A lot of people still picture it as a 2019-era party trick: tweak Content-Length, maybe sneak in a weird Transfer-Encoding, and hope a proxy somewhere gets confused. Sometimes it works, often it doesn’t, and the whole thing can feel like chasing ghosts. In 2025 alone, James Kettle's
OAuth 2.0 and OpenID Connect (OIDC) are so common now that they fade into the background. “Sign in with Google,” enterprise SSO, partner integrations, mobile apps requesting API access, underneath, it’s almost always OAuth. That ubiquity has a side effect: OAuth bugs keep appearing in real production systems,
JSON Web Tokens (JWTs) are the de facto authentication primitive across modern web applications, microservices, and APIs. Yet their flexibility, specifically the delegated algorithm selection embedded within each token, has repeatedly proven catastrophic. Six new critical CVEs affecting widely-deployed JWT libraries were disclosed in 2025 alone, with several enabling full
WebAssembly (WASM) has quietly become one of the most security-relevant technologies on the modern web. It powers everything from high-performance design tools and games to crypto wallets, DRM components, and proprietary business logic that companies don’t want to expose as plain JavaScript. From an attacker’s perspective, that last
Modern application security has largely grown up around a familiar set of assumptions: HTTP/1.1 requests, JSON bodies, predictable endpoints, and tooling that can intercept and rewrite traffic without much friction. gRPC breaks many of those assumptions, by design. gRPC is now a default choice for internal microservice communication
Security testing has become heavily automated. Black-box scanners and “one-click” tools do a solid job finding the obvious issues: basic injection points, missing headers, or low-effort misconfigurations. But there is a class of vulnerabilities that consistently slips through those nets, not because the tools are weak, but because the bug
Serverless computing is often sold as a security win by default. No servers to patch, no SSH, no open ports, and no long-lived hosts to compromise. That mindset leads to one of the most common (and most dangerous) misconceptions in modern cloud security: “If there is no server, there is
The Model Context Protocol (MCP) has quickly become one of the easiest ways to connect AI assistants to real systems. With MCP, an agent can talk to Jira, GitHub, databases like Postgres, or internal tooling without every team having to invent a custom integration from scratch. That speed, however, comes
The Model Context Protocol (MCP) was built to solve a practical problem: large language models do not know your internal context, so they need a standardized way to request it. In enterprise settings, that context is usually “safe-ish” and remote, such as Jira tickets, internal documentation, or a knowledge base.
Continuous Integration and Continuous Deployment (CI/CD) pipelines have become the backbone of modern software delivery. The same automation that helps teams ship quickly also concentrates power: a single workflow can build artifacts, deploy to production, rotate secrets, and manage infrastructure. For years, the most common way to connect GitHub
Kubernetes has become the default platform for running modern applications, especially microservices. That convenience, however, comes with a security reality that many teams underestimate: a Kubernetes “container boundary” is not the same as a virtual machine boundary. In many real incidents, attackers do not need a single catastrophic zero-day to
Modern web applications ship more logic to the browser than ever before. Single Page Applications (SPAs) rely heavily on JavaScript to handle routing, feature flags, and data access, which means the client often contains a surprisingly complete “map” of the backend it talks to. For security testers, that is an