Safeguard
Tag

web-security

Safeguard articles tagged "web-security" — guides, analysis, and best practices for software supply chain and application security.

90 articles

AppSec

DAST Testing: How Dynamic Scans Probe Running Applications

DAST testing attacks your app the way an outsider would — no source code, just HTTP requests against a running target. Here is how the scan works, what it catches that SAST misses, and where it falls short.

Jun 18, 20257 min read
AppSec

Scanning a Website for Vulnerabilities, Step by Step

A practical walkthrough of how to scan a website for vulnerabilities — from picking a scan target and authentication mode to reading the results without drowning in false positives.

Jun 11, 20256 min read
Vulnerabilities

Stored XSS: Why Persistent Injection Hurts Most

Stored XSS saves the attacker's script server-side and serves it to everyone. Here is why persistent injection is the most damaging XSS variant and how to stop it.

Jun 3, 20256 min read
AppSec

Open Redirect Vulnerabilities: How Attackers Abuse Them

An open redirect attack abuses a trusted domain's own redirect functionality to send victims to a malicious site — low severity on its own, but a key ingredient in phishing and OAuth token theft.

May 27, 20256 min read
Vulnerabilities

XSS Examples: Real Payloads and How They Execute

Concrete XSS examples across HTML, attribute, and JavaScript contexts, with the payloads that trigger them and why each one runs.

Apr 22, 20256 min read
Vulnerabilities

XXE Examples: Annotated Payloads and Fixes

Concrete xxe examples showing how a malicious external entity reference reads local files or reaches internal services through an XML parser, and the config change that closes it.

Mar 27, 20255 min read
Vulnerability Analysis

Next.js Middleware Authorization Bypass: CVE-2025-29927

A critical flaw in Next.js allowed attackers to bypass middleware-based authorization by setting a single HTTP header. Applications relying on middleware for auth checks were completely exposed.

Mar 21, 20255 min read
AppSec

Free Website Vulnerability Scanners: What You Actually Get

Free scanners catch the obvious stuff — missing headers, expired TLS, a handful of known CVEs — but they stop well short of what a real security program needs.

Mar 14, 20255 min read
Vulnerabilities

SSRF Attacks: How Server-Side Request Forgery Works

SSRF tricks a server into making requests an attacker controls — reaching internal services, cloud metadata endpoints, and data no external user should touch. Here is how it works and how to stop it.

Sep 17, 20246 min read
Vulnerabilities

A CSRF Example: Full Attack Walkthrough

A concrete csrf example — a bank transfer form with no anti-forgery token — showing exactly how a forged request rides in on a victim's session and what stops it.

Sep 3, 20245 min read
Vulnerabilities

XSS Scripting Attacks: A Refresher for Engineers

XSS scripting attacks still make the OWASP Top 10 more than two decades after they were first documented, mostly because the fix is context-dependent and easy to get almost-right.

Aug 21, 20245 min read
Vulnerabilities

What Is a CSRF Token, and How Does It Stop CSRF?

A CSRF token is a random, per-session value a server requires on state-changing requests so a malicious site can't forge one on a logged-in user's behalf.

Jul 22, 20245 min read
web-security (Page 4) — Safeguard Blog