Application-Security

Back in January I wrote about the launch of AppSec.fyi, the curated application security resource library I built and maintain. Three months later, I’ve added enough to warrant an update. What started as a clean list of links organized by vulnerability class has turned into something closer to a full reference platform. By the Numbers The resource count has crossed 2,241 items spread across 24 distinct categories. That’s a significant jump from the handful of core vulnerability classes I launched with. The original categories — XSS, SQLi, SSRF, IDOR, XXE, RCE, CSRF — are still there, but I’ve expanded into areas that reflect where application security is actually headed. ...

I run about a dozen MCP servers in my daily workflow. Playwright for browser automation, Raindrop for bookmarks, Todoist for tasks, a couple of custom ones. Every time I start a Claude Code session, my agent loads all of their tool descriptions into context and uses them to decide what to call. Last month I started thinking about what would happen if one of those tool descriptions was lying to me. ...

A high-severity SSRF vulnerability (CVSS 8.6) was disclosed on February 25, 2026 in changedetection.io, a popular open-source tool for monitoring web page changes. The bug is a textbook example of a failed allowlist/denylist approach to URL validation — and the default unauthenticated configuration makes it exploitable by anyone with network access to the instance. What is changedetection.io? changedetection.io is a self-hosted service that watches URLs for content changes and alerts you when something changes. It’s commonly used by developers, researchers, and sysadmins to monitor pages, APIs, and dashboards. The tool fetches URLs on your behalf — which is exactly the trust relationship SSRF attacks exploit. ...

As security professionals, we spend a lot of time searching through resources, documentation, and references while working on projects or investigating vulnerabilities. I got tired of hunting for the same links over and over, so I built AppSec.fyi — a curated collection of application security resources that serves as the go-to reference I always wanted. What is AppSec.fyi? AppSec.fyi is a centralized hub that organizes security knowledge across multiple domains, making it easy to find authoritative sources and reference materials for common vulnerabilities and security topics. I describe it as “a somewhat curated list of links to various topics in appsec” — though that undersells it a bit at this point. ...

HTTP Request Smuggling (HRS) is a powerful web application vulnerability that exploits discrepancies in how different servers or intermediaries parse and handle HTTP requests. This misalignment can allow an attacker to “smuggle” a malicious request through a front-end server (such as a load balancer, proxy, or CDN) so that it is interpreted differently by the back-end server. How HTTP Request Smuggling Works Modern web applications often rely on chains of intermediaries — proxies, reverse proxies, CDNs, and application servers. These components must all agree on where one HTTP request ends and the next begins. If they disagree, attackers can craft specially malformed requests that cause desynchronization. ...

Server-Side Request Forgery (SSRF) is a type of security vulnerability that allows an attacker to send crafted requests from a vulnerable server to internal or external resources. This can lead to unauthorized access to sensitive data, manipulation of server behavior, or even exploitation of other services within the network. SSRF exploits the trust that a server has in its own requests, allowing attackers to leverage this trust to perform actions that would typically be restricted. ...

Defending Your Web Applications Against Server-Side Request Forgery (SSRF) Attacks In today’s interconnected digital landscape, web applications face a myriad of security threats. One often overlooked but potentially devastating vulnerability is Server-Side Request Forgery (SSRF). Did you know that, according to a recent report, SSRF attacks have increased by a staggering 270% in the past year alone? In this blog post, we’ll dive into what SSRF is, how it can impact your web applications, and most importantly, the steps you can take to defend against these insidious attacks. ...

The Common Weakness Enumeration (CWE) is a community-developed catalog of software and hardware security weaknesses maintained by the MITRE Corporation. It assigns each type of vulnerability a unique identifier, a description, and guidance on prevention. If you work in application security — or write code that needs to be secure — CWE is a foundational reference. What CWE Is (and Is Not) CWE describes types of weaknesses, not specific bugs in specific software. A single CWE entry like CWE-79 (Cross-Site Scripting) covers every instance of that weakness across every application that has ever been vulnerable to it. ...

XML External Entity (XXE) injection exploits applications that parse XML input without disabling external entity resolution. If the XML parser is misconfigured (which many are by default), an attacker can define custom entities that read local files, make network requests, or cause denial of service. These payloads are for authorized security testing only. What is XXE? When an XML parser processes a document, it can resolve entities defined in the DOCTYPE declaration. External entities use the SYSTEM keyword to reference files or URLs. If the parser resolves these without restriction, the attacker controls what the server reads and where it sends data. ...