OWASP A01: Broken Access Control Prevention Guide

I’ve been hunting access control bugs for over a decade, and let me tell you - they’re everywhere. When OWASP kept broken access control at #1 in 2025 and merged SSRF into this category, I wasn’t surprised. I was relieved that the security community finally caught up to what I’ve been seeing in the wild. 94% of applications tested have broken access control issues. That’s not a typo - it’s a security apocalypse hiding in plain sight. ...

May 6, 2026 · Carl Sampson

OWASP Top 10 2025 Developer Guide

I’ve been working with the OWASP Top 10 for years, and the 2025 update just dropped some major changes that every developer needs to understand. Supply chain attacks finally made it into the top 10 (as A03), and honestly, it’s about time. I’ve been seeing these attacks destroy companies for the past few years. Here’s the thing about OWASP Top 10 2025: it’s not just updating the old list - it’s completely rethinking modern threats. Security misconfiguration jumped from #5 to #2, and they merged SSRF into broken access control because that’s how attackers actually chain these vulnerabilities together. ...

May 5, 2026 · Carl Sampson

CSRF vs SSRF: Developer Guide [2026]

CSRF and SSRF sound like they’re related - they both have “request forgery” in the name, after all. But they’re completely different beasts that’ll bite you in completely different ways. I’ve spent way too many nights debugging both of these vulnerabilities, and the confusion between them has cost teams serious security incidents. Let me break down exactly what each one does and how to stop them before they wreck your app. ...

May 1, 2026 · Carl Sampson

AppSec.fyi Hits 2,200+ Resources: What's New

Back in January I wrote about the launch of AppSec.fyi, the curated application security resource library I built and maintain. Three months later, I’ve added enough to warrant an update. What started as a clean list of links organized by vulnerability class has turned into something closer to a full reference platform. By the numbers: the resource count now stands at 2,241 items spread across 24 distinct categories. That’s a significant jump from the handful of core vulnerability classes I launched with. The original categories — XSS, SQLi, SSRF, IDOR, XXE, RCE, CSRF — are still there, but I’ve expanded into areas that reflect where application security is actually headed. ...

April 7, 2026 · Carl Sampson

MCP Tool Poisoning: Hidden Attack Surface

I run about a dozen MCP servers in my daily workflow. Playwright for browser automation, Raindrop for bookmarks, Todoist for tasks, a couple of custom ones. Every time I start a Claude Code session, my agent loads all of their tool descriptions into context and uses them to decide what to call. Last month I started thinking about what would happen if one of those tool descriptions was lying to me. ...

April 3, 2026 · Carl Sampson

CVE-2026-27696: SSRF in changedetection.io

A high-severity SSRF vulnerability (CVSS 8.6) was disclosed on February 25, 2026 in changedetection.io, a popular open-source tool for monitoring web page changes. The bug is a textbook example of a failed allowlist/denylist approach to URL validation — and the default unauthenticated configuration makes it exploitable by anyone with network access to the instance. What is changedetection.io? changedetection.io is a self-hosted service that watches URLs for content changes and alerts you when something changes. It’s commonly used by developers, researchers, and sysadmins to monitor pages, APIs, and dashboards. The tool fetches URLs on your behalf — which is exactly the trust relationship SSRF attacks exploit. ...

February 27, 2026 · Carl Sampson

AppSec.fyi: Curated Security Resources

As security professionals, we spend a lot of time searching through resources, documentation, and references while working on projects or investigating vulnerabilities. I got tired of hunting for the same links over and over, so I built AppSec.fyi — a curated collection of application security resources that serves as the go-to reference I always wanted. What is AppSec.fyi? AppSec.fyi is a centralized hub that organizes security knowledge across multiple domains, making it easy to find authoritative sources and reference materials for common vulnerabilities and security topics. I describe it as “a somewhat curated list of links to various topics in appsec” — though that undersells it a bit at this point. ...

January 18, 2026 · Carl Sampson

Understanding HTTP Request Smuggling Attacks

HTTP Request Smuggling (HRS) is a powerful web application vulnerability that exploits discrepancies in how different servers or intermediaries parse and handle HTTP requests. This misalignment can allow an attacker to “smuggle” a malicious request through a front-end server (such as a load balancer, proxy, or CDN) so that it is interpreted differently by the back-end server. How HTTP Request Smuggling Works: Modern web applications often rely on chains of intermediaries — proxies, reverse proxies, CDNs, and application servers. These components must all agree on where one HTTP request ends and the next begins, which in HTTP/1.1 means agreeing on whether the body length comes from Content-Length or from Transfer-Encoding: chunked. If they disagree, attackers can craft specially malformed requests that cause desynchronization. ...

September 6, 2025 · Carl Sampson
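To make the disagreement concrete, here is an added example (my own code, not code from the post above) of how different framing rules carve up the same byte stream. It builds a constructed CL.TE request, one that carries both Content-Length and Transfer-Encoding: chunked, and frames it three ways: as a Content-Length-only hop would, as a chunked-preferring hop would, and as a strict parser that refuses ambiguous framing would. The sample request, the `frame` function and the placeholder `example.test` and `internal` host names are all constructed for this demonstration.

```python
def parse_head(stream, pos):
    """Split off one request head starting at pos.
    Returns (request_line, [(lower_name, value), ...], body_start), or None if incomplete."""
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        return None
    lines = stream[pos:end].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4


def header_values(headers, name):
    return [value for key, value in headers if key == name]


def chunked_body_end(stream, pos):
    """Index just past a chunked body starting at pos (last chunk, optional trailers,
    final CRLF), or None if the stream ends first."""
    while True:
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            return None
        size = int(stream[pos:nl].split(b";")[0].strip(), 16)  # chunk-size; extensions ignored
        pos = nl + 2
        if size == 0:
            break
        pos += size + 2  # chunk data plus its CRLF
        if pos > len(stream):
            return None
    while True:  # trailer section ends at the first empty line
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            return None
        if nl == pos:
            return nl + 2
        pos = nl + 2


def frame(stream, mode):
    """Carve stream into requests under one framing rule; return (request_lines, leftover).
    "cl": Content-Length only, Transfer-Encoding ignored.
    "te": chunked Transfer-Encoding wins over Content-Length (the RFC 9112 precedence).
    "strict": refuse ambiguous framing instead of guessing."""
    request_lines, pos = [], 0
    while pos < len(stream):
        head = parse_head(stream, pos)
        if head is None:
            break
        request_line, headers, body_start = head
        te = header_values(headers, b"transfer-encoding")
        cl = header_values(headers, b"content-length")
        if mode == "strict":
            if te and cl:
                raise ValueError("both Transfer-Encoding and Content-Length present")
            if len(set(cl)) > 1:
                raise ValueError("conflicting Content-Length values")
            if te and te[-1].lower() != b"chunked":
                raise ValueError("unsupported Transfer-Encoding")
        if mode != "cl" and any(b"chunked" in value.lower() for value in te):
            end = chunked_body_end(stream, body_start)
        else:
            end = body_start + (int(cl[0]) if cl else 0)
            if end > len(stream):
                end = None
        if end is None:
            break  # incomplete request: a real server would wait for more bytes
        request_lines.append(request_line)
        pos = end
    return request_lines, stream[pos:]


# Constructed CL.TE sample. The Content-Length covers the empty chunked body *and* a second,
# complete request hidden behind it; the host names are placeholders for this demo.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n"
EMPTY_CHUNKED_BODY = b"0\r\n\r\n"
CL_TE_STREAM = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    + b"Content-Length: %d\r\n" % (len(EMPTY_CHUNKED_BODY) + len(SMUGGLED))
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + EMPTY_CHUNKED_BODY
    + SMUGGLED
)


def desync_report(stream=CL_TE_STREAM):
    """What each hop sees: one request for a CL-only front end, two for a chunked-aware
    back end, and a rejection from a strict parser."""
    front_end, _ = frame(stream, "cl")
    back_end, _ = frame(stream, "te")
    try:
        frame(stream, "strict")
        strict = "accepted"
    except ValueError as err:
        strict = f"rejected: {err}"
    return {"front_end": front_end, "back_end": back_end, "strict": strict}


if __name__ == "__main__":
    for hop, seen in desync_report().items():
        print(hop, seen)
```

The front end forwards what it believes is one POST; the back end finds a second GET /admin queued behind it, and that GET is answered to whichever client's request arrives next on the shared connection. The strict mode is the fix that matters in practice: reject (or normalise to a single framing before forwarding) any request that carries both headers, rather than picking one and hoping the next hop picks the same.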

7 Critical SSRF Attack Techniques [2026]

Server-Side Request Forgery (SSRF) is a vulnerability that lets an attacker make a vulnerable server send requests the attacker controls to internal or external resources. This can lead to unauthorized access to sensitive data, manipulation of server behavior, or exploitation of other services within the network. SSRF abuses the trust that internal systems, and the network itself, place in requests that originate from the server: the attacker borrows the server's network position and identity to reach destinations that would normally be off-limits to them. ...

May 12, 2025 · Carl Sampson

SSRF Prevention Guide [2026]

I’ve been dealing with SSRF vulnerabilities for years, and they’re honestly one of the scariest bugs you’ll encounter. While everyone obsesses over XSS and SQL injection, SSRF quietly lets attackers break into your internal network and steal your cloud credentials. The worst part? Most developers don’t even know their code is vulnerable until it’s too late. Update 2026: SSRF has been consolidated into A01: Broken Access Control in the OWASP Top 10 2025, reflecting how attackers actually chain SSRF with access control bypasses. This guide covers SSRF-specific defenses, but check the complete OWASP 2025 analysis for the broader access control security picture. ...

April 28, 2025 · Carl Sampson
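The three SSRF items on this page (the changedetection.io advisory's failed allowlist/denylist, the definition above, and this prevention guide) all come down to one control: deciding, before the server fetches a user-supplied URL, whether the destination is one the server should be talking to at all. Here is an added example of that check, my own code rather than anything from the posts above or from changedetection.io. It allowlists schemes and ports, rejects userinfo, recognises IP literals in the legacy spellings a string denylist usually misses (decimal, hex, octal, IPv4-mapped and 6to4 IPv6), and requires every resolved address to be public rather than only the first. The `FAKE_DNS` table, the `example.test`, `rebind.test` and `metadata.test` names, and the 93.184.216.34 sample address are constructed so the demo runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def ip_literal(host):
    """Return the address if host is an IP literal in any spelling the socket layer accepts,
    else None. Catches forms a string denylist misses: "2130706433", "0x7f.0.0.1",
    "0177.0.0.1", "127.1", and bracketed IPv6."""
    h = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        pass
    try:  # inet_aton implements the legacy inet_aton(3) grammar
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(h)))
    except OSError:
        return None


def is_public(addr):
    """True only for globally routable unicast addresses. IPv4 embedded in IPv6 (::ffff:a.b.c.d
    mapped, 2002:: 6to4) is unwrapped first so it cannot smuggle 127.0.0.1 or 10/8 past the checks."""
    if isinstance(addr, ipaddress.IPv6Address):
        inner = addr.ipv4_mapped if addr.ipv4_mapped is not None else addr.sixtofour
        if inner is not None:
            addr = inner
    blocked = (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast
               or addr.is_reserved or addr.is_unspecified)
    return addr.is_global and not blocked


def resolve_all(host):
    """Default resolver: every A/AAAA answer for host, via real DNS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolver=resolve_all, allowed_ports=(80, 443)):
    """Decide whether the server may fetch url. Returns (host, port, [validated IPs]);
    raises ValueError otherwise. Connect to one of the returned IPs, not to the hostname."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        raise ValueError("invalid port") from None
    if port not in allowed_ports:
        raise ValueError(f"port not allowed: {port}")
    literal = ip_literal(host)
    addrs = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"{host} does not resolve")
    for addr in addrs:  # every answer must pass; a mixed public/internal answer set is rejected
        if not is_public(addr):
            raise ValueError(f"{host} -> {addr} is not a public address")
    return host, port, [str(a) for a in addrs]


# Constructed lookup table standing in for DNS so the demo runs offline.
FAKE_DNS = {
    "example.test": ["93.184.216.34"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],   # one public and one internal answer
    "metadata.test": ["169.254.169.254"],           # alias pointing at the cloud metadata service
}


def check(url):
    """Run the validator against the constructed resolver and return the verdict as text."""
    try:
        host, port, ips = validate_outbound_url(url, resolver=lambda h: FAKE_DNS.get(h, []))
        return f"allow {host}:{port} -> {','.join(ips)}"
    except ValueError as err:
        return f"deny ({err})"


if __name__ == "__main__":
    for candidate in ["https://example.test/page", "http://rebind.test/", "http://metadata.test/",
                      "http://169.254.169.254/latest/meta-data/", "http://2130706433/",
                      "http://0x7f.0.0.1/", "http://[::ffff:127.0.0.1]/", "http://[2002:7f00:1::]/",
                      "http://user@example.test/", "file:///etc/passwd", "http://example.test:8080/"]:
        print(f"{candidate:45} {check(candidate)}")
```

Two things the validator cannot do on its own: the HTTP client must connect to one of the returned IPs (sending the original hostname in Host and SNI) rather than resolving the name a second time, or a DNS rebinding answer slips in between check and connect; and automatic redirect-following must be off, with each Location target run through `validate_outbound_url` again before it is fetched.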

What is the Common Weakness Enumeration (CWE)?

The Common Weakness Enumeration (CWE) is a community-developed catalog of software and hardware security weaknesses maintained by the MITRE Corporation. It assigns each weakness type a unique identifier (for example CWE-79 for cross-site scripting), a description, and guidance on prevention; unlike CVE, which tracks specific vulnerabilities in specific products, CWE describes the underlying classes of mistake. If you work in application security — or write code that needs to be secure — CWE is a foundational reference. Quick Answer: What is CWE? CWE (Common Weakness Enumeration) is a standardized catalog of software security weaknesses that: ...

April 4, 2023 · Carl Sampson

XXE Injection Payloads for Security Testing

XML External Entity (XXE) injection exploits applications that parse XML input without disabling external entity resolution. If the XML parser is misconfigured (which many are by default), an attacker can define custom entities that read local files, make network requests, or cause denial of service. These payloads are for authorized security testing only. What is XXE? When an XML parser processes a document, it can resolve entities defined in the DOCTYPE declaration. External entities use the SYSTEM keyword to reference files or URLs. If the parser resolves these without restriction, the attacker controls what the server reads and where it sends data. ...

March 14, 2023 · Carl Sampson
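As an added illustration (my own code, not code from the post above), here is the entity-resolution behaviour just described reproduced with Python's standard-library SAX parser: the same document is parsed once with external general entities enabled, which reads a temporary file the example creates, and once with the default hardened setting, followed by a DOCTYPE gate that rejects the document before any entity can be declared. The temp file contents, the `xxe` entity name and the `data` element are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.parsers import expat
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Gathers character data so we can see what the parser expanded &xxe; into."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, allow_external_entities):
    """Parse with expat via xml.sax. feature_external_ges decides whether SYSTEM entities are
    fetched (Python's default is False since 3.7.1; the vulnerable configuration flips it on)."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def reject_doctype(xml_bytes):
    """Defence in depth: refuse any document that declares a DTD at all. That blocks external
    entity declarations and internal-entity expansion bombs alike, since both need a DOCTYPE."""
    p = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError(f"DOCTYPE {name!r} not accepted")

    p.StartDoctypeDeclHandler = on_doctype
    p.Parse(xml_bytes, True)
    return True


def xxe_demo():
    """Write a secret to a temp file, reference it from a DOCTYPE, and parse under each setting."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("secret-token-12345")  # constructed stand-in for /etc/passwd or a credentials file
        secret_path = f.name
    try:
        doc = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE data [ <!ENTITY xxe SYSTEM "{secret_path}"> ]>\n'
            "<data>&xxe;</data>"
        ).encode()
        leaked = parse_text(doc, allow_external_entities=True)
        hardened = parse_text(doc, allow_external_entities=False)
        try:
            reject_doctype(doc)
            gate = "accepted"
        except ValueError as err:
            gate = f"rejected: {err}"
        return {"vulnerable": leaked, "hardened": hardened, "doctype_gate": gate}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for setting, result in xxe_demo().items():
        print(f"{setting}: {result!r}")
```

With the feature enabled the file's contents come back as the text of `<data>`, which is exactly the file-read primitive the payloads in this post exercise; with it disabled the entity expands to nothing. The DOCTYPE gate is the simpler policy for services that never need a DTD: reject the document up front instead of trusting every parser setting to stay hardened.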