but neither replaces the other. Here's when to reach for each.
Web Application Security Standards overview
A breakdown of OWASP, NIST SSDF, and PCI DSS 4.0 web application security standards, where Veracode's scanning model covers them, and where supply-chain gaps remain.
Škoda Auto Online Shop Breach (12 May 2026): An E-Commerce Software Flaw and the Credential-Reuse Tail
Škoda Auto disclosed on 12 May 2026 that attackers exploited a vulnerability in its German online shop to steal customer names, contact details, order data, and login credentials. The card data was safe; the credentials are the part that keeps paying out.
Web Application Security Risks & Best Practices
Web app flaws like MOVEit and Log4Shell keep causing breaches. Here's what's actually exploitable in 2026, and how to fix it before attackers do.
What is Cross-Site Scripting (XSS)
XSS lets attackers inject malicious JavaScript into trusted pages. Learn how stored, reflected, and DOM-based XSS work, real breaches, and defenses.
What is Cross-Site Request Forgery (CSRF)
CSRF forges an authenticated request using a victim's own session cookie. Learn how it works, real Gmail/YouTube cases, and how to detect and fix it.
How Attackers Use JavaScript: Common Client-Side Attack Techniques
Using JavaScript for hacking rarely means writing exotic exploits — it means abusing the same DOM APIs, event handlers, and third-party scripts every legitimate site relies on.
Cross-site request forgery (CSRF) explained
CSRF forges authenticated requests using a victim's own session cookies. Learn how real attacks against Netflix and uTorrent worked, and how to stop them.
Server-side template injection (SSTI) explained
SSTI lets attackers turn template syntax into server-side RCE. See how it works, real CVEs like Confluence's, and how to prevent it.
Clickjacking vulnerabilities explained
A clickjacking vulnerability hides real buttons under a decoy iframe to hijack clicks. Here's how the attack works, real incidents, and fixes.
HTTP request smuggling explained
HTTP request smuggling exploits parser mismatches between proxies and origin servers. Learn CL.TE/TE.CL mechanics, real CVEs, and how to detect it.
Dynamic Application Security Testing Tools, Compared
Dynamic application security testing tools test running applications the way an attacker would, but they differ sharply on API coverage, auth handling, and CI integration — here's how to tell them apart.