Master the configurations, security policies, and mitigation codes needed to protect your web applications against emerging threats.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against cookie hijacking and protocol downgrade attacks (like SSL stripping). It forces user agents (like browsers) to only interact with the website using secure HTTPS connections, never over plaintext HTTP.
Clickjacking (UI redressing) is an exploit where an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. This is usually achieved by embedding your website inside an iframe on the attacker's site.
Content Security Policy (CSP) is an HTTP header that allows site operators to restrict the resources (such as JavaScript, CSS, Images) that the browser is allowed to load for a given page. A missing or weakly configured CSP makes a site highly susceptible to Cross-Site Scripting (XSS) and data injection exploits.
A subdomain takeover occurs when an organization has a DNS record (typically a CNAME record) pointing to an external service provider (such as GitHub Pages, AWS S3, Heroku, or Zendesk) that has been deleted or unclaimed. An attacker can register an account with that provider and claim the subdomain, enabling them to host malicious code under your official brand name.
Cookies that store sensitive data (like session tokens or auth state) are vulnerable to interception if they lack security flags. Without the Secure flag, cookies can be transmitted in cleartext over unencrypted HTTP connections. Without the HttpOnly flag, client-side scripts can access the cookie, making it vulnerable to theft via Cross-Site Scripting (XSS).
A Common Vulnerabilities and Exposures (CVE) check identifies known security flaws in the software stacks detected on your server (such as outdated web servers, CMS systems, databases, or libraries). Leaving known CVEs unpatched makes it trivial for automated scanners and attackers to compromise the system.
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that restricts resources on a web page from being requested from another domain. A weak CORS configuration (such as reflecting the Origin header blindly or enabling wildcards with credentials enabled) allows malicious websites to read sensitive data from your web application on behalf of authenticated users.
Cross-Site Scripting (XSS) occurs when an application includes untrusted data in a web page without proper validation or escaping, allowing attackers to execute malicious scripts in the victim's browser. This can lead to session hijacking, defacement, or redirecting users to malicious sites.
Directory listing (or directory browsing) is a web server misconfiguration that displays the index of files in a directory when no default index file (like index.html) is present. This exposes source code, backup archives, configuration files, and private assets to public download and enumeration.
Allowing legacy SSL/TLS protocols (SSLv3, TLS 1.0, TLS 1.1) or weak cipher suites (like those using RC4, 3DES, or anonymous DH) makes HTTPS sessions vulnerable to decryption and man-in-the-middle (MITM) attacks. Modern standards require TLS 1.2 or TLS 1.3 with AEAD ciphers.
DNS Security Extensions (DNSSEC) add cryptographic signatures to your DNS records. Without DNSSEC, the DNS resolution process is vulnerable to spoofing and cache poisoning attacks, where an attacker redirects your users to a clone of your site by injecting a spoofed IP address.
SQL Injection occurs when untrusted user input is directly concatenated into a SQL query without parameterization, allowing attackers to manipulate database commands, bypass authentication, and extract or modify sensitive records.
Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to execute unwanted actions on a web application in which they are currently logged in, typically using malicious links or third-party sites.
Server-Side Request Forgery (SSRF) occurs when a web application fetches a remote resource without validating the user-supplied URL, allowing attackers to coerce the server into sending requests to internal resources, metadata endpoints, or loopback interfaces.
Broken Object Level Authorization (BOLA) occurs when an API endpoint exposes database identifiers directly without verifying whether the requesting user has permission to access that specific object, leading to unauthorized data exposure.
Broken authentication vulnerabilities allow attackers to bypass login forms, hijack user sessions, or compromise user identities due to weak session management, lack of MFA, or predictable tokens.
XML External Entity (XXE) injection occurs when a poorly configured XML parser processes input containing references to external entities, enabling attackers to read local files, execute SSRF attacks, or cause denial of service.
OS Command Injection allows attackers to execute arbitrary system commands on the hosting server by tricking the application into running shell commands with unsanitized user inputs.
Path traversal allows attackers to read arbitrary files on the application server by manipulating file path parameters using dot-dot-slash (../) sequences.
Insecure Deserialization happens when an untrusted serialized object is parsed by an application, allowing attackers to execute remote commands, tamper with app state, or escalate privileges.
Failing to log security-critical events (like failed logins or privilege changes) or failing to monitor logs prevents timely detection and response to ongoing cyberattacks.
An open redirect occurs when an application accepts a user-controlled URL as a redirect target without validation, allowing attackers to craft phishing links that redirect to external domains.
Without rate limiting, public API endpoints and login routes are vulnerable to brute-force attacks, credential stuffing, denial-of-service (DoS) attempts, and resource exhaustion.
HTTP Request Smuggling is an attack where an attacker tampers with requests sent to a chain of proxies or load balancers, causing different servers to interpret message boundaries differently.
JSON Web Tokens (JWT) signed with weak secrets can be brute-forced offline, allowing attackers to forge tokens, tamper with payload claims, and impersonate any user.
This vulnerability allows users to access administrative or restricted functions (e.g. changing settings, deleting users) by manually browsing to specific URLs or API endpoints due to missing access checks.
Server-Side Template Injection (SSTI) occurs when user input is concatenated directly into server-side templates (Jinja2, Freemarker, Thymeleaf) rather than passed as parameters, leading to remote code execution.
LDAP Injection occurs when untrusted user input is directly concatenated into a query used to search an LDAP directory, allowing attackers to bypass authentication or extract sensitive organizational details.
NoSQL Injection targets document-based databases (like MongoDB) by injecting query operator commands inside JSON payloads to bypass authentication or dump database documents.
HTTP Host Header Injection happens when the application uses the HTTP Host header to generate absolute links, password reset links, or import scripts without validating it against a whitelist.
Leaving cloud storage containers (like AWS S3 buckets, Azure Blobs) unprotected or publicly readable allows anyone to download database backups, source files, and customer data.
Deploying servers, databases, routers, or applications with factory-default passwords (e.g. admin/admin) allows automated botnets and script kiddies to gain instant superuser access.
Allowing anonymous DNS zone transfers exposes the entire internal topology, subdomains, and server names of your infrastructure to potential attackers.
Allowing direct root login over SSH using passwords makes servers highly susceptible to brute-force attacks. Root actions should be audited and require private keys.
Exposing the Docker Daemon TCP socket without encryption or authentication allows anyone to control the host OS, spin up malicious containers, and execute arbitrary root-level code.
Exposing the .git repository folder to the public allows attackers to download your entire source code history, configuration files, passwords, and API keys.
Storing database passwords, payment gateway secrets, and private keys in a publicly accessible .env file allows attackers to completely compromise your backend dependencies.
Leaving compressed archives, .bak, .zip, or .old files in the public directory allows attackers to download snapshots of your source code and configurations.
Storing passwords using legacy, fast hashing algorithms (MD5, SHA1, unsalted SHA256) makes them extremely easy to crack via lookup tables or GPU-powered brute force.
Session fixation occurs when an application keeps the same session ID before and after login, allowing an attacker to fix a session token and hijack the victim's logged-in session.
Without proper email authentication records, malicious actors can forge emails from your domain name, damaging your brand reputation and triggering phishing alerts.
Web Cache Poisoning occurs when an attacker manipulates HTTP request headers to force the caching server to store a harmful or modified response, serving it to subsequent users.
XML Signature Wrapping (XSW) vulnerabilities affect XML-based single-sign-on protocols (like SAML). An attacker alters the XML structure to wrap the signature, tricking the validation logic while changing assertions.
Allowing users to upload SVG files allows them to embed inline <script> tags inside the image file. When viewed directly in the browser, the scripts execute under your domain context.
HTTP Parameter Pollution (HPP) involves supplying multiple HTTP parameters with the same name. Different backend components might parse them differently, allowing attackers to bypass validation rules.
Login CSRF allows attackers to force a user to log into an attacker-controlled account, enabling them to track the victim's history or steal sensitive data when they interact with the page.
Enabling wildcards * in Access-Control-Allow-Origin combined with authentication configurations can allow malicious scripts to fetch private user data.
Enabling HSTS without the includeSubDomains directive leaves subdomains unprotected and vulnerable to protocol downgrade attacks.
An XML entity expansion attack uses nested entities to crash the XML parser by exhausting memory and CPU resources (Denial of Service).
Using outdated or vulnerable front-end libraries (such as older jQuery or Bootstrap versions with known XSS flaws) exposes users to client-side injection.
Navigating to third-party links from secure areas can leak sensitive tokens, IDs, or search queries contained in the URL via the HTTP Referer header.