Web Pentest · 47 articles

Web Pentest

OWASP Top 10 in 2026, business logic flaws, authentication bypasses, API security.

Security Guides

XXE: External Entity Injection in 2026 — Where It Still Hides

XXE in 2026 — document upload (DOCX, SVG, RSS), SOAP APIs, SAML, RSS processors. Blind XXE via out-of-band channels, XXE-to-SSRF chains, and…

Apr 25, 2026 · 4 min read
Security Guides

CSRF in 2026: Why SameSite Doesn’t Solve Everything

SameSite=Lax is the default; CSRF should be solved. It is not. SameSite=None for legitimate cross-site, GET-based state changes, subdomain CSRF, CORS misconfigurations,…

Apr 25, 2026 · 2 min read
Cloud Security

AWS EC2 SSRF: How One Curl Command Becomes a Cloud Compromise

One missing input filter on a server-side request lets an attacker reach 169.254.169.254 from your EC2 instance. From that single curl: IAM…

Apr 25, 2026 · 5 min read
Security Guides

SQL Injection in 2026: Why It’s Still in 40% of Indian Web Pentests

SQL injection has been on OWASP Top 10 since 2003. Modern variants — blind, time-based, second-order, NoSQL injection, ORM injection — still…

Apr 25, 2026 · 5 min read
Tools & Tutorials

JWT Attacks in 2026: alg:none, RS256-to-HS256, JWKS Injection — Still Working

JWT done with library defaults from 2017 is a privilege-escalation primitive. Seven attack variants — alg:none, RS256-HS256 confusion, weak HMAC, JWKS injection,…

Apr 25, 2026 · 6 min read
Threat Intelligence

Log4Shell 4 Years Later: Why It’s Still in 15% of Indian Enterprise Audits

Log4Shell (CVE-2021-44228) was disclosed in December 2021. Four years on, 15-20% of Indian enterprise audits still find vulnerable Log4j. The bug, modern…

Apr 25, 2026 · 6 min read
Tools & Tutorials

Burp Suite Professional Workflow: How Senior Pentesters Actually Use It

Most engineers use Burp like a glorified intercepting proxy. Senior pentesters use it as a programmable workbench — macros, session-handling rules, Intruder…

Apr 25, 2026 · 6 min read
1 3 4 5