Specific attack vectors, weakness types, and how to prevent them.
18 articlesA supply chain attack targets software dependencies, build tools, or third-party services used by an application — compromising many downstream targets through a single upstream breach.
Broken access control occurs when an application fails to properly enforce what authenticated users are permitted to do, allowing attackers to access unauthorized data or functionality.
Broken authentication describes flaws in authentication and session management that allow attackers to compromise passwords, keys, or session tokens — and temporarily or permanently assume other users' identities.
A buffer overflow occurs when a program writes more data to a buffer than it can hold, overwriting adjacent memory — potentially enabling arbitrary code execution or application crashes.
Command injection is an attack where an attacker injects shell commands into an application input that gets passed to a system shell, enabling arbitrary command execution on the host.
CSRF is an attack that tricks authenticated users into unknowingly submitting requests to a web application — executing actions they did not intend using their existing session credentials.
Dependency confusion is a supply chain attack where a malicious public package with the same name as a private internal package causes package managers to install the malicious version.
Hardcoded secrets are credentials, API keys, or cryptographic keys embedded directly in source code — creating persistent exposure risk whenever code is accessed, shared, or committed to version control.
Insecure deserialization occurs when an application deserializes untrusted data without validation, potentially allowing attackers to manipulate objects, escalate privileges, or execute arbitrary code.
Malicious code is any code intentionally designed to cause harm — including viruses, trojans, backdoors, logic bombs, and cryptominers — that can be introduced through supply chains, contributions, or compromised dependencies.
The OWASP Top 10 is the most widely recognized list of critical web application security risks, published by the Open Web Application Security Project.
Path traversal (directory traversal) is an attack where an attacker manipulates file path inputs to access files outside the intended directory, potentially exposing sensitive server files.
Prototype pollution is a JavaScript vulnerability where an attacker can modify Object.prototype, injecting properties that are inherited by all objects and potentially causing security bypasses or RCE.
Security misconfiguration occurs when systems, frameworks, cloud services, or applications are deployed with insecure default settings, unnecessary features enabled, or missing hardening controls.
SQL injection is an attack where malicious SQL code is inserted into a query through unvalidated user input, allowing attackers to read, modify, or delete database data.
SSRF is an attack where an attacker causes a server to make requests to unintended targets, enabling access to internal services, cloud metadata, and restricted network resources.
Cross-site scripting (XSS) is an injection attack where malicious scripts are injected into trusted websites and executed in victims' browsers, enabling session hijacking, credential theft, and more.
XXE injection exploits XML parsers that process external entity references, enabling attackers to read local files, perform SSRF, or cause denial of service via malicious XML documents.