AppSec.fyi: A Curated Collection of Application Security Resources

As security researchers and professionals, we often find ourselves searching through countless resources, documentation, and references while working on projects or investigating vulnerabilities. Having a well-organized collection of links and resources can be invaluable for both learning and day-to-day work. This is exactly what appsec.fyi provides - a thoughtfully curated collection of application security resources that serves as a go-to reference point for security professionals.

What is AppSec.fyi?

AppSec.fyi describes itself as “a somewhat curated list of links to various topics in appsec. Mostly, but not always related to application security.” This humble description understates the value of what the site offers. At its core, it’s a centralized hub that organizes security knowledge across multiple domains, making it easy to find authoritative sources and reference materials for common vulnerabilities and security topics. ...

January 18, 2026 · 5 min · chs

What Is Variant Hunting in Security? A Deep Dive

Variant hunting is one of the highest-impact activities in modern security research. Rather than looking for single, isolated vulnerabilities, variant hunting focuses on identifying patterns of flaws and tracking down all other instances of that pattern across products, codebases, or architectures. If a traditional vulnerability report is a single missing brick, variant hunting is discovering that the entire wall was built using the wrong blueprint.

🔍 What Exactly Is Variant Hunting?

Variant hunting is the practice of: ...

December 3, 2025 · 3 min · Carl Sampson

Writing Secure Python Applications: Preventing SSRF, SQL Injection, and XSS

1. Core Security Foundations

- Treat all input as untrusted. Validate strictly (whitelists over blacklists), normalize before checks, and enforce types and sizes.
- Use framework security features instead of writing your own.
- Least privilege: minimize DB, filesystem, and network permissions.
- Secrets management: use environment variables or secret stores, never hardcode.
- Dependency hygiene: pin and audit dependencies with pip-audit or Safety.
- Secure HTTP headers: add HSTS, X-Frame-Options, CSP, and others.
- Logging & monitoring: log relevant events, but never credentials.
- Testing: integrate Bandit and Semgrep in CI.

2. Preventing SQL Injection (SQLi)

Principle: Never build queries using string concatenation. ...

November 3, 2025 · 3 min · Carl Sampson

Python 3.13 Major Step Forward

Python 3.13: A Major Step Forward for Python Developers

Released on October 7, 2024, Python 3.13 brings several high-impact enhancements—most notably a modernized REPL, experimental performance features, improved developer ergonomics, and valuable standard library upgrades. (Sources: Real Python, Python.org)

1. A Smarter, More User-Friendly REPL

Python 3.13’s interactive interpreter (REPL) is a substantial quality-of-life improvement:

- Block-level editing and history: Now, up-arrow lets you recall entire code blocks—no more juggling line-by-line history. ...

September 6, 2025 · 2 min · Carl Sampson

Understanding HTTP Request Smuggling Attacks

HTTP Request Smuggling (HRS) is a powerful web application vulnerability that exploits discrepancies in how different servers or intermediaries parse and handle HTTP requests. This misalignment can allow an attacker to “smuggle” a malicious request through a front-end server (such as a load balancer, proxy, or CDN) so that it is interpreted differently by the back-end server.

How HTTP Request Smuggling Works

Modern web applications often rely on chains of intermediaries — proxies, reverse proxies, CDNs, and application servers. These components must all agree on where one HTTP request ends and the next begins. If they disagree, attackers can craft specially malformed requests that cause desynchronization. ...

September 6, 2025 · 2 min · Carl Sampson

Exploring SSRF Attack Vectors: Understanding the Threat

Server-Side Request Forgery (SSRF) is a type of security vulnerability that allows an attacker to send crafted requests from a vulnerable server to internal or external resources. This can lead to unauthorized access to sensitive data, manipulation of server behavior, or even exploitation of other services within the network. SSRF exploits the trust that a server has in its own requests, allowing attackers to leverage this trust to perform actions that would typically be restricted. ...

May 12, 2025 · 7 min · chs

SSRF Defense

Defending Your Web Applications Against Server-Side Request Forgery (SSRF) Attacks

In today’s interconnected digital landscape, web applications face a myriad of security threats. One often overlooked but potentially devastating vulnerability is Server-Side Request Forgery (SSRF). Did you know that, according to a recent report, SSRF attacks have increased by a staggering 270% in the past year alone? In this blog post, we’ll dive into what SSRF is, how it can impact your web applications, and most importantly, the steps you can take to defend against these insidious attacks. ...

April 28, 2025 · 3 min · chs

Exploring Python’s New Subinterpreters

The Python community never ceases to innovate. One of the most recent additions to Python’s vast feature set is “subinterpreters”. As the name suggests, subinterpreters provide a way to run multiple isolated Python interpreters within a single process. Let’s dive deeper into this novel concept and discuss its advantages and potential use cases.

What are Subinterpreters?

At a high level, each subinterpreter in Python has its own distinct memory space and execution state. This means that objects and modules created within one subinterpreter aren’t directly accessible from another. Imagine them as isolated rooms in the large house of the Python process, each running its own Python code, but unable to peek into the other rooms. ...

November 29, 2023 · 2 min · chs

What is GitHub CoPilot?

GitHub Copilot is an AI-powered coding assistant developed by GitHub in collaboration with OpenAI. It uses machine learning algorithms to assist developers in writing code by suggesting code snippets based on the context of the code being written. This powerful tool has the ability to autocomplete code, provide inline documentation, and generate entire functions, making coding easier and more efficient. GitHub Copilot is built on top of OpenAI’s GPT-3 language model, which has been trained on a vast amount of data from a variety of sources, including code repositories, documentation, and programming languages. With this vast amount of data, GitHub Copilot can understand the context of the code being written and provide relevant suggestions in real time. ...

May 2, 2023 · 1 min · chs

Getting Started with Requests

Python is a powerful language with a rich set of libraries, making it an excellent choice for web scraping, automation, and data analysis. One such library is the Requests library, which makes it easy to make HTTP requests and handle HTTP responses in Python. In this blog post, we will explore how to get started with using the Requests library in Python.

Installation

The first step to using the Requests library is to install it. The easiest way to do this is using pip, Python’s package manager. Open a terminal or command prompt and run the following command: ...

April 7, 2023 · 3 min · chs