Tagged articles
95 articles
AI Engineer Programming
May 17, 2026 · Fundamentals

Why Are We Still Using Markdown?

The article analyses Markdown's minimalist design, its ambiguous syntax, security flaws such as ReDoS and XSS vulnerabilities, and the growing gap between its original simple transliteration goal and the complex compiler‑like features developers now demand.

CommonMark · ReDoS · Security
0 likes · 14 min read

Black & White Path
Apr 27, 2026 · Information Security

How I Exploited Multiple Vulnerabilities in a University System

This article details a step‑by‑step penetration test on a university’s web platform, covering XSS file uploads, JWT tampering for arbitrary login, massive personal data leakage, SQL injection payloads, and the exposure of several AK/SK secrets, all with concrete screenshots and commands.

JWT · SQL injection · XSS
0 likes · 5 min read

JavaScript
Jan 1, 2026 · Information Security

Why Storing JWT in localStorage Is No Longer Safe and What to Use Instead

Storing JWT tokens in localStorage has become a serious security risk because XSS attacks can steal them, so developers should adopt safer alternatives such as HttpOnly cookies, BFF‑backed sessions, or Service Worker‑based in‑memory storage, each with its own trade‑offs.

Authentication · BFF · CSRF
0 likes · 10 min read

JavaScript
Nov 30, 2025 · Information Security

Why Storing JWT in localStorage Is a Security Nightmare and Safer Alternatives

Storing JWT tokens in localStorage, once a common practice for front‑end authentication, now poses severe XSS risks; this article explains the vulnerabilities, compares HttpOnly cookies, BFF with cookies, and Service Worker‑based solutions, and recommends safer strategies for modern web applications.

BFF · CSRF · HttpOnly cookie
0 likes · 11 min read

php Courses
Nov 26, 2025 · Information Security

How to Harden Your PHP Applications Against Common Attacks

This guide outlines essential PHP security best practices—including timely updates, prepared statements, output escaping, safe file uploads, session hardening, server configuration, input validation, framework usage, and additional tools—to help developers protect web applications from prevalent threats.

SQL injection · Session Management · Web
0 likes · 8 min read

Ray's Galactic Tech
Nov 15, 2025 · Information Security

Spring Boot Security Guide: HTTPS, CSRF, XSS, and Dependency Hardening

This comprehensive guide walks you through securing Spring Boot applications by configuring TLS, implementing Spring Security for authentication, CSRF, XSS and SQL injection defenses, hardening HTTP headers, scanning third‑party dependencies with OWASP Dependency‑Check, and applying best‑practice DevOps hardening steps for a defense‑in‑depth posture.

CSRF · Dependency-Check · HTTPS
0 likes · 7 min read

JavaScript
Sep 22, 2025 · Information Security

Why Storing JWT in localStorage Is a Security Nightmare and What to Use Instead

This article explains why storing JWT tokens in localStorage is unsafe due to XSS vulnerabilities, compares alternatives like HttpOnly cookies, BFF with cookies, and Service Workers, and offers guidance on choosing the most secure authentication strategy for modern frontend applications.

BFF · CSRF · XSS
0 likes · 10 min read

Ops Development & AI Practice
Sep 2, 2025 · Information Security

How XSS Bypasses Browser Sandboxes and What You Can Do About It

Even though modern browsers enforce sandboxing and many frameworks add XSS defenses, a successful cross‑site scripting attack can still break through server and browser protections, allowing attackers to hijack sessions, steal data, scan internal networks, exploit browser bugs, or run cryptojacking scripts.

Browser Security · CSP · Cryptojacking
0 likes · 9 min read

Ops Development & AI Practice
Sep 2, 2025 · Information Security

How a Tiny XSS Bug in Dev Environments Can Compromise Production Secrets

The article reveals how a seemingly harmless XSS flaw in an internal development platform can be weaponized to steal high‑privilege credentials, pivot across internal services, and ultimately breach production systems, urging teams to treat development environments as critical security frontiers.

Application Security · DevOps Security · Infrastructure
0 likes · 9 min read

大转转FE
Aug 19, 2025 · Frontend Development

Essential Frontend Security: Defend Against CSRF, XSS, and Clickjacking

This article explains why frontend security is critical, outlines common attacks such as CSRF, XSS (stored, reflected, DOM), and clickjacking, and provides practical defense strategies including CSRF tokens, SameSite cookies, input validation, CSP, X‑Frame‑Options, and secure coding practices for modern web developers.

CSRF · Secure Coding · Web Security
0 likes · 12 min read

Ops Development & AI Practice
Jul 26, 2025 · Information Security

Mastering XSS: How Attackers Exploit Trust and How to Build Unbreakable Defenses

This article explains the fundamentals of Cross‑Site Scripting attacks, illustrates reflected, stored, and DOM‑based variants with concrete code examples, and presents a four‑step defense strategy—including input validation, output encoding, Content Security Policy, and WAF—to protect web applications.

Content Security Policy · WAF · Web Security
0 likes · 9 min read

Java Architect Essentials
Jul 19, 2025 · Information Security

Why Spring Security’s Full‑Chain Protection Can Eradicate XSS and SQL Injection

This article explains how a comprehensive, full‑stack security approach using Spring Security—covering request sanitization, parameterized queries, and built‑in authentication, authorization, CSRF and session safeguards—can dramatically reduce XSS and SQL injection vulnerabilities to near zero.

Full-Stack Protection · Java · SQL injection
0 likes · 13 min read

JavaScript
Jun 19, 2025 · Information Security

Why Storing JWT in localStorage Is Dangerous and Safer Alternatives for 2025

Storing JWT tokens in localStorage, once a common practice for front‑end authentication, now poses severe XSS risks, prompting developers to adopt more secure methods such as HttpOnly cookies with SameSite protection, BFF‑backed session cookies, or Service Worker‑based token handling, each with trade‑offs.

BFF · CSRF · JWT
0 likes · 8 min read

php Courses
May 28, 2025 · Information Security

Understanding XSS Attacks and Prevention Methods in PHP

Cross‑Site Scripting (XSS) is a common web security vulnerability where malicious scripts are injected into pages, and this article explains typical PHP XSS scenarios, demonstrates code examples, and outlines effective mitigation techniques such as htmlspecialchars(), HTML Purifier, proper headers, secure cookies, CSP, and best practices.

Content Security Policy · PHP · Web Security
0 likes · 5 min read

Wukong Talks Architecture
May 14, 2025 · Information Security

AI-Powered CodeBuddy Uncovers and Fixes Real SQL Injection and XSS Bugs

This article walks through two real-world security flaws—a high‑risk SQL injection and a medium‑risk stored XSS—showing how the CodeBuddy AI assistant can automatically detect, analyze, and remediate them with prepared statements and CSP enhancements, while explaining the underlying concepts and best practices.

AI code review · CodeBuddy · Content Security Policy
0 likes · 13 min read

Java Tech Enthusiast
Apr 27, 2025 · Frontend Development

Common Front-End Security Attacks, Principles, and Mitigations

The article outlines prevalent front‑end security threats such as XSS, SQL injection, CSRF, MITM, clickjacking, misconfiguration, and vulnerable dependencies, explains their underlying principles, and recommends practical mitigations including input validation, CSP, HTTPS/TLS, CSRF tokens, secure headers, regular audits, and dependency scanning.

CSRF · MITM · SQL injection
0 likes · 8 min read

Tencent Technical Engineering
Apr 10, 2025 · Information Security

AI-Generated Code Introduces XSS Vulnerabilities: A Case Study and Security Guidance

The Woodpecker team shows that AI‑generated code, exemplified by Simon Willison’s HTML slideshow tool, can embed unsanitized inputs that create exploitable XSS flaws, and they recommend zero‑trust AI prompts, rigorous input filtering, CSP, AI‑assisted scanning, and secure supply‑chain practices to mitigate such risks.

AI security · CSP · Simon Willison
0 likes · 9 min read

php Courses
Mar 10, 2025 · Information Security

Security Protection Strategies and Vulnerability Mitigation for PHP Applications

This article examines essential security measures for PHP applications, covering protection against SQL injection, XSS, CSRF, unsafe file uploads, session fixation, weak passwords, error disclosure, and the importance of HTTPS, with practical code examples and configuration tips to build more resilient web services.

SQL injection · XSS · file-upload
0 likes · 8 min read

Java Tech Enthusiast
Sep 1, 2024 · Information Security

XSS Defense in Spring Boot Applications

The article explains how to protect Spring Boot applications from XSS attacks by using custom annotations such as @XSS with an XssValidator and by implementing a request‑filter chain—including XssFilter and XssWrapper—to sanitize input, demonstrating through tests that both approaches reliably secure user data.

Java · Security · Spring Boot
0 likes · 14 min read

Open Source Linux
May 23, 2024 · Information Security

Master Common Web & Network Attacks: SQL Injection, XSS, CSRF, DDoS & More

This article provides a comprehensive overview of prevalent web and network security threats—including SQL injection, XSS, CSRF, file‑upload flaws, DDoS, ARP/RARP spoofing, DNS attacks, routing protocols, TCP/UDP differences, HTTP nuances, cookies vs. sessions, and SSL/TLS—along with practical prevention techniques for each.

ARP · CSRF · DDoS
0 likes · 24 min read

MaGe Linux Operations
Jan 6, 2024 · Information Security

Understanding XSS: Types, Risks, and Effective Defense Strategies

This article explains what Cross‑Site Scripting (XSS) is, describes its various types and the severe threats it poses, and provides comprehensive defense techniques—including input/output validation, HTML/JavaScript encoding, HttpOnly cookies, and secure handling of URLs, CSS, and rich‑text content—to protect web applications from XSS attacks.

CSRF · HTML Encoding · Web Security
0 likes · 31 min read

php Courses
Dec 26, 2023 · Information Security

Preventing Cross-Site Scripting (XSS) in PHP Using Data Filtering

This article explains the principles of XSS attacks and demonstrates how to prevent them in PHP by using htmlspecialchars for output escaping, mysqli or PDO prepared statements for database queries, and the filter_var function with appropriate filters, providing clear code examples for each method.

Data Filtering · PHP · Prepared Statements
0 likes · 5 min read

php Courses
Dec 15, 2023 · Backend Development

Using PHP htmlspecialchars() to Escape Special Characters

This article explains the PHP htmlspecialchars() function, its syntax and parameters, demonstrates how to escape special characters, quotes, and specify encoding or disable double‑encoding, and shows how it helps prevent XSS attacks in web applications.

Backend · PHP · XSS
0 likes · 4 min read

php Courses
Dec 13, 2023 · Backend Development

Handling Cross-Origin Requests and Security Restrictions in PHP

This article explains how to use PHP functions such as header(), mysqli_real_escape_string(), and htmlspecialchars() to enable cross-origin resource sharing, handle preflight OPTIONS requests, and protect against SQL injection and XSS attacks, thereby improving web security and user experience.

CORS · PHP · Web Development
0 likes · 4 min read

Test Development Learning Exchange
Oct 16, 2023 · Information Security

Python Techniques for Data Protection and Privacy: Encryption, Hashing, SSL/TLS, and Common Security Measures

This article presents practical Python examples for enhancing network security, covering symmetric and asymmetric encryption, hash functions, password hashing, SSL/TLS communication, SQL injection prevention, XSS mitigation, CSRF protection, and secure password storage to safeguard data and privacy.

CSRF · Hashing · Python
0 likes · 7 min read

php Courses
Sep 16, 2023 · Information Security

How to Use PHP htmlspecialchars() to Escape Special Characters and Prevent XSS

This article explains the purpose, syntax, optional parameters, and practical examples of PHP's htmlspecialchars() function, demonstrating how to safely convert special characters to HTML entities, control encoding and flags, avoid double‑encoding, and follow important usage considerations for secure web development.

PHP · Web Security · XSS
0 likes · 6 min read

php Courses
Aug 11, 2023 · Information Security

PHP Code Security Testing: Review, Tools, and Practices

This article explains how to secure PHP web applications by performing code reviews, validating user input, preventing SQL injection and XSS, and using security testing tools such as PHP Security Scanner, OWASP ZAP, and Kali Linux, along with practical testing methods like boundary, authorization, and exception handling.

Code review · PHP · XSS
0 likes · 5 min read

php Courses
Aug 6, 2023 · Information Security

Common Web Attack Types and Their Mitigation Strategies

This article outlines the most common web attacks—including DDoS, XSS, SQL injection, and CSRF—explains how they compromise website security, and provides practical mitigation techniques such as traffic filtering, input validation, parameterized queries, CSRF tokens, and secure configuration to protect sites and user data.

CSRF · DDoS · Mitigation
0 likes · 10 min read

IT Services Circle
Jul 25, 2023 · Information Security

Exploiting XSS Vulnerabilities and Same‑Origin Policy to Upgrade Risk Levels

This article explains how to combine reflected and stored cross‑site scripting attacks with same‑origin policy abuse to turn a low‑severity XSS vulnerability into a high‑severity issue, detailing discovery, exploitation steps, and a JavaScript payload that harvests user data.

Cross-site scripting · Same-Origin Policy · Web Security
0 likes · 8 min read

php Courses
Jul 5, 2023 · Information Security

Using PHP Security Library Functions to Prevent Code Injection Attacks

This article introduces PHP security library functions such as htmlspecialchars(), htmlentities(), and mysqli_real_escape_string(), demonstrating with code examples how they filter and validate user input to prevent XSS and SQL injection attacks, while noting that additional security measures are still required.

PHP · SQL injection · Security
0 likes · 4 min read

MaGe Linux Operations
Mar 21, 2023 · Information Security

How to Exploit Horizontal Privilege Escalation: A Step‑by‑Step Guide

This article documents a complete horizontal privilege escalation attack, showing how modifying POST parameters, REST‑style paths, and cookies can lead to unauthorized view, edit, and delete of other users' data, followed by techniques to combine the flaw with XSS and CSRF for greater impact.

CSRF · XSS · cookie manipulation
0 likes · 6 min read

Programmer DD
Mar 15, 2023 · Information Security

How to Prevent XSS and SQL Injection in SpringBoot: Filters and Code Examples

This article explains XSS attack types, SQL injection risks, and provides practical SpringBoot filter implementations with MyBatis prepared statements and custom deserializers to sanitize request parameters, JSON bodies, and prevent malicious script and database attacks.

MyBatis · Request Sanitization · SQL injection
0 likes · 13 min read

Laravel Tech Community
Dec 29, 2022 · Information Security

Security Vulnerability Analysis of XiongHai CMS 1.0

The article provides a detailed security analysis of the XiongHai CMS 1.0, describing its directory structure and exposing multiple vulnerabilities including file inclusion, SQL injection, XSS, and vertical privilege escalation, along with example exploit code.

CMS · SQL injection · Vulnerability
0 likes · 8 min read

Sohu Tech Products
Nov 2, 2022 · Information Security

Handling XSS Vulnerabilities in Spring Boot: Request Wrapper, Filters, and Jackson Custom Serialization

This article documents a step‑by‑step solution for preventing XSS attacks in a Spring Boot application, covering input validation, a custom HttpServletRequestWrapper, filter registration, and Jackson serializers/deserializers to escape malicious HTML both on request parameters and JSON payloads.

Jackson · RequestWrapper · Security
0 likes · 16 min read

Sohu Tech Products
Aug 10, 2022 · Frontend Development

React Security Best Practices: Preventing XSS and Safe Rendering

This article explains how to secure React applications by avoiding dangerous HTML injection methods, using proper sanitization, handling server‑side rendering safely, preventing JSON and URL injection, keeping dependencies up‑to‑date, and applying ESLint security rules.

React · Security · Web Development
0 likes · 6 min read

IT Services Circle
Jun 23, 2022 · Information Security

Comprehensive Guide to JWT Authentication: Concepts, Advantages, Security Issues, and Solutions

This article provides an in‑depth overview of JSON Web Tokens (JWT), explaining their structure, authentication workflow, advantages such as statelessness and CSRF protection, drawbacks like revocation difficulty, and presents practical solutions including blacklist, secret rotation, short‑lived tokens and refresh‑token strategies.

Authentication · Backend · CSRF
0 likes · 13 min read

Architecture Digest
Jun 5, 2022 · Information Security

Root Cause Analysis of Cross-Origin Request Errors Triggered by WAF XSS Filtering

The article details a step‑by‑step investigation of a form‑submission cross‑origin error in a front‑back separated system, tracing the HTTP request flow through DNS, Nginx, Tomcat, and finally identifying a WAF XSS rule that blocked a specific moduleExport field, and explains how the issue was resolved by adjusting the WAF configuration.

CORS · Debugging · HTTP
0 likes · 12 min read

vivo Internet Technology
May 11, 2022 · Information Security

Investigation and Resolution of Cross-Origin Errors Caused by WAF XSS Filtering in a Front‑End/Back‑End Separated System

The article recounts a real‑world incident where a JSON POST from a front‑end domain triggered a cross‑origin 418 error because a Web Application Firewall’s XSS filter mistakenly blocked a JavaScript validator field, and after the security team modified the WAF rules the issue was resolved, highlighting systematic debugging and deep knowledge of DNS, Nginx, ingress, Tomcat and WAF layers.

CORS · Cross-Origin · Debugging
0 likes · 12 min read

Laravel Tech Community
Apr 5, 2022 · Information Security

Preventing XSS Attacks in PHP: Best Practices and Code Examples

This article explains various methods to prevent XSS injection in PHP, covering the limitations of built‑in filters, proper use of htmlspecialchars and htmlentities, replacement techniques, and provides comprehensive PHP functions with code examples for sanitizing user input and removing malicious scripts.

Code Example · PHP · Web Security
0 likes · 7 min read

IT Services Circle
Mar 31, 2022 · Information Security

Overview of Common Information Security Techniques: Network, System, and Cryptography

This article provides a comprehensive overview of essential information security technologies, covering network attacks such as SQL injection, XSS, CSRF, DDoS, DNS and TCP hijacking, system vulnerabilities like stack overflow and privilege escalation, and core cryptographic concepts including symmetric/asymmetric encryption, key exchange, hashing, encoding, and multi‑factor authentication.

DDoS · DNS hijacking · SQL injection
0 likes · 23 min read

YunZhu Net Technology Team
Mar 24, 2022 · Information Security

Understanding XSS, CSRF, and Clickjacking: Attack Mechanisms and Defense Measures

This article explains the principles, attack vectors, and mitigation techniques for three common web security threats—Cross‑Site Scripting (XSS), Cross‑Site Request Forgery (CSRF), and Clickjacking—detailing how malicious scripts are injected, how forged requests exploit user credentials, and how defensive headers, token strategies, and frame restrictions can protect applications.

CSRF · Content Security Policy · SameSite
0 likes · 14 min read

Laravel Tech Community
Mar 6, 2022 · Backend Development

PHP Form Validation Tutorial with Security Best Practices

This article provides a comprehensive PHP form validation tutorial, covering required and optional fields, validation rules using regular expressions, secure handling of user input with trim, stripslashes, and htmlspecialchars, prevention of XSS via $_SERVER['PHP_SELF'] sanitization, and includes complete example code for both the HTML form and processing script.

Backend · PHP · XSS
0 likes · 9 min read

21CTO
Jan 26, 2022 · Information Security

Is Vue.js a Security Risk? Analyzing Recent Alerts and Real Code

Recent Chinese security alerts claim hackers exploited Vue.js and SonarQube to launch XSS attacks and steal source code, but the Vue creator clarifies that the vulnerabilities stem from backend API authentication, not the framework itself, while still acknowledging potential XSS risks in Vue applications.

Backend API · Vue.js · XSS
0 likes · 5 min read

Rare Earth Juejin Tech Community
Jan 26, 2022 · Information Security

No Vue Vulnerabilities: SonarQube Issue Is a Backend API Auth Flaw, Not a Front‑end Problem

Recent rumors claimed that foreign hacker groups were exploiting SonarQube and Vue.js to attack government and enterprise systems, but investigation shows the SonarQube flaw is a pure backend API authentication issue unrelated to Vue, and Vue itself has no known security vulnerabilities when standard front‑end safety practices are followed.

API authentication · Security · SonarQube
0 likes · 6 min read

TAL Education Technology
Jan 6, 2022 · Information Security

Web Security Essentials for Front-End Engineers

This article educates front‑end engineers about common web security threats such as XSS, CSRF, directory exposure, SQL injection, command injection, DDoS, and hijacking, and provides practical mitigation techniques and best‑practice principles to build more secure web applications.

CSRF · SQL injection · Web Security
0 likes · 12 min read

政采云技术
Dec 30, 2021 · Information Security

Introduction to Web Security Testing and Common Vulnerabilities

This article introduces web security testing, explains why it is essential, describes common vulnerabilities such as weak passwords, XSS, CSRF, SQL injection, authorization bypass, and file upload issues, and offers practical prevention measures and testing guidelines for developers and testers.

SQL injection · Vulnerability · Web Security
0 likes · 14 min read

Programmer DD
Oct 28, 2021 · Frontend Development

Which Browser Storage Is Best for JWT? Cookie vs localStorage vs sessionStorage

This article compares three browser storage options for JWT—Cookie, localStorage, and sessionStorage—examining how each works, their automatic handling, and security implications such as CSRF and XSS, ultimately recommending Cookies with proper SameSite and HttpOnly settings for stronger protection.

CSRF · Cookie · JWT
0 likes · 4 min read

21CTO
Mar 20, 2021 · Information Security

How TikTok’s Android WebView Exposes Multiple Vulnerabilities Leading to Remote Code Execution

Egyptian security researchers discovered a chain of flaws in TikTok’s Android app—including generic WebView XSS, Add Wiki Activity XSS, intent-based component launch, a Zip Slip in Tma Test Activity, and an RCE exploit—that can be combined to achieve remote code execution, and the report details TikTok’s remediation steps.

Android · Remote Code Execution · TikTok
0 likes · 10 min read

Full-Stack Internet Architecture
Dec 23, 2020 · Information Security

Comprehensive Summary of XSS (Cross‑Site Scripting) Attacks and Defenses

This article provides a comprehensive overview of Cross‑Site Scripting (XSS), covering its definition, impact, underlying mechanisms, classification, common injection vectors, defensive strategies, practical Q&A, and a curated list of reference resources for developers and security professionals.

Cross-site scripting · XSS · frontend security
0 likes · 16 min read

Java Architecture Diary
Dec 2, 2020 · Information Security

How to Prevent XSS Attacks with mica-xss: A Step-by-Step Guide

This article explains what XSS attacks are, demonstrates simple exploitation scenarios, and provides a comprehensive solution using the mica-xss library with Spring MVC, including dependency setup, request filtering, testing methods, and the underlying Jsoup‑based implementation.

Web Security · XSS · input validation
0 likes · 7 min read

Laiye Technology Team
Nov 17, 2020 · Information Security

Comprehensive Security Practices and Vulnerability Mitigation at Laiye Technology

This article details Laiye Technology's end‑to‑end security strategy—including application hardening, password policies, brute‑force defenses, SQL injection, XSS and CSRF mitigations, privilege controls, secure file uploads, code‑review standards, and infrastructure vulnerability scanning—to protect sensitive data and AI‑driven robot platforms from a wide range of attacks.

CSRF · Password policy · SQL injection
0 likes · 21 min read

php Courses
Nov 2, 2020 · Information Security

Common Web Security Vulnerabilities: XSS, SQL Injection, CSRF, CC, DoS and DDoS

This article explains common web security threats—including XSS, SQL injection, CSRF, CC, DoS, and DDoS—detailing their mechanisms, potential impacts, and practical defense strategies such as input validation, token usage, Referer checks, and resource limiting to protect applications and servers.

DoS · SQL injection · XSS
0 likes · 14 min read

Full-Stack Internet Architecture
Oct 12, 2020 · Information Security

Comprehensive Summary of XSS (Cross‑Site Scripting) Attacks and Defenses

This article provides a comprehensive overview of Cross‑Site Scripting (XSS), explaining its definition, dangers, underlying mechanisms, classification into stored, reflected, and DOM‑based types, common injection vectors, and practical defense strategies, while also addressing common questions and resources for further learning.

Cross-site scripting · Web Security · XSS
0 likes · 11 min read

Laravel Tech Community
Sep 30, 2020 · Information Security

Understanding Session Hijacking and Session Fixation in PHP Web Applications

The article explains why web applications must never trust client data, describes how PHP sessions are vulnerable to hijacking and fixation attacks, outlines typical attack vectors such as XSS, cookie theft, and brute‑force, and provides practical defense measures like HttpOnly cookies, token validation, and session regeneration.

Session Hijacking · Web Security · XSS
0 likes · 9 min read

政采云技术
Sep 20, 2020 · Frontend Development

Understanding XSS Attacks in React

This article explains what XSS attacks are, categorizes their types, and demonstrates how React’s automatic escaping, JSX compilation, and internal element validation work together to mitigate XSS vulnerabilities while highlighting common unsafe patterns and server‑side defenses.

React · XSS · frontend security
0 likes · 15 min read
OPPO Amber Lab
Jul 22, 2020 · Information Security

Understanding Web Security: Key Vulnerabilities and Penetration Testing Methods

This article explains the fundamentals of web security, outlines typical web architecture, classifies penetration testing approaches, enumerates common vulnerabilities such as SQL injection, XSS, file upload and deserialization, and discusses how attackers combine these flaws to launch advanced exploits.

Deserialization · SQL injection · Vulnerability Classification
0 likes · 7 min read
转转QA
Oct 9, 2019 · Information Security

Understanding Security Testing: SQL Injection, XSS, CSRF, and Permission Vulnerabilities

This article explains the differences between functional and security testing, introduces common web vulnerabilities such as SQL injection, cross‑site scripting (XSS), and cross‑site request forgery (CSRF), provides concrete code examples, and offers practical tips for detecting and preventing these issues.

CSRF · SQL injection · Web Vulnerabilities
0 likes · 12 min read
Programmer DD
Jul 16, 2019 · Information Security

How to Prevent XSS and SQL Injection in Spring: A Practical Guide

This article explains the dangers of XSS and SQL injection attacks, demonstrates realistic attack scenarios, and provides a comprehensive backend solution using Spring AOP, HttpMessageConverter, custom Servlet Filters, request wrappers, and ESAPI to sanitize inputs and protect web applications.

ESAPI · SQL injection · Security
0 likes · 17 min read
Qunar Tech Salon
Oct 18, 2018 · Information Security

XSS Attacks: Introduction, Classification, Prevention, and Detection

This article explains the fundamentals of Cross‑Site Scripting (XSS) attacks, presents real‑world examples, classifies stored, reflected, and DOM‑based XSS, and provides comprehensive prevention, detection, and mitigation techniques for frontend developers, including proper escaping, whitelist schemes, CSP, and secure coding practices.

CSP · Web Security · XSS
0 likes · 27 min read
Java Backend Technology
May 13, 2018 · Information Security

Why HTTP Is Insecure and How to Defend Against Common Web Attacks

This article explains why plain‑HTTP traffic is vulnerable, outlines encryption tricks, describes file‑path traversal, DNS spoofing, proxy risks, HTTP error codes, POST data formats, cookie security, CSRF, XSS, JSONP, and CORS, and provides practical mitigation techniques for each threat.

CORS · CSRF · Cookie
0 likes · 17 min read
360 Quality & Efficiency
Apr 13, 2018 · Information Security

Common Web Application Vulnerabilities and Their Attack Methods

This article introduces the most common web application vulnerabilities—including SQL injection, XSS, CSRF, file upload, file inclusion, clickjacking, and URL redirect—explaining how attackers exploit them and the potential impacts on websites and their users.

CSRF · SQL injection · Web Security
0 likes · 8 min read
Tencent Cloud Developer
Mar 26, 2018 · Information Security

Seeing a Box and Thinking X: Hacker Mindset and Practical Attack Techniques

Adopting a hacker’s mindset—seeing every UI element as a potential exploit, combining low‑severity flaws, and repurposing ordinary tools like USB HID—reveals hidden attack surfaces and teaches security professionals how to anticipate and defend against both simple and sophisticated threats.

Attack Surface · Hacker Mindset · USB HID Attack
0 likes · 9 min read
ITFLY8 Architecture Home
Mar 11, 2018 · Information Security

Understanding CSRF Attacks: Risks, Detection, and Defense Strategies

This article explains what CSRF (Cross‑Site Request Forgery) is, illustrates its attack model, details the potential damages, walks through the attack process with examples, and outlines practical detection methods and multiple defense techniques including token‑based protection and referer checks.

Anti‑CSRF Token · CSRF · Cross-Site Request Forgery
0 likes · 13 min read
Tencent IMWeb Frontend Team
Aug 28, 2017 · Information Security

7 Surprising JavaScript Tricks to Bypass XSS Filters

This article reveals a collection of unconventional JavaScript techniques—including regex replacement, Unicode escapes, eval tricks, unusual operator combinations, custom getters/setters, and URL‑encoded payloads—that can evade common XSS filters and strengthen your understanding of web security.

Bypass · Security · Unicode
0 likes · 10 min read
Architecture Digest
Aug 11, 2017 · Information Security

Common Web Attacks and Their Mitigation Techniques

The article introduces major web security threats such as XSS, injection, CSRF, explains their mechanisms with examples, and presents defensive measures including input sanitization, HttpOnly cookies, web application firewalls, and encryption methods like hashing, symmetric and asymmetric cryptography.

CSRF · SQL injection · WAF
0 likes · 10 min read
Tencent IMWeb Frontend Team
May 14, 2017 · Information Security

Mastering XSS: A Complete Guide to Understanding and Preventing Cross‑Site Scripting

This comprehensive tutorial explains what XSS is, describes the three main attack types, illustrates how malicious scripts are injected and executed, and provides practical strategies—including encoding, validation, and Content Security Policy—to defend web applications against cross‑site scripting vulnerabilities.

Content Security Policy · Cross-site scripting · XSS
0 likes · 28 min read
ITPUB
Mar 3, 2017 · Information Security

How Attackers Exploit SQL Injection and XSS – Techniques and Defenses

This article explains the mechanics of SQL injection and XSS attacks, demonstrates common exploitation methods such as table‑name guessing, error‑based and union queries, shows a vulnerable authentication script, and provides practical defensive coding techniques to mitigate these threats.

Authentication Bypass · SQL injection · Web Security
0 likes · 10 min read
Java High-Performance Architecture
Oct 8, 2015 · Information Security

Understanding XSS: Types, Exploits, and Effective Defenses

This article explains what Cross‑Site Scripting (XSS) is, distinguishes non‑persistent and persistent attacks with real‑world URL examples, and outlines practical defense strategies such as proper escaping, character‑set handling, and content‑type settings to protect web applications.

Cross-site scripting · XSS · defense
0 likes · 4 min read
High Availability Architecture
Jul 30, 2015 · Information Security

Web Application Security Threats and Mitigation Strategies

This article outlines the most common web application security threats—including XSS, SQL injection, CSRF, transmission hijacking, credential leaks, brute‑force attacks, and token theft—and provides practical mitigation techniques such as proper escaping, CSP, parameterized queries, CSRF tokens, HTTPS, HSTS, HPKP, encrypted password storage, two‑factor authentication, and robust token handling.

CSP · CSRF · HTTPS
0 likes · 26 min read
Architect
Jul 23, 2015 · Information Security

Web Security in Front‑End Development: XSS and CSRF Prevention with Midway

This article explains common web security threats such as XSS and CSRF in a front‑end/back‑end separated architecture and demonstrates how the Midway framework provides HTML escaping, rich‑text filtering, and token‑based CSRF protection to safeguard user data and application integrity.

CSRF · HTML Escape · Midway
0 likes · 13 min read
Baidu Tech Salon
Oct 17, 2014 · Information Security

How to Hook and Hide JavaScript APIs to Thwart XSS Attacks

This article explores practical techniques for intercepting and protecting JavaScript APIs—such as setAttribute—using MutationObserver, API hooks, random token naming, property hiding, and recursive iframe monitoring to build a resilient front‑end defense against XSS and other injection attacks.

API interception · Hook · JavaScript
0 likes · 14 min read
Baidu Tech Salon
Sep 26, 2014 · Information Security

Web Front‑End Security: External Link Restrictions, Rich‑Text XSS, Opener Phishing, and Clickjacking Mitigations

The article outlines front‑end web security tactics—blocking all user‑supplied external links, sanitizing rich‑text to prevent XSS and iframe abuse, nullifying window.opener to stop phishing redirects—while recommending CSP, whitelist CSS, sandboxed iframes, and click‑through confirmations as mitigations.

CSRF · Front-end · Web Security
0 likes · 13 min read
Baidu Tech Salon
Apr 15, 2014 · Information Security

Web Traffic Hijacking: Risks, Techniques, and Defenses

Web traffic hijacking exploits the plaintext nature of HTTP to inject malicious scripts, steal cookies and saved passwords, poison caches or offline storage, bypass HTTPS redirects, and even compromise downloads, making unauthenticated browsing, auto‑fill features, and public Wi‑Fi especially dangerous without proper defenses.

HTTPS · Traffic Hijacking · Web Security
0 likes · 27 min read