web-security
Safeguard articles tagged "web-security" — guides, analysis, and best practices for software supply chain and application security.
90 articles
DAST Testing: How Dynamic Scans Probe Running Applications
DAST testing attacks your app the way an outsider would — no source code, just HTTP requests against a running target. Here is how the scan works, what it catches that SAST misses, and where it falls short.
Scanning a Website for Vulnerabilities, Step by Step
A practical walkthrough of how to scan a website for vulnerabilities — from picking a scan target and authentication mode to reading the results without drowning in false positives.
Stored XSS: Why Persistent Injection Hurts Most
Stored XSS saves the attacker's script server-side and serves it to everyone. Here is why persistent injection is the most damaging XSS variant and how to stop it.
Open Redirect Vulnerabilities: How Attackers Abuse Them
An open redirect attack abuses a trusted domain's own redirect functionality to send victims to a malicious site — low severity on its own, but a key ingredient in phishing and OAuth token theft.
XSS Examples: Real Payloads and How They Execute
Concrete XSS examples across HTML, attribute, and JavaScript contexts, with the payloads that trigger them and why each one runs.
XXE Examples: Annotated Payloads and Fixes
Concrete xxe examples showing how a malicious external entity reference reads local files or reaches internal services through an XML parser, and the config change that closes it.
Next.js Middleware Authorization Bypass: CVE-2025-29927
A critical flaw in Next.js allowed attackers to bypass middleware-based authorization by setting a single HTTP header. Applications relying on middleware for auth checks were completely exposed.
Free Website Vulnerability Scanners: What You Actually Get
Free scanners catch the obvious stuff — missing headers, expired TLS, a handful of known CVEs — but they stop well short of what a real security program needs.
SSRF Attacks: How Server-Side Request Forgery Works
SSRF tricks a server into making requests an attacker controls — reaching internal services, cloud metadata endpoints, and data no external user should touch. Here is how it works and how to stop it.
A CSRF Example: Full Attack Walkthrough
A concrete csrf example — a bank transfer form with no anti-forgery token — showing exactly how a forged request rides in on a victim's session and what stops it.
XSS Scripting Attacks: A Refresher for Engineers
XSS scripting attacks still make the OWASP Top 10 more than two decades after they were first documented, mostly because the fix is context-dependent and easy to get almost-right.
What Is a CSRF Token, and How Does It Stop CSRF?
A CSRF token is a random, per-session value a server requires on state-changing requests so a malicious site can't forge one on a logged-in user's behalf.