OWASP A01: Broken Access Control Prevention Guide

I’ve been hunting access control bugs for over a decade, and let me tell you - they’re everywhere. When OWASP moved broken access control to #1 in 2025 and merged SSRF into this category, I wasn’t surprised. I was relieved that the security community finally caught up to what I’ve been seeing in the wild. 94% of applications tested have broken access control issues. That’s not a typo - it’s a security apocalypse hiding in plain sight. ...

May 6, 2026 · Carl Sampson

OWASP Top 10 2025 Developer Guide

I’ve been working with the OWASP Top 10 for years, and the 2025 update just dropped some major changes that every developer needs to understand. Supply chain attacks finally made it into the top 10 (as A03), and honestly, it’s about time. I’ve been seeing these attacks destroy companies for the past few years. Here’s the thing about OWASP Top 10 2025: it’s not just updating the old list - it’s completely rethinking modern threats. Security misconfiguration jumped from #5 to #2, and they merged SSRF into broken access control because that’s how attackers actually chain these vulnerabilities together. ...

May 5, 2026 · Carl Sampson

OWASP A02: Security Misconfiguration Guide 2025

🛡️ OWASP Top 10 2025 Series: complete guides to modern web application security vulnerabilities.
📚 Complete Guide: OWASP Top 10 2025: Complete Developer Guide (comprehensive overview of all vulnerabilities, rankings, and the modern threat landscape).
🎯 Individual Vulnerability Guides:
A01: Broken Access Control (includes SSRF)
A02: Security Misconfiguration (jumped to #2)
A03: Software Supply Chain (coming next)
A04: Cryptographic Failures (coming soon)
A05: Injection (coming soon)
A06: Vulnerable Components (coming soon)
A07: Authentication Failures (coming soon)
A08: Integrity Failures (coming soon)
A09: Logging & Monitoring (coming soon)
A10: Exception Handling (coming soon)
👨‍💻 Written by Carl Sampson, security researcher with 15+ years of experience and OWASP Indianapolis Chapter founder ...

May 5, 2026 · Carl Sampson

Python SSRF Prevention Guide [2026]

I’ve been hunting SSRF bugs in Python applications for over five years, and the number of vulnerable codebases I encounter is honestly terrifying. Flask apps with requests.get(user_input) scattered everywhere. Django views that blindly fetch URLs from form data. FastAPI endpoints that turn your server into an attacker’s proxy. The worst part? Most developers don’t realize they’re building SSRF vulnerabilities until it’s too late. By then, attackers have already stolen your AWS credentials or mapped your entire internal network. ...

May 1, 2026 · Carl Sampson

CSRF vs SSRF: Developer Guide [2026]

CSRF and SSRF sound like they’re related - they both have “request forgery” in the name, after all. But they’re completely different beasts that’ll bite you in completely different ways. I’ve spent way too many nights debugging both of these vulnerabilities, and the confusion between them has cost teams serious security incidents. Let me break down exactly what each one does and how to stop them before they wreck your app. ...

May 1, 2026 · Carl Sampson

AppSec.fyi Hits 2,200+ Resources: What's New

Back in January I wrote about the launch of AppSec.fyi, the curated application security resource library I built and maintain. Three months later, I’ve added enough to warrant an update. What started as a clean list of links organized by vulnerability class has turned into something closer to a full reference platform.
By the Numbers
The resource count has crossed 2,241 items spread across 24 distinct categories. That’s a significant jump from the handful of core vulnerability classes I launched with. The original categories — XSS, SQLi, SSRF, IDOR, XXE, RCE, CSRF — are still there, but I’ve expanded into areas that reflect where application security is actually headed. ...

April 7, 2026 · Carl Sampson

MCP Tool Poisoning: Hidden Attack Surface

I run about a dozen MCP servers in my daily workflow. Playwright for browser automation, Raindrop for bookmarks, Todoist for tasks, a couple of custom ones. Every time I start a Claude Code session, my agent loads all of their tool descriptions into context and uses them to decide what to call. Last month I started thinking about what would happen if one of those tool descriptions was lying to me. ...

April 3, 2026 · Carl Sampson

csp-toolkit: CSP Header Analysis at Scale

There’s no Python library for parsing Content Security Policy headers. I checked PyPI, I checked GitHub — nothing. Google has a CSP Evaluator web tool and an npm package, but if you want to analyze CSP programmatically in Python — for recon scripts, bug bounty automation, or CI pipelines — you’re on your own. So I built one. csp-toolkit is a Python library and CLI tool that parses CSP headers, runs 21 weakness checks, finds bypass vectors against a database of 79 known-exploitable domains, scores policies A+ to F, and does a lot more. The current release is v0.6.2 on PyPI (changelog). ...

March 27, 2026 · Carl Sampson

Use-After-Free: Classic Memory Corruption Guide

Use-after-free (UaF) vulnerabilities are one of the most exploited classes of memory corruption bugs. They’ve been at the heart of browser zero-days, Linux kernel privilege escalations, and countless CVEs. Despite being well understood, they remain stubbornly common — a testament to how easy they are to introduce and how hard they are to catch with conventional testing.
What Is a Use-After-Free?
A use-after-free occurs when a program:
1. Allocates a chunk of memory on the heap
2. Frees that memory (returning it to the allocator)
3. Continues to use a pointer that still references the now-freed region
The memory is no longer “owned” by the program. The allocator is free to give it to something else. When the program reads or writes through the dangling pointer, it’s operating on memory that may now belong to an entirely different object — or may have been zeroed, corrupted, or repurposed by an attacker. ...

March 17, 2026 · Carl Sampson

CVE-2026-27696: SSRF in changedetection.io

A high-severity SSRF vulnerability (CVSS 8.6) was disclosed on February 25, 2026 in changedetection.io, a popular open-source tool for monitoring web page changes. The bug is a textbook example of a failed allowlist/denylist approach to URL validation — and the default unauthenticated configuration makes it exploitable by anyone with network access to the instance.
What is changedetection.io?
changedetection.io is a self-hosted service that watches URLs for content changes and alerts you when something changes. It’s commonly used by developers, researchers, and sysadmins to monitor pages, APIs, and dashboards. The tool fetches URLs on your behalf — which is exactly the trust relationship SSRF attacks exploit. ...

February 27, 2026 · Carl Sampson

AppSec.fyi: Curated Security Resources

As security professionals, we spend a lot of time searching through resources, documentation, and references while working on projects or investigating vulnerabilities. I got tired of hunting for the same links over and over, so I built AppSec.fyi — a curated collection of application security resources that serves as the go-to reference I always wanted.
What is AppSec.fyi?
AppSec.fyi is a centralized hub that organizes security knowledge across multiple domains, making it easy to find authoritative sources and reference materials for common vulnerabilities and security topics. I describe it as “a somewhat curated list of links to various topics in appsec” — though that undersells it a bit at this point. ...

January 18, 2026 · Carl Sampson

What Is Variant Hunting in Security? A Deep Dive

Variant hunting is one of the highest-impact activities in modern security research. Rather than looking for single, isolated vulnerabilities, variant hunting focuses on identifying patterns of flaws and tracking down all other instances of that pattern across products, codebases, or architectures. If a traditional vulnerability report is a single missing brick, variant hunting is discovering that the entire wall was built using the wrong blueprint.
Quick Answer: What is Variant Hunting?
Variant hunting is a security research methodology that: ...

December 3, 2025 · Carl Sampson

Secure Python Applications Guide [2026]

I’ve been writing Python applications for over a decade, and I’ve seen every possible way to screw up security. The good news? Most Python security issues fall into predictable patterns that you can defend against systematically. This guide covers the three vulnerabilities that keep showing up in my security reviews: SSRF, SQL injection, and XSS. Master these defenses, and you’ll stop 80% of the attacks before they start. 📊 OWASP 2025 Context: These vulnerabilities map directly to the OWASP Top 10 2025 - SSRF is now part of A01 Broken Access Control, injection dropped to A05 (thanks to better frameworks), while misconfigurations jumped to #2. Understanding the current threat landscape helps you prioritize your security efforts. ...

November 3, 2025 · Carl Sampson

Python 3.13 Major Step Forward

Python 3.13: A Major Step Forward for Python Developers
Released on October 7, 2024, Python 3.13 brings several high-impact enhancements—most notably a modernized REPL, experimental performance features, improved developer ergonomics, and valuable standard library upgrades. (Sources: Real Python, Python.org)
1. A Smarter, More User-Friendly REPL
Python 3.13’s interactive interpreter (REPL) is a substantial quality-of-life improvement:
Block-level editing and history: Now, up-arrow lets you recall entire code blocks—no more juggling line-by-line history. ...

September 6, 2025 · Carl Sampson

Understanding HTTP Request Smuggling Attacks

HTTP Request Smuggling (HRS) is a powerful web application vulnerability that exploits discrepancies in how different servers or intermediaries parse and handle HTTP requests. This misalignment can allow an attacker to “smuggle” a malicious request through a front-end server (such as a load balancer, proxy, or CDN) so that it is interpreted differently by the back-end server.
How HTTP Request Smuggling Works
Modern web applications often rely on chains of intermediaries — proxies, reverse proxies, CDNs, and application servers. These components must all agree on where one HTTP request ends and the next begins. If they disagree, attackers can craft specially malformed requests that cause desynchronization. ...

September 6, 2025 · Carl Sampson

7 Critical SSRF Attack Techniques [2026]

Server-Side Request Forgery (SSRF) is a type of security vulnerability that allows an attacker to send crafted requests from a vulnerable server to internal or external resources. This can lead to unauthorized access to sensitive data, manipulation of server behavior, or even exploitation of other services within the network. SSRF exploits the trust that a server has in its own requests, allowing attackers to leverage this trust to perform actions that would typically be restricted. ...

May 12, 2025 · Carl Sampson

SSRF Prevention Guide [2026]

I’ve been dealing with SSRF vulnerabilities for years, and they’re honestly one of the scariest bugs you’ll encounter. While everyone obsesses over XSS and SQL injection, SSRF quietly lets attackers break into your internal network and steal your cloud credentials. The worst part? Most developers don’t even know their code is vulnerable until it’s too late. Update 2026: SSRF has been consolidated into A01: Broken Access Control in the OWASP Top 10 2025, reflecting how attackers actually chain SSRF with access control bypasses. This guide covers SSRF-specific defenses, but check the complete OWASP 2025 analysis for the broader access control security picture. ...

April 28, 2025 · Carl Sampson

Exploring Python's New Subinterpreters

Python’s subinterpreters provide a way to run multiple isolated Python interpreters within a single process. Each subinterpreter has its own memory space, module state, and execution context — like separate Python processes, but sharing the same OS process and its resources. This feature has been in development for years and became practically usable in Python 3.12+ with PEP 684 (per-interpreter GIL).
What Are Subinterpreters?
Each subinterpreter runs its own Python code with its own: ...

November 29, 2023 · Carl Sampson

What is GitHub Copilot?

GitHub Copilot is an AI-powered coding assistant developed by GitHub in collaboration with OpenAI. It uses large language models trained on public code repositories to suggest code completions, generate entire functions, and assist with a wide range of programming tasks directly in your editor.
Quick Answer: What is GitHub Copilot?
GitHub Copilot is an AI-powered coding assistant that:
- Suggests code completions and entire functions in real-time
- Uses OpenAI’s language models trained on billions of lines of public code
- Integrates directly into popular editors (VS Code, JetBrains, Neovim)
- Supports dozens of programming languages and frameworks
- Helps developers write code faster by understanding context and intent
- Works like “autocomplete for code” but with AI understanding of programming patterns
How It Works
Copilot is powered by OpenAI’s Codex and GPT-4-class models (the underlying models have evolved significantly since launch). It analyzes the context of your current file — comments, function signatures, variable names, surrounding code — and generates suggestions in real time. ...

May 2, 2023 · Carl Sampson

Getting Started with Requests

The Requests library is the de facto standard for making HTTP requests in Python. It wraps the complexities of urllib into a clean, intuitive API that reads almost like English. Whether you’re calling APIs, scraping pages, or automating web interactions, Requests is usually the right tool.
Installation
    pip install requests
Making a GET Request
    import requests

    response = requests.get("https://jsonplaceholder.typicode.com/posts/1")
    print(response.status_code)  # Output: 200
    print(response.json())       # Output: {'userId': 1, 'id': 1, 'title': '...', 'body': '...'}
Use .json() to parse JSON responses directly — no need to import json and call json.loads() separately. ...

April 7, 2023 · Carl Sampson

What is the Common Weakness Enumeration (CWE)?

The Common Weakness Enumeration (CWE) is a community-developed catalog of software and hardware security weaknesses maintained by the MITRE Corporation. It assigns each type of vulnerability a unique identifier, a description, and guidance on prevention. If you work in application security — or write code that needs to be secure — CWE is a foundational reference.
Quick Answer: What is CWE?
CWE (Common Weakness Enumeration) is a standardized catalog of software security weaknesses that: ...

April 4, 2023 · Carl Sampson

List Slicing in Python

List slicing is one of Python’s most elegant features — a concise syntax for extracting portions of a list without writing explicit loops. Once you internalize the [start:end:step] pattern, you’ll use it constantly.
Basic Syntax
    list[start:end:step]
start — index of the first element to include (default: beginning)
end — index of the first element to exclude (default: end)
step — interval between elements (default: 1)
The key insight: start is inclusive, end is exclusive. ...

April 3, 2023 · Carl Sampson

Mastering Python's 'in' Operator

The in operator is one of Python’s most intuitive keywords. It checks whether a value exists inside a container — a list, tuple, set, dictionary, or string — and returns True or False. Simple as it sounds, understanding when and how to use it (and its performance implications) makes a real difference in your code.
Lists and Tuples
    fruits = ['apple', 'banana', 'cherry']
    if 'apple' in fruits:
        print("Apple is in the list")
    # Output: Apple is in the list
Tuples work identically: ...

April 2, 2023 · Carl Sampson

Python Dunder Methods: The Magic Behind Classes

Dunder methods — short for “double underscore” methods — are Python’s mechanism for letting your classes hook into the language’s built-in behavior. When you write len(obj), Python calls obj.__len__(). When you write a + b, Python calls a.__add__(b). Understanding dunders is the key to writing classes that feel native to Python.
What is a Dunder Method?
A dunder method has a name surrounded by double underscores: __init__, __str__, __add__, etc. Python defines dozens of these hooks. You override them in your classes to customize how instances behave with operators, built-in functions, and language constructs. ...

April 2, 2023 · Carl Sampson

Python List Comprehension

List comprehensions are one of Python’s most distinctive features — a concise, readable syntax for creating lists from existing iterables. They replace verbose for loops with a single expressive line, and they’re faster too, because the iteration happens in C under the hood rather than through the Python bytecode interpreter.
Basic Syntax
    [expression for item in iterable if condition]
expression — the value to include in the new list
item — a temporary variable that takes each value from the iterable
iterable — any object you can loop over: list, tuple, string, range, generator
condition (optional) — a filter that includes only items that pass the test
Simple Examples
Squares of even numbers: ...

March 23, 2023 · Carl Sampson

Python Magic Methods Complete Guide

Magic methods (also called dunder methods) are special methods surrounded by double underscores that let you define how your class instances interact with Python’s built-in operations. When you use + on two objects, Python calls __add__. When you call len(), Python calls __len__. This reference covers the most commonly used magic methods organized by category.
Initialization and Lifecycle
Method              | Triggered By             | Purpose
__init__(self, ...) | MyClass()                | Initialize instance attributes
__new__(cls, ...)   | Before __init__          | Control instance creation (rarely needed)
__del__(self)       | Object garbage collected | Cleanup (prefer context managers instead)
    class User:
        def __init__(self, name, email):
            self.name = name
            self.email = email

    user = User("Carl", "carl@example.com")
String Representation
Method                | Triggered By               | Purpose
__str__(self)         | str(obj), print(obj)       | Human-readable string
__repr__(self)        | repr(obj), REPL display    | Developer/debug string
__format__(self, spec)| format(obj, spec), f-strings | Custom formatting
    class Point:
        def __init__(self, x, y):
            self.x = x
            self.y = y

        def __repr__(self):
            return f"Point({self.x}, {self.y})"

        def __str__(self):
            return f"({self.x}, {self.y})"

    p = Point(3, 4)
    print(repr(p))  # Point(3, 4)
    print(p)        # (3, 4)
Comparison Operators
Method             | Operator
__eq__(self, other)| ==
__ne__(self, other)| !=
__lt__(self, other)| <
__le__(self, other)| <=
__gt__(self, other)| >
__ge__(self, other)| >=
    from functools import total_ordering

    @total_ordering
    class Temperature:
        def __init__(self, celsius):
            self.celsius = celsius

        def __eq__(self, other):
            return self.celsius == other.celsius

        def __lt__(self, other):
            return self.celsius < other.celsius

    freezing = Temperature(0)
    boiling = Temperature(100)
    print(freezing < boiling)   # True
    print(freezing >= boiling)  # False (from @total_ordering)
With @total_ordering, you only need __eq__ and one of __lt__/__gt__ — Python derives the rest. ...

March 22, 2023 · Carl Sampson

The 5 coolest things about using Python

Python has numerous cool features that make it one of the most popular programming languages in the world. Here are five that stand out — with code to prove it.
1. Readability and Simplicity
Python’s clean syntax emphasizes readability, making it easy for both beginners and experienced programmers to understand code at a glance:
    # Reading a file is straightforward and safe
    with open("data.txt") as f:
        for line in f:
            print(line.strip())
The with statement handles resource cleanup automatically. The intent of the code is obvious. Compare this to the equivalent boilerplate in Java or C++ and the difference is striking. ...

March 21, 2023 · Carl Sampson

XXE Injection Payloads for Security Testing

XML External Entity (XXE) injection exploits applications that parse XML input without disabling external entity resolution. If the XML parser is misconfigured (which many are by default), an attacker can define custom entities that read local files, make network requests, or cause denial of service. These payloads are for authorized security testing only.
What is XXE?
When an XML parser processes a document, it can resolve entities defined in the DOCTYPE declaration. External entities use the SYSTEM keyword to reference files or URLs. If the parser resolves these without restriction, the attacker controls what the server reads and where it sends data. ...

March 14, 2023 · Carl Sampson

Content Security Policy Complete Guide [2026]

Content Security Policy (CSP) is a browser security mechanism that controls which resources a web page is allowed to load. By declaring a policy via HTTP header, you tell the browser exactly which scripts, styles, images, fonts, and connections are permitted. Anything not explicitly allowed is blocked. CSP is one of the most effective defenses against Cross-Site Scripting (XSS) and data injection attacks.
How CSP Works
CSP is delivered as an HTTP response header: ...

February 23, 2023 · Carl Sampson

Context Managers in Python

Context managers are Python’s answer to resource management — ensuring that files get closed, locks get released, and database connections get returned to the pool, even when exceptions occur. The with statement makes this pattern concise and reliable.
The with Statement
The most common context manager is open() for file handling:
    with open("example.txt", "w") as file:
        file.write("Hello, World!")
    # File is automatically closed here, even if write() raises an exception
Without with, you’d need a try/finally block: ...

February 22, 2023 · Carl Sampson