Browser extensions occupy a uniquely dangerous position in the security landscape. They are installed by users who trust them, they run inside the browser with elevated privileges, and they can touch every page you visit. More importantly, the security research community has largely ignored them in favour of server-side bugs,
There's a mental model most developers carry around about localhost: it's safe because it's not accessible from the internet. The firewall doesn't touch it. External traffic can't reach it. Whatever's running on 127.0.0.1:3000, your
There's a category of bugs that always surprises people when they learn the payout. CRLF injection sounds boring, "oh you injected a newline", until you realize that a newline in an HTTP header means you can write entirely new headers, inject session cookies, force the browser
Deserialization vulnerabilities have been around since 2015 when Chris Frohoff and Gabriel Lawrence dropped their AppSecCali talk "Marshalling Pickles." More than a decade later, the class is still producing critical RCEs, not because nobody knows about it, but because it is genuinely hard to fix without breaking application
Here's something that'll mess with your head a little. When you log into Okta, Azure AD, Salesforce, or literally any enterprise app with SSO, there's a moment where a chunk of XML gets passed from the identity provider back to the application, and that
A lot of people still picture it as a 2019-era party trick: tweak Content-Length, maybe sneak in a weird Transfer-Encoding, and hope a proxy somewhere gets confused. Sometimes it works, often it doesn’t, and the whole thing can feel like chasing ghosts. In 2025 alone, James Kettle's
OAuth 2.0 and OpenID Connect (OIDC) are so common now that they fade into the background. “Sign in with Google,” enterprise SSO, partner integrations, mobile apps requesting API access, underneath, it’s almost always OAuth. That ubiquity has a side effect: OAuth bugs keep appearing in real production systems,
JSON Web Tokens (JWTs) are the de facto authentication primitive across modern web applications, microservices, and APIs. Yet their flexibility, specifically the delegated algorithm selection embedded within each token, has repeatedly proven catastrophic. Six new critical CVEs affecting widely-deployed JWT libraries were disclosed in 2025 alone, with several enabling full
WebAssembly (WASM) has quietly become one of the most security-relevant technologies on the modern web. It powers everything from high-performance design tools and games to crypto wallets, DRM components, and proprietary business logic that companies don’t want to expose as plain JavaScript. From an attacker’s perspective, that last
Modern application security has largely grown up around a familiar set of assumptions: HTTP/1.1 requests, JSON bodies, predictable endpoints, and tooling that can intercept and rewrite traffic without much friction. gRPC breaks many of those assumptions, by design. gRPC is now a default choice for internal microservice communication
Security testing has become heavily automated. Black-box scanners and “one-click” tools do a solid job finding the obvious issues: basic injection points, missing headers, or low-effort misconfigurations. But there is a class of vulnerabilities that consistently slips through those nets, not because the tools are weak, but because the bug
Serverless computing is often sold as a security win by default. No servers to patch, no SSH, no open ports, and no long-lived hosts to compromise. That mindset leads to one of the most common (and most dangerous) misconceptions in modern cloud security: “If there is no server, there is