Blogs

Back in January I wrote about the launch of AppSec.fyi, the curated application security resource library I built and maintain. Three months later, I’ve added enough to warrant an update. What started as a clean list of links organized by vulnerability class has turned into something closer to a full reference platform. By the Numbers The resource count has crossed 2,241 items spread across 24 distinct categories. That’s a significant jump from the handful of core vulnerability classes I launched with. The original categories — XSS, SQLi, SSRF, IDOR, XXE, RCE, CSRF — are still there, but I’ve expanded into areas that reflect where application security is actually headed. ...

I run about a dozen MCP servers in my daily workflow. Playwright for browser automation, Raindrop for bookmarks, Todoist for tasks, a couple of custom ones. Every time I start a Claude Code session, my agent loads all of their tool descriptions into context and uses them to decide what to call. Last month I started thinking about what would happen if one of those tool descriptions was lying to me. ...

There’s no Python library for parsing Content Security Policy headers. I checked PyPI, I checked GitHub — nothing. Google has a CSP Evaluator web tool and an npm package, but if you want to analyze CSP programmatically in Python — for recon scripts, bug bounty automation, or CI pipelines — you’re on your own. So I built one. csp-toolkit is a Python library and CLI tool that parses CSP headers, runs 21 weakness checks, finds bypass vectors against a database of 79 known-exploitable domains, scores policies A+ to F, and does a lot more. The current release is v0.6.2 on PyPI (changelog). ...

Use-after-free (UaF) vulnerabilities are one of the most exploited classes of memory corruption bugs. They’ve been at the heart of browser zero-days, Linux kernel privilege escalations, and countless CVEs. Despite being well understood, they remain stubbornly common — a testament to how easy they are to introduce and how hard they are to catch with conventional testing. What Is a Use-After-Free? A use-after-free occurs when a program: Allocates a chunk of memory on the heap Frees that memory (returning it to the allocator) Continues to use a pointer that still references the now-freed region The memory is no longer “owned” by the program. The allocator is free to give it to something else. When the program reads or writes through the dangling pointer, it’s operating on memory that may now belong to an entirely different object — or may have been zeroed, corrupted, or repurposed by an attacker. ...

A high-severity SSRF vulnerability (CVSS 8.6) was disclosed on February 25, 2026 in changedetection.io, a popular open-source tool for monitoring web page changes. The bug is a textbook example of a failed allowlist/denylist approach to URL validation — and the default unauthenticated configuration makes it exploitable by anyone with network access to the instance. What is changedetection.io? changedetection.io is a self-hosted service that watches URLs for content changes and alerts you when something changes. It’s commonly used by developers, researchers, and sysadmins to monitor pages, APIs, and dashboards. The tool fetches URLs on your behalf — which is exactly the trust relationship SSRF attacks exploit. ...

As security professionals, we spend a lot of time searching through resources, documentation, and references while working on projects or investigating vulnerabilities. I got tired of hunting for the same links over and over, so I built AppSec.fyi — a curated collection of application security resources that serves as the go-to reference I always wanted. What is AppSec.fyi? AppSec.fyi is a centralized hub that organizes security knowledge across multiple domains, making it easy to find authoritative sources and reference materials for common vulnerabilities and security topics. I describe it as “a somewhat curated list of links to various topics in appsec” — though that undersells it a bit at this point. ...

Variant hunting is one of the highest-impact activities in modern security research. Rather than looking for single, isolated vulnerabilities, variant hunting focuses on identifying patterns of flaws and tracking down all other instances of that pattern across products, codebases, or architectures. If a traditional vulnerability report is a single missing brick, variant hunting is discovering that the entire wall was built using the wrong blueprint. 🔍 What Exactly Is Variant Hunting? Variant hunting is the practice of: ...

1. Core Security Foundations Treat all input as untrusted. Validate strictly (whitelists over blacklists), normalize before checks, and enforce types and sizes. Use framework security features instead of writing your own. Least privilege: minimize DB, filesystem, and network permissions. Secrets management: use environment variables or secret stores, never hardcode. Dependency hygiene: pin and audit dependencies with pip-audit or Safety. Secure HTTP headers: add HSTS, X-Frame-Options, CSP, and others. Logging & monitoring: log relevant events, but never credentials. Testing: integrate Bandit and Semgrep in CI. 2. Preventing SQL Injection (SQLi) Principle: Never build queries using string concatenation. ...

Python 3.13: A Major Step Forward for Python Developers Released on October 7, 2024, Python 3.13 brings several high-impact enhancements—most notably a modernized REPL, experimental performance features, improved developer ergonomics, and valuable standard library upgrades. Real Python Python.org 1. A Smarter, More User-Friendly REPL Python 3.13’s interactive interpreter (REPL) is a substantial quality-of-life improvement: Block-level editing and history: Now, up-arrow lets you recall entire code blocks—no more juggling line-by-line history. ...

HTTP Request Smuggling (HRS) is a powerful web application vulnerability that exploits discrepancies in how different servers or intermediaries parse and handle HTTP requests. This misalignment can allow an attacker to “smuggle” a malicious request through a front-end server (such as a load balancer, proxy, or CDN) so that it is interpreted differently by the back-end server. How HTTP Request Smuggling Works Modern web applications often rely on chains of intermediaries — proxies, reverse proxies, CDNs, and application servers. These components must all agree on where one HTTP request ends and the next begins. If they disagree, attackers can craft specially malformed requests that cause desynchronization. ...