Web Pentest · 47 articles

Web Pentest

OWASP Top 10 in 2026, business logic flaws, authentication bypasses, API security.

Academy

Module 7 · SAST, DAST, and Security in the CI/CD Pipeline

Why this module exists. SAST that produces 1000 false positives per scan trains developers to ignore findings. SAST tuned and triaged surfaces…

May 14, 2026 · 3 min read
Academy

Module 6 · Dependency Security and SBOM Management

Why this module exists. Your application’s CVE exposure is mostly in its dependencies, not its own code. Managing that exposure requires inventory,…

May 14, 2026 · 3 min read
Academy

Module 5 · Application-Level Cryptography — Avoiding the Common Mistakes

Why this module exists. Cryptographic primitives have safe defaults that produce safe outcomes if used correctly. Developers who deviate — even with…

May 14, 2026 · 3 min read
Academy

Module 4 · Authentication and Session Management — Modern Patterns

Why this module exists. Modern authentication is not “username + password + check the DB.” It is a stack of OAuth flows,…

May 14, 2026 · 3 min read
Academy

Module 3 · Input Validation and Output Encoding — Universal Defences

Why this module exists. The single highest-leverage developer education is the principle “structure separates code from data.” Input validation and output encoding…

May 14, 2026 · 5 min read
Academy

Secure Code Review at Scale

Per-PR vs feature-level vs deep-dive code reviews, OWASP Top 10 hunt patterns, Semgrep custom-rule programme, what humans find that tools miss, rollout…

Apr 26, 2026 · 5 min read
Academy

Secure Coding Across Languages

Language-specific secure-coding patterns — Python, Node/TS, Java, Go, Rust, PHP. Common pitfalls, safe alternatives, crypto patterns, dependency scanning.

Apr 26, 2026 · 6 min read
Academy

Application Security Programme and WAF Tuning

Building an AppSec programme that scales — maturity ladder, security champions, CI/CD security pipeline, tooling baseline, metrics, bug bounty, threat modelling integration.

Apr 26, 2026 · 5 min read
Tools & Tutorials

DOM-Based XSS in 2026: Modern Frameworks and Trusted Types

DOM-XSS in modern frameworks — vulnerable sinks (innerHTML, dangerouslySetInnerHTML, v-html, [innerHTML]). Source-to-sink analysis with Semgrep + Burp DOM Invader. The Trusted Types…

Apr 25, 2026 · 2 min read
Tools & Tutorials

CORS Misconfigurations: Deep-Dive on the Common Bypasses

CORS misconfiguration patterns — reflective Origin with Allow-Credentials, null Origin trust, permissive subdomain wildcards, regex bypasses. Test commands, the safe pattern, Express.js…

Apr 25, 2026 · 2 min read