Safeguard
Tag

web-application-security

Safeguard articles tagged "web-application-security" — guides, analysis, and best practices for software supply chain and application security.

13 articles

Best Practices

Open-source penetration testing tools: a comparison guide

Nine open-source pentest tools, one decision problem: Nmap finds hosts, Metasploit exploits them, but neither replaces the other. Here's when to reach for each.

Jul 8, 20267 min read
Application Security

Web Application Security Standards overview

A breakdown of OWASP, NIST SSDF, and PCI DSS 4.0 web application security standards, where Veracode's scanning model covers them, and where supply-chain gaps remain.

Jun 20, 20267 min read
Data Breach

Škoda Auto Online Shop Breach (12 May 2026): An E-Commerce Software Flaw and the Credential-Reuse Tail

Škoda Auto disclosed on 12 May 2026 that attackers exploited a vulnerability in its German online shop to steal customer names, contact details, order data, and login credentials. The card data was safe; the credentials are the part that keeps paying out.

May 12, 202614 min read
Application Security

Web Application Security Risks & Best Practices

Web app flaws like MOVEit and Log4Shell keep causing breaches. Here's what's actually exploitable in 2026, and how to fix it before attackers do.

Apr 10, 20267 min read
Vulnerability Analysis

What is Cross-Site Scripting (XSS)

XSS lets attackers inject malicious JavaScript into trusted pages. Learn how stored, reflected, and DOM-based XSS work, real breaches, and defenses.

Apr 1, 20267 min read
Vulnerability Analysis

What is Cross-Site Request Forgery (CSRF)

CSRF forges an authenticated request using a victim's own session cookie. Learn how it works, real Gmail/YouTube cases, and how to detect and fix it.

Mar 31, 20267 min read
AppSec

How Attackers Use JavaScript: Common Client-Side Attack Techniques

Using JavaScript for hacking rarely means writing exotic exploits — it means abusing the same DOM APIs, event handlers, and third-party scripts every legitimate site relies on.

Feb 10, 20266 min read
Vulnerability Analysis

Cross-site request forgery (CSRF) explained

CSRF forges authenticated requests using a victim's own session cookies. Learn how real attacks against Netflix and uTorrent worked, and how to stop them.

Dec 13, 20257 min read
Vulnerability Analysis

Server-side template injection (SSTI) explained

SSTI lets attackers turn template syntax into server-side RCE. See how it works, real CVEs like Confluence's, and how to prevent it.

Dec 10, 20257 min read
Vulnerability Analysis

Clickjacking vulnerabilities explained

A clickjacking vulnerability hides real buttons under a decoy iframe to hijack clicks. Here's how the attack works, real incidents, and fixes.

Dec 6, 20257 min read
Vulnerability Analysis

HTTP request smuggling explained

HTTP request smuggling exploits parser mismatches between proxies and origin servers. Learn CL.TE/TE.CL mechanics, real CVEs, and how to detect it.

Dec 6, 20257 min read
AppSec

Dynamic Application Security Testing Tools, Compared

Dynamic application security testing tools test running applications the way an attacker would, but they differ sharply on API coverage, auth handling, and CI integration — here's how to tell them apart.

Aug 14, 20254 min read
web-application-security — Safeguard Blog