By sending a legitimate JSON payload that injects MongoDB operators such as $gt or $ne into the password field, attackers can trick a Node.js‑Express login endpoint into authenticating any user, illustrating how NoSQL injection bypasses authentication and how to detect and mitigate it.
The author recounts a multi‑day incident response to a ThinkPHP website that was compromised via a weak admin password, detailing how repeated data tampering, hidden scheduled‑task scripts, and a ransom message were investigated, mitigated, and finally contained through systematic hardening and monitoring.
This comprehensive guide explains the browser same‑origin policy, why cross‑origin restrictions exist, and walks through five major solutions—CORS, proxy servers, JSONP, postMessage, and WebSocket—detailing their principles, advantages, drawbacks, configuration examples, and best‑practice recommendations for interview scenarios.
Shannon, an autonomous AI-driven penetration testing agent, bridges the speed‑security gap created by rapid AI‑assisted coding by automatically analyzing source code, mapping attack paths, and executing real exploits, achieving a 96.15% success rate on the XBOW benchmark and uncovering over 20 critical flaws in the OWASP Juice Shop demo.
This guide walks through 30 hands‑on web penetration testing techniques covering the full workflow—from information gathering and vulnerability discovery to privilege escalation, internal network pivoting, and defense evasion—providing concrete commands, tool recommendations, and real‑world tips for security engineers and testers.
This article explains the principle and step‑by‑step flow of Cross‑Site Request Forgery attacks, illustrates common exploitation techniques such as forged GET/POST requests and click‑bait links, and outlines practical defenses including POST usage, HttpOnly cookies, CSRF tokens, and double‑submit cookie validation.
This article explains the background and security concerns behind the deprecation of the JavaScript document.domain API, details browser warnings, and provides a step‑by‑step migration guide using postMessage, Channel Messaging, and proper CORS configuration to keep web applications functional.
Learn the pros and cons of storing user tokens in localStorage, regular cookies, and HttpOnly cookies, understand XSS and CSRF risks, see practical migration steps, and get concise interview answers to impress hiring managers.
This article explains how HTTPS upgrades plain HTTP by adding authentication, encryption, and integrity checks, walks through its three security layers, traces the protocol’s evolution from SSL 2.0 to TLS 1.3, and discusses the practical benefits, costs, and adoption challenges of securing web traffic.
This article explains why HTTPS is essential for secure web communication, detailing how it upgrades plain HTTP by adding certificate‑based identity verification, TLS handshake negotiation, and AES‑GCM encryption with MAC verification to protect against eavesdropping, tampering, and phishing attacks.
This article explains the fundamentals of CORS, reviews traditional workarounds, and shows how the Fetch API with mode:'cors' and import assertions can provide concise, secure cross‑origin requests while outlining upcoming web security policies.
This comprehensive guide explores the fundamentals of authentication and authorization, detailing how credentials, cookies, and sessions work together, and compares traditional session-based approaches with modern token-based solutions such as JWT, covering their mechanisms, advantages, drawbacks, and best practices for secure, scalable web applications.
This article explains the browser's same‑origin policy, why it exists to prevent attacks such as XSS and CSRF, how origins are defined by protocol, host and port, and how CORS, simple requests, and preflight requests enable controlled cross‑origin communication.
This article explains the fundamentals of CORS, compares traditional workarounds, and demonstrates how modern Fetch API options, import assertions, and emerging web policies like CORP, COOP, and COEP provide simpler, more secure cross‑origin solutions for frontend developers.
This article explains why HTTPS is considered secure, details the underlying TLS handshake—including certificate verification and symmetric data encryption—and clarifies common misconceptions such as the role of CAs, the possibility of man‑in‑the‑middle attacks, and whether HTTPS traffic can be intercepted.
The article explains the purpose and historical popularity of the document.domain property for cross‑subdomain communication, details its deprecation across major browsers due to security and maintenance concerns, and provides practical migration strategies using postMessage, Channel Messaging API, and proper CORS configuration.
This article explains the fundamentals of HTTP and HTTPS, compares their features, details how internet messages travel through DNS, routers, IP and MAC addresses, describes request and response structures, ports, encryption methods, cookies versus sessions, and provides a comprehensive summary of their differences.
This article demystifies authentication concepts—Cookie, Session, Token, JWT, and OAuth2—using clear analogies, explains their inner workings, advantages, drawbacks, and provides practical guidance on when to choose each mechanism for modern web applications.
Learn what CORS (Cross-Origin Resource Sharing) is, why browsers block cross-origin requests, and how to configure servers—using Java, Express.js, or Spring Boot—to handle preflight checks, simple requests, and fine-grained security headers, ensuring safe and functional web applications.
This guide walks through constructing a high‑performance, cost‑effective enterprise‑level Web Application Firewall using OpenResty, covering why OpenResty is ideal, core architecture, modules for request lifecycle management, IP control, rate limiting, SQL injection and XSS detection, intelligent CC protection, monitoring, performance tuning, deployment tips, real‑world case study, and future enhancements.
This article explains the fundamentals of CORS, reviews traditional workarounds, and demonstrates how the Fetch API, import assertions, and emerging web policies provide simpler, more secure solutions for cross‑origin requests in modern frontend development.
This article explains the same‑origin policy, why browsers enforce it, how CORS works—including simple requests, preflight OPTIONS checks, required headers, and credential handling—while providing practical examples and a complete request‑flow diagram for secure web development.
XiaYue, a powerful Burp Suite extension, automates vertical and horizontal privilege escalation detection by comparing responses across multiple permission levels, offering smart deduplication, advanced filtering, parameter replacement, visual data tables, persistent configuration, and performance optimizations, while the author also shares a heartfelt story about their child's school start.
This comprehensive guide walks operations engineers through why Apache security matters, presents core hardening strategies such as hiding server details, blocking directory traversal, enforcing strict security headers, limiting request sizes, and applying IP rate‑limiting, and provides advanced techniques, verification commands, common pitfalls, and an actionable checklist to build a resilient web server.
This article demystifies the differences between Cookie, Session, Token, JWT, and OAuth2, explains their underlying mechanisms, shows practical Spring code examples, compares their security properties and suitable scenarios, and provides clear guidance on choosing the right authentication strategy for modern web applications.
This tutorial walks you through adding Spring Security to a Spring Boot project, from adding the starter dependency and creating a simple controller to observing the default login page, understanding the auto‑generated password mechanism, and customizing usernames and passwords for production use.
This article explains why frontend security is critical, outlines common attacks such as CSRF, XSS (stored, reflected, DOM), and clickjacking, and provides practical defense strategies including CSRF tokens, SameSite cookies, input validation, CSP, X‑Frame‑Options, and secure coding practices for modern web developers.
ZAP (Zed Attack Proxy) is an OWASP open-source web application security testing tool that offers proxy interception, active and passive scanning, integrates with CI/CD pipelines, and supports manual and automated testing to detect vulnerabilities such as SQL injection, XSS, SSRF, and compliance issues.
This article explains the fundamentals of Cross‑Site Scripting attacks, illustrates reflected, stored, and DOM‑based variants with concrete code examples, and presents a four‑step defense strategy—including input validation, output encoding, Content Security Policy, and WAF—to protect web applications.
This article explains how a comprehensive, full‑stack security approach using Spring Security—covering request sanitization, parameterized queries, and built‑in authentication, authorization, CSRF and session safeguards—can dramatically reduce XSS and SQL injection vulnerabilities to near zero.
ZAP (Zed Attack Proxy), an OWASP open‑source web application security testing tool, offers proxy interception, active and passive scanning, CI/CD integration via Docker or command line, and is suited for penetration testing, DevSecOps, and compliance checks such as OWASP Top 10 and PCI DSS.
This article explores why you might need to block copying on a web page—such as paid content, exams, or sensitive data—and presents three front‑end techniques (CSS user‑select, JavaScript event handling, and clipboard modification) with code examples, pros, cons, and practical considerations.
This article explains the fundamentals of the browser's same-origin policy, its security implications, how it restricts DOM, web data and network access, and provides a detailed overview of CORS, including simple requests, preflight checks, required headers, and best practices for safe cross-origin communication.
The HTTP Referer header, a ubiquitous but often overlooked request field, records the source page of a user, aids traffic analysis, enables anti‑hotlinking and CSRF protection, and carries a historic misspelling that led to the Referrer‑Policy standards governing privacy and security.
This article explains what browser fingerprinting is, outlines common techniques such as Navigator, Canvas, and WebGL fingerprints, and provides complete JavaScript examples that collect device information and generate stable hashes, helping developers understand and implement device‑unique identifiers for identity verification.
This guide explains how to answer the common interview question “Can you talk about HTTPS?” by covering its fundamental differences from HTTP, the role of SSL/TLS, confidentiality, integrity and authentication, the TLS handshake process, performance considerations, certificate chains, and how to present this knowledge to showcase both depth and breadth of security expertise.
Cross‑Site Scripting (XSS) is a common web security vulnerability where malicious scripts are injected into pages, and this article explains typical PHP XSS scenarios, demonstrates code examples, and outlines effective mitigation techniques such as htmlspecialchars(), HTML Purifier, proper headers, secure cookies, CSP, and best practices.
This article explains the browser's same‑origin policy, its role in preventing XSS, CSRF and other attacks, details the protocol, host and port rules, illustrates with examples, and then describes CORS, simple and preflight requests, credential handling, and provides a complete request flow diagram.
This tutorial explains the browser same‑origin policy, demonstrates a cross‑origin request failure between two servers, and shows how to configure Nginx with appropriate Access‑Control headers to enable CORS and allow the client to retrieve JSON data safely.
This article introduces Spring Boot 3's filter mechanism, outlines core functions and application scenarios, and provides detailed code examples for eight built‑in filters such as CharacterEncodingFilter, CorsFilter, and HiddenHttpMethodFilter, helping developers build secure and efficient web applications.
The article explains the fundamentals of the browser's same‑origin policy, the security risks it mitigates, how Cross‑Origin Resource Sharing (CORS) works—including simple and preflight requests—and best practices for handling credentials and header restrictions.
This article explains the fundamental differences between HTTP and HTTPS, how internet messages travel through DNS and routers, the roles of IP and MAC addresses, port conventions, request/response structures, encryption methods, digital certificates, and compares cookies with server‑side sessions for state management.
This article explains how to use PHP's LDAP functions to connect to an LDAP server, bind an account, and authenticate users, providing clear code examples for each step in a typical web application authentication workflow.
This article explains the fundamentals of QR code login, covering QR code basics, token‑based authentication, the step‑by‑step process from QR generation to device polling, scanning, confirmation, and token exchange, and discusses security considerations and implementation details for web, PC, and mobile platforms.
This article explains the fundamental differences between HTTP and HTTPS, how internet messages travel through DNS and routers, the roles of ports, request and response structures, encryption methods, digital certificates, and compares cookies with sessions for state management.
This article explains the fundamentals of CORS, reviews traditional mitigation methods, and demonstrates how modern Fetch API options, import assertions, and emerging web standards provide concise, secure ways to handle cross‑origin requests in frontend development.
This article demonstrates how to embed a hidden Facebook Like button that automatically registers likes as the user moves the mouse, using HTML, CSS positioning, JavaScript event handling, and the Facebook SDK, while keeping the element invisible to the user.
This guide provides a comprehensive, step‑by‑step hardening roadmap for Nginx, covering version hiding, directory protection, HTTPS enablement, custom error pages, CSP, file permissions, security headers, connection limits, IP whitelisting, SSL optimization, secure file uploads, common attack mitigations, logging best practices, and additional hardening measures to protect web services from a wide range of threats.
This article explains the fundamentals of SQL injection attacks, demonstrates step‑by‑step exploitation using the DVWA platform—including data extraction, login bypass, and injection point detection—and outlines practical prevention techniques such as input validation, regex filtering, and prepared statements.
A former Bilibili front‑end engineer inserted malicious code that displays a fake ban screen, deletes users' uploaded videos at high speed, and reveals how insider threats can turn a popular video platform into a security nightmare.
A former Bilibili engineer inserted malicious JavaScript into the platform's web frontend, causing some users to see a fake account‑ban notice, which exposed internal code‑review weaknesses and sparked widespread discussion about insider threats and web security.
This article explains the fundamentals of PHP session management, covering how sessions store and transmit user data across pages, essential functions like session_start() and $_SESSION, practical code examples, and common pitfalls to avoid for secure and efficient web applications.
This guide explains the fundamentals of CORS, walks through typical misconfigurations such as HeaderDisallowedByPreflightResponse, Nginx header ordering, and Origin‑Credentials conflicts, and provides complete Nginx examples to reliably enable cross‑origin requests.
Enterprises should follow a six‑phase plan—inventorying domains, securing and installing SSL certificates, configuring servers, redirecting traffic, updating links and sitemaps, testing, and finally enforcing HTTPS‑only access—while monitoring performance impacts such as latency, bandwidth, CPU load, and handshake overhead.
This guide outlines comprehensive, actionable steps for PHP developers to build secure applications by using the latest PHP version, enforcing HTTPS, sanitizing input, managing passwords, preventing XSS and CSRF, handling sessions, logging errors, securing file uploads, and applying the principle of least privilege.
This article outlines essential Laravel security practices, including built‑in authentication, CSRF protection, input validation, HTTPS enforcement, secure session handling, regular dependency updates, and rate limiting, providing developers with concrete steps to protect web applications from common attacks.
This article explains the fundamental differences between HTTP and HTTPS, covering security vulnerabilities, authentication mechanisms, encryption methods, default ports, and performance impacts, helping developers understand why HTTPS is essential for protecting sensitive data on the web.
JSON Web Token (JWT) is a compact, self‑contained, stateless token that encodes header, payload, and signature in Base64URL, enabling secure, signature‑verified authentication without server‑side session storage, simplifying scaling, supporting cross‑domain use, while offering advantages like lightweight extensibility and drawbacks such as revocation difficulty and secret‑key reliance.
This article provides a detailed tutorial on iframe usage in web front‑end development, covering responsive sizing based on the parent window, dynamic height adjustment via postMessage, handling HTTP/HTTPS mismatches, cross‑origin issues, and security considerations such as X‑Frame‑Options.
This tutorial explains how to install LuaJIT, ngx_devel_kit, and lua‑nginx‑module, compile Nginx with Lua support, resolve common libluajit errors, optionally install OpenResty, and configure the ngx_lua_waf module to protect web applications.
This article explains the fundamentals of the browser same‑origin policy, details how CORS and preflight requests work, and discusses related security considerations, while also promoting a ChatGPT community and related services for developers.
This article explains the fundamentals of the same‑origin policy, the security risks it mitigates, and how CORS and preflight requests work in browsers, illustrating the concepts with diagrams, header details, and a complete request flow chart.
This article explains the fundamentals of JSON Web Tokens (JWT), compares token‑based authentication with traditional session authentication, outlines common security threats such as theft, replay, and forgery, and presents practical measures—including HTTPS, encryption, secure storage, short lifetimes, two‑factor authentication, and safe token refresh—to protect token integrity in modern web applications.
This article explains the fundamentals of the Same-Origin Policy, its security implications for DOM, data, and network access, and provides a detailed walkthrough of CORS, including simple requests, preflight requests, and handling of credentials to protect web applications.
This article explains the fundamentals of JSON Web Tokens (JWT), compares token-based authentication with traditional session methods, outlines common security threats such as theft, replay and forgery, and provides practical mitigation measures including HTTPS, encryption, secure storage, short lifetimes, two‑factor authentication, and safe token refresh strategies.
This article explains the browser's Same‑Origin Policy, its role in preventing XSS, CSRF and other attacks, and details how Cross‑Origin Resource Sharing (CORS) works, including simple requests, preflight requests, credential handling, and provides a complete request flow diagram.
The article explains how HTTP’s stateless nature requires session or token mechanisms for preserving user state, compares session‑based and JWT token authentication, details JWT structure, and provides Java code examples for generating, verifying, and extracting token information, while also promoting related services.
This article demonstrates how oversized cookies and their attributes—expires, domain, path, and protocol—can be abused to inflate HTTP headers, trigger server‑side request‑size limits, and launch stealthy denial‑of‑service attacks via XSS and man‑in‑the‑middle techniques.
This article explains the fundamentals of the same‑origin policy, its impact on DOM, web data and network requests, and provides a detailed overview of CORS, simple requests, preflight requests, and the necessary response headers to securely enable cross‑origin communication in modern browsers.
This article explains the PHP setcookie function, detailing its syntax, parameter meanings, and provides multiple practical examples for creating cookies with various lifetimes, paths, domains, and security flags, helping developers effectively manage client-side data in web applications.
This article explains backend web security concepts, detailing logical threats such as CSRF and CORS, their mechanisms, and protection strategies, and then discusses data security measures including access control, encryption, backups, monitoring, and software updates to safeguard web applications.
This article demonstrates how a NextJS SSRF vulnerability (CVE‑2024‑34351) can be exploited by abusing the HTTP Host header, walks through the underlying code, reproduces the attack to retrieve a protected flag file, and discusses mitigation strategies for developers.
This article explains the OAuth2.0 authorization protocol, distinguishes it from single sign‑on, describes its core entities and step‑by‑step flow, and outlines how web servers, user agents, and native applications interact to securely obtain access tokens for protected resources.
This article provides a comprehensive overview of web security, covering authentication, input validation, secure coding practices, SQL injection and XSS attack mechanisms, detection methods, defensive techniques, and best practices for secure file upload and download.
Understanding the SameSite attribute lets developers control cookie transmission across sites, balancing security and usability by choosing Strict for maximum protection, Lax for a user‑friendly compromise, or None (with Secure) for cross‑site scenarios, with practical code examples and usage guidelines.
This article explains the core architecture of Spring Security 6.x, detailing how a chain of servlet Filters implements authentication and authorization, the role of DelegatingFilterProxy, SecurityFilterChain, and the extensible components such as AuthenticationManager, UserDetailsService, and PasswordEncoder.
This article explains how Laravel’s built‑in features—such as Eloquent ORM, CSRF tokens, Blade auto‑escaping, the Hash facade, and the Encrypter service—help developers protect web applications against SQL injection, CSRF, XSS, insecure password storage, and data exposure.
This article explains the concept, definitions, and three deployment types of Single Sign-On (SSO), introduces the Central Authentication Service (CAS) mechanism, and details step‑by‑step login and logout processes across multiple web applications, illustrating each flow with diagrams and examples.
Web application penetration testing is a systematic security assessment that identifies vulnerabilities such as SQL injection, XSS, CSRF, insecure authentication, and file‑upload flaws, using methods ranging from black‑box to manual testing, and follows best practices like OWASP guidelines to protect data, privacy, and system integrity.
This article explains what JWT and Session are, compares their storage, state management, security, performance, cross‑domain support, expiration, use cases, logout mechanisms, and one‑time use scenarios, and helps you decide which authentication approach best suits your application’s needs.
This article explains how to secure file uploads in web applications by validating file types, enforcing size limits, and preventing upload vulnerabilities through safe storage practices, providing PHP code examples for each protective measure.
HTTPS secures web traffic by combining symmetric and asymmetric encryption, digital signatures, and certificate authorities within the TLS protocol to ensure confidentiality, integrity, authentication, and non‑repudiation, replacing insecure HTTP and becoming mandatory for modern browsers, servers, and platforms despite earlier concerns about cost and complexity.
This article explains how to use PHP's LDAP functions to connect to an LDAP server, bind with credentials, and authenticate users, providing step‑by‑step code examples for each stage.
Learn how Cross-Origin Resource Sharing (CORS) works, when it’s needed, the role of preflight requests, essential HTTP headers, and step-by-step Spring Boot solutions—including @CrossOrigin annotations, global configuration, and custom filters—to securely enable cross-domain calls in your applications.
This article provides a detailed, step‑by‑step tutorial for installing and activating Burp Suite Professional, covering file extraction, PowerShell script execution, license entry, manual activation, and final verification, complemented by screenshots for each major step.
This guide shows how to create a tiny gzip‑compressed file, serve it with FastAPI, and exploit automatic decompression in Python's requests library to force a crawler to consume massive memory, effectively turning compression into a denial‑of‑service weapon.
This article explains what CSRF attacks are, how they exploit authenticated browsers through forged requests, outlines the three essential conditions for a successful attack, and presents practical defense measures such as token validation, cookie handling, secondary authentication, and code examples in Java and JSP.
This guide explains how web servers should differentiate between missing authentication information and invalid credentials, detailing when to return 401 Unauthorized or 403 Forbidden, the associated response flows, security best practices, and user‑experience considerations to improve safety and clarity.
This article explains why browsers may issue a duplicate POST request by exploring the same‑origin policy, the mechanics of CORS, the criteria for simple requests, the structure of preflight OPTIONS requests, credential handling, and how development tools like Webpack Dev Server bypass these restrictions.
Advanced interception techniques—such as overriding browser APIs, using ServiceWorkers, employing MutationObservers, creating Proxy‑based sandboxes, and configuring server‑side gateways—provide a flexible middle layer for error reporting, request monitoring, micro‑frontend isolation, and remote debugging, while demanding careful adherence to security policies.
This article explains the same‑origin policy, its role in restricting DOM, data, and network access, introduces Cross‑Origin Resource Sharing (CORS) with simple and preflight requests, and outlines how servers should configure headers to safely enable cross‑origin communication.
This article explains the principles, provides code examples, and outlines preventive measures for LDAP and SQL injection attacks in PHP, helping developers understand how these vulnerabilities work and how to secure their web applications through input validation, parameter binding, and access control.
Cross-Origin Resource Sharing (CORS) extends the Same-Origin Policy by permitting controlled cross‑origin requests through simple and preflight flows, using specific headers and credential rules, thereby balancing web security against threats like XSS, CSRF, and injection attacks while enabling safe resource sharing.
This article explains what Cross‑Site Scripting (XSS) is, describes its various types and the severe threats it poses, and provides comprehensive defense techniques—including input/output validation, HTML/JavaScript encoding, HttpOnly cookies, and secure handling of URLs, CSS, and rich‑text content—to protect web applications from XSS attacks.
This article explains the same‑origin policy, its role in protecting web applications, how browsers enforce it through DOM, web‑data, and network restrictions, and how Cross‑Origin Resource Sharing (CORS) and preflight requests enable controlled cross‑origin communication while maintaining security.
Chrome DevTools now shows a Self‑XSS warning when an inexperienced user tries to paste code, using a simple heuristic that checks for at least five console‑history entries, requiring the user to type “allow pasting” before execution, to protect against social‑engineered attacks that could steal data or hijack accounts.
This tutorial explains how to install Apache, create a simple HTML page, and develop JavaScript and PHP components to build a basic web‑based keylogger, while emphasizing legal and ethical considerations for its use.
This article explains the fundamentals of the browser Same‑Origin Policy, the security risks it mitigates, and how Cross‑Origin Resource Sharing (CORS) with simple and preflight requests enables controlled cross‑domain communication while protecting user data.
This article explains the browser's Same-Origin Policy, its impact on DOM, data, and network access, and how Cross-Origin Resource Sharing (CORS) and preflight requests enable controlled cross-origin communication while preserving security.
This article explains what SQL injection is, demonstrates a vulnerable example, and presents four practical defenses for Java applications—including PreparedStatement, MyBatis #{} placeholders, request‑parameter filtering, and Nginx reverse‑proxy rules—complete with code snippets and configuration details.
