Stay informed about web application security threats, vulnerabilities, and defense strategies. These posts cover topics including OWASP Top 10 risks, secure development practices, input validation, authentication flaws, and best practices for protecting web apps from exploitation.
posts
A 20-Year-Old Exploit Still Topping the Charts In 2023, the MOVEit Transfer vulnerability — a SQL injection flaw — led to the compromise of over 2,600 organizations and roughly 90 million individuals' records. One vulnerability. One technique that's been publicly documented since the early 2000s. And it still
A 20-Year-Old Vulnerability Still Dominating Breach Reports In 2023, the MOVEit Transfer vulnerability (CVE-2023-34362) compromised over 2,600 organizations and exposed data on more than 77 million individuals. At its core, the exploit was a SQL injection. The Cl0p ransomware gang used it to steal data from federal agencies, major
In September 2024, a security researcher discovered a stored cross-site scripting vulnerability in a major email platform that allowed attackers to execute arbitrary JavaScript the moment a victim opened a crafted message. No clicks required beyond reading the email. The vulnerability sat unpatched for weeks. If you think XSS is
A 20-Year-Old Attack Still Dominating the Headlines In late 2022, the FBI and CISA issued a joint advisory warning about ongoing exploitation of a SQL injection vulnerability in a widely used healthcare software platform. The flaw had been known for years. The patches existed. And yet, threat actors kept walking
British Airways Lost $230 Million Because of a Script In 2018, British Airways disclosed a breach that exposed the payment card details of roughly 380,000 customers. The attack vector? A malicious script injected into the airline's payment page — a textbook cross-site scripting exploitation. The UK's
In March 2021, security researchers discovered that Accellion's file transfer appliance had been exploited through — you guessed it — an SQL injection vulnerability. The Clop ransomware gang leveraged the flaw to steal data from dozens of organizations, including Shell, Bombardier, and multiple U.S. universities. This wasn't
The Attack That Hides in Plain Sight on Your Website In 2018, British Airways disclosed a breach that compromised the personal and financial data of roughly 380,000 customers. The attack vector? A modified JavaScript injected into the airline's payment page — a textbook cross-site scripting attack that skimmed
In 2023, the MOVEit Transfer vulnerability — a SQL injection flaw — led to the compromise of over 2,600 organizations and exposed data on more than 77 million individuals. One vulnerability. One injection point. Billions in damage. And here's what should keep you up at night: SQL injection has
In 2018, British Airways disclosed a breach that exposed the personal and financial data of roughly 380,000 customers. The attack vector? A modified JavaScript injected into the airline's payment page — a textbook cross-site scripting exploit. The UK's Information Commissioner's Office initially proposed a
