https://chs.us/en-uscarl.sampson@gmail.com (Carl Sampson)carl.sampson@gmail.com (Carl Sampson)Sun, 12 Apr 2026 21:17:44 -0400https://chs.us/guides/xss/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/xss/A practitioner's reference for Cross-Site Scripting — attack surface, context-aware payloads, filter/WAF/CSP bypass techniques, framework-specific vulnerabilities, real-world chains, and detection/prevention. Compiled from 294 research sources.Security-GuidesXssWeb-SecurityJavascriptPenetration-Testinghttps://chs.us/guides/ssrf/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/ssrf/A practitioner's reference for Server-Side Request Forgery — attack surface, exploitation techniques, bypass methods, real-world chains, and detection/prevention. Compiled from 385 research sources.Security-GuidesSsrfWeb-SecurityCloud-SecurityPenetration-Testinghttps://chs.us/guides/sqli/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/sqli/A practitioner's reference for SQL Injection — attack classes, exploitation techniques, database-specific payloads, WAF bypass methods, ORM/NoSQL variants, real-world CVEs, and detection/prevention. Compiled from 35 research sources.Security-GuidesSqliDatabase-SecurityWeb-SecurityPenetration-Testinghttps://chs.us/guides/csrf/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/csrf/A practitioner's reference for Cross-Site Request Forgery — attack surface, exploitation techniques, SameSite and token bypasses, real-world chains, and detection/prevention. Compiled from 38 research sources.Security-GuidesCsrfWeb-SecuritySession-ManagementPenetration-Testinghttps://chs.us/guides/idor/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/idor/A practitioner's reference for Insecure Direct Object Reference (IDOR) and Broken Object Level Authorization (BOLA) — attack surface, enumeration patterns, bypass techniques, real-world writeups, detection workflow, and prevention. Compiled from 22 research sources.Security-GuidesIdorAuthorizationWeb-SecurityPenetration-Testinghttps://chs.us/guides/rce/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/rce/A practitioner's reference for Remote Code Execution — vulnerability classes, exploitation primitives, language-specific chains, real-world CVEs, and detection/prevention. Compiled from 95 research sources.Security-GuidesRceCode-InjectionWeb-SecurityPenetration-Testinghttps://chs.us/guides/xxe/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/xxe/A practitioner's reference for XML External Entity injection — fundamentals, parser quirks, in-band and out-of-band exfiltration, parameter entity chains, file-format vectors, real-world CVEs, tooling, and hardening. Compiled from 41 research sources.Security-GuidesXxeXml-SecurityWeb-SecurityPenetration-Testinghttps://chs.us/guides/deserialization/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/deserialization/A practitioner's reference for insecure deserialization — language-specific attack surface, gadget chain mechanics, real-world CVE chains, tools, and detection/prevention. Compiled from 49 research sources.Security-GuidesDeserializationObject-InjectionWeb-SecurityPenetration-Testinghttps://chs.us/guides/graphql/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/graphql/A practitioner's reference for attacking and defending GraphQL APIs — discovery, introspection, schema recovery, injection, authorization flaws, batching, DoS, subscriptions, CSRF/CSWSH, engine-specific quirks, and detection/prevention. Compiled from 31 research sources.Security-GuidesGraphqlApi-SecurityWeb-SecurityPenetration-Testinghttps://chs.us/guides/api-security/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/api-security/A practitioner's reference for API security — attack surface, OWASP API Top 10 exploitation, authentication and authorization bypasses, GraphQL-specific attacks, rate limit evasion, API gateway hardening, open banking compliance, AI/MCP risks, real-world chains, and detection/prevention. Compiled from 49 research sources.Security-GuidesApi-SecurityWeb-SecurityAuthenticationPenetration-Testinghttps://chs.us/guides/authz/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/authz/A practitioner's reference for Broken Access Control (OWASP A01) — the models, bug classes, bypass techniques, real-world chains, and detection/prevention patterns that matter in modern web and API testing. Compiled from 80 research sources.Security-GuidesAuthorizationAccess-ControlWeb-SecurityPenetration-Testinghttps://chs.us/guides/mobile/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/mobile/A practitioner's reference for iOS and Android application security — threat models, platform attack surface, reverse engineering, runtime instrumentation, bypass techniques, testing methodology, and defensive controls. Compiled from 34 research sources.Security-GuidesMobile-SecurityIos-SecurityAndroid-SecurityPenetration-Testinghttps://chs.us/guides/python/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/python/A practitioner's defensive reference for securing Python applications — dangerous APIs, deserialization pitfalls, framework-specific risks, supply chain attacks, LLM-era CVEs, static analysis tooling, and hardening patterns. Compiled from 184 research sources.Security-GuidesPython-SecurityWeb-SecuritySupply-Chain-SecurityStatic-Analysishttps://chs.us/guides/fuzzing/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/fuzzing/A practitioner's reference for fuzz testing — fundamentals, coverage feedback, harness construction, corpus strategy, sanitizer usage, and the tool stack for web, binary, kernel, API, and smart-contract targets. Compiled from 46 research sources.Security-GuidesFuzzingTestingVulnerability-ResearchSecurity-Testinghttps://chs.us/guides/recon/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/recon/A practitioner's reference for web reconnaissance — attack surface discovery, subdomain enumeration, live host probing, content discovery, JS mining, cloud asset hunting, automation, and continuous monitoring. Compiled from 23 research sources.Security-GuidesReconnaissanceAttack-SurfaceEnumerationPenetration-Testinghttps://chs.us/guides/osint/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/osint/A practitioner's reference for Open Source Intelligence — methodology, collection disciplines, tooling, pivoting techniques, and operational security. Compiled from 34 research sources.Security-GuidesOsintIntelligence-GatheringReconnaissanceSocial-Engineeringhttps://chs.us/guides/secrets/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/secrets/A practitioner's reference for secrets sprawl, credential leakage, detection, remediation, and hardening. Compiled from 54 research sources covering GitGuardian State of Secrets Sprawl 2025/2026, OWASP Secrets Management Cheat Sheet, TruffleHog, Gitleaks, real-world breaches (Trivy/European Commission, Shai-Hulud, LiteLLM, EleKtra-Leak, .env extortion campaigns, GCP SecOps SIEM token leak), AI-era leakage patterns (Claude Code source leak, vibe-coding fingerprints, ChatGPT API key exposure), certificate/private key leak research (Google-GitGuardian), GitHub search syntax for secret discovery, vault hardening (HashiCorp Vault production guide, AWS SM vs Vault, Infisical, SOPS+age), Terraform/Kubernetes secrets management, IAM Roles Anywhere, shift-left speed budgets, and NHI governance guidance.Security-GuidesSecrets-ManagementCredential-LeakageSecurity-ToolingDevops-Securityhttps://chs.us/guides/bug-bounty/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/bug-bounty/A practitioner's reference for modern bug bounty hunting — methodology, platforms, reconnaissance pipelines, vulnerability hunting, exploit chaining, report writing, and career strategy. Compiled from 98 research sources.Security-GuidesBug-BountyVulnerability-ResearchEthical-HackingPenetration-Testinghttps://chs.us/guides/supply-chain/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/supply-chain/A defender's reference for software supply chain risks — threat model across the SDLC, package-registry attack patterns, CI/CD hardening, artifact provenance and signing, SBOMs, dependency scanning, case studies, and a checklist. Compiled from 54 research articles, advisories, and incident writeups in `raw/Supply Chain/`.Security-GuidesSupply-Chain-SecurityDevops-SecurityDependency-SecurityCi-Cd-Securityhttps://chs.us/guides/burp-suite/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/burp-suite/A practitioner's reference for Burp Suite — core tools, essential extensions, Bambdas and BChecks, Collaborator, macros and session handling, custom extension development, Burp AI, and real-world testing workflows. Compiled from 71 research sources.Security-GuidesBurp-SuiteWeb-TestingSecurity-ToolsPenetration-Testinghttps://chs.us/guides/ai/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/ai/A practitioner's reference for securing Large Language Model and agentic AI systems — attack surface, exploitation techniques, real-world CVE chains, payloads, and layered detection/prevention. Compiled from 60 research sources (OWASP, NVIDIA AI Red Team, Unit 42, Lakera/Check Point, NCSC, CrowdStrike/Pangea, Equixly, Anthropic, OpenAI, Microsoft MSRC, Google, AWS, MITRE ATLAS, Penligent, Red Hat, Pillar Security, JFrog, AuthZed, Trend Micro, Nature, and independent researchers).Security-GuidesAi-SecurityLlm-SecurityPrompt-InjectionMachine-Learninghttps://chs.us/guides/authentication/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/authentication/A practitioner's reference for authentication security — protocols, mechanisms, vulnerabilities, exploitation techniques, and defense strategies. Covers traditional and modern authentication methods from enterprise to web applications. Compiled from 55 research sources.Security-GuidesAuthenticationSso-SecurityMfa-SecurityWeb-Securityhttps://chs.us/guides/jwt/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/jwt/A practitioner's reference for JSON Web Token security -- vulnerabilities, exploitation techniques, attack vectors, implementation flaws, and defense strategies. Covers algorithm confusion, signature bypass, header injection, key confusion, library-specific issues, cryptographic attacks, attack chaining, and secure implementation patterns. Compiled from 42 research sources.Security-GuidesJwt-SecurityToken-SecurityAuthenticationWeb-Securityhttps://chs.us/guides/ssti/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/ssti/A practitioner's reference for Server-Side Template Injection — template engine vulnerabilities, exploitation techniques, payload development, framework-specific attacks, and defense strategies. Covers detection methodologies, engine-specific exploitation, and secure templating practices. Compiled from 40 research sources.Security-GuidesSstiTemplate-InjectionRceWeb-Securityhttps://chs.us/guides/talks/Fri, 10 Apr 2026 00:00:00 +0000carl.sampson@gmail.com (Carl Sampson)https://chs.us/guides/talks/A practitioner's reference for the global security conference circuit — where research is published, which venues matter for which subject areas, how to pick talks, and how to submit your own. Compiled from 35 research sources.Security-GuidesSecurity-ConferencesTalksResearchCtf