Security Guides

Security Vulnerability Guides

In-depth guides to understanding and preventing the most common security vulnerabilities. Written for developers, by security engineers.

01

SQL Injection

Exploit database queries by injecting malicious SQL through unsanitized user input.

02

Cross-Site Scripting (XSS)

Inject malicious scripts into web pages viewed by other users through reflected, stored, or DOM-based vectors.

03

Server-Side Request Forgery (SSRF)

Force a server to make requests to unintended locations, accessing internal services or cloud metadata.

04

Insecure Direct Object Reference (IDOR)

Access unauthorized resources by manipulating object identifiers in API requests or URLs.

05

OS Command Injection

Execute arbitrary operating system commands through an application that passes unsafe user input to a shell.

06

NoSQL Injection

Manipulate NoSQL database queries by injecting operators or malicious payloads into MongoDB, Redis, or similar systems.

07

Server-Side Template Injection (SSTI)

Inject template directives into server-side templates to achieve remote code execution.

08

XML External Entity (XXE)

Exploit XML parsers to read local files, perform SSRF, or cause denial of service via entity expansion.

09

Cross-Site Request Forgery (CSRF)

Trick authenticated users into performing unintended actions on a web application they are logged into.

10

Broken Access Control

Bypass authorization checks to access resources, perform actions, or view data without proper permissions.

11

Authentication Failures

Exploit weak authentication mechanisms including credential stuffing, brute force, and session management flaws.

12

Cryptographic Failures

Exploit weak encryption, broken hashing, hardcoded secrets, or missing encryption to expose sensitive data.

13

Insecure Deserialization

Manipulate serialized objects to achieve remote code execution, privilege escalation, or data tampering.

14

Security Misconfiguration

Exploit default credentials, unnecessary features, verbose errors, and missing security headers.

15

Vulnerable & Outdated Components

Target known vulnerabilities in third-party libraries, frameworks, and dependencies used by applications.

16

JWT Vulnerabilities

Exploit weak signing algorithms, missing expiry, none algorithm attacks, and claim tampering in JSON Web Tokens.

17

Mass Assignment

Modify object properties that should not be user-controllable by sending additional fields in API requests.

18

Race Conditions

Exploit timing windows in concurrent operations to bypass limits, duplicate transactions, or corrupt data.

19

Prototype Pollution

Inject properties into JavaScript object prototypes to alter application behavior or achieve code execution.

20

Path Traversal

Access files outside the intended directory by manipulating file paths with ../ sequences or encoding tricks.

21

LDAP Injection

Manipulate LDAP queries to bypass authentication or extract directory information from LDAP servers.

22

CRLF Injection

Inject carriage return and line feed characters to split HTTP responses or manipulate log entries.

23

HTTP Header Injection

Inject malicious headers into HTTP responses to perform cache poisoning, XSS, or session fixation.

24

CORS Misconfiguration

Exploit permissive cross-origin resource sharing policies to steal data from authenticated API endpoints.

25

Open Redirect

Redirect users to malicious websites by manipulating URL parameters trusted by the application.

26

Session Fixation

Force a user to authenticate with a session ID known to the attacker, enabling session hijacking.

27

Session Hijacking

Steal or predict session tokens to impersonate authenticated users without knowing their credentials.

28

Brute Force Attacks

Systematically attempt all possible passwords or tokens to gain unauthorized access to accounts or resources.

29

Missing Rate Limiting

Abuse API endpoints without request throttling to perform credential stuffing, data scraping, or denial of service.

30

Business Logic Flaws

Exploit flawed application logic to manipulate prices, bypass workflows, or abuse intended functionality.

31

GraphQL Injection

Exploit GraphQL APIs through introspection, batching attacks, nested queries, or injection in query variables.

32

Dependency Confusion

Trick package managers into installing malicious packages from public registries instead of private ones.

33

Supply Chain Attacks

Compromise software dependencies, build pipelines, or package registries to inject malicious code at scale.

34

Code Injection

Inject and execute arbitrary code through eval(), dynamic imports, or unsafe code generation mechanisms.

35

XPath Injection

Manipulate XPath queries to bypass authentication or extract data from XML-based data stores.

36

CSV Injection

Inject formulas into CSV exports that execute when opened in spreadsheet applications like Excel.

37

Log Injection

Inject malicious content into log files to forge entries, exploit log viewers, or trigger log-based attacks.

38

DOM-Based XSS

Manipulate the Document Object Model to execute scripts without the payload ever reaching the server.

39

Clickjacking

Overlay transparent frames to trick users into clicking hidden elements, performing unintended actions.

40

Privilege Escalation

Gain higher-level permissions by exploiting flaws in role checks, admin endpoints, or function-level authorization.

41

Sensitive Data Exposure

Access unprotected sensitive data through verbose errors, debug endpoints, source maps, or improper storage.

42

Insufficient Logging & Monitoring

Exploit blind spots in application logging to perform attacks without detection or forensic traceability.

43

OAuth Misconfiguration

Exploit flawed OAuth implementations including redirect URI manipulation, token leakage, and scope abuse.

44

WebView Injection

Inject malicious content into mobile WebView components to steal data or execute code in the app context.

45

Certificate Pinning Bypass

Intercept encrypted mobile traffic by bypassing SSL/TLS certificate validation in mobile applications.

46

Insecure Data Storage

Access sensitive data stored without encryption in SharedPreferences, Keychain, or local databases on mobile devices.

47

Hardcoded Secrets

Extract API keys, passwords, and tokens embedded directly in source code, configuration files, or compiled binaries.

48

Weak Hashing Algorithms

Crack passwords or forge data integrity by exploiting outdated hash functions like MD5 or SHA-1.

49

Missing Encryption at Rest

Access sensitive data stored in plaintext in databases, files, or backups without encryption protection.

50

API Security Best Practices

Prevent common API vulnerabilities including BOLA, excessive data exposure, and broken function-level auth.

Start Practicing Now

Go beyond reading — find and fix real vulnerabilities in interactive code challenges.

Try Free Demo

How to use the SecureCodingHub guides library

A guide is the right format when you want a stable, reference-style explanation of a vulnerability class: what it is, why it exists, the variants you will encounter in the wild, and the controls that meaningfully reduce risk. Reach for a guide when you are onboarding a new engineer, preparing for an internal training session, or trying to answer the question "what does good look like for this class of bug." Reach for a blog post instead when the topic is timely, opinionated, or tied to a specific incident or industry development. And when you have read enough and want to feel the bug under your hands, move to a challenge, where you will read realistic code, identify the vulnerable block, and pick the correct fix.

How the guides are organized

The guides are organized along three overlapping axes so that you can navigate from whichever direction makes sense for your work. The first axis is OWASP and CWE classification: well-known categories such as Injection, Broken Access Control, and Cryptographic Failures map directly to the way most security programs already think about risk. The second axis is attack surface: web applications, APIs, mobile clients, and the software supply chain each surface their own variants of the same underlying weaknesses, and the guides are tagged accordingly. The third axis is language relevance, because a parameterized query in one ecosystem can look very different in another, and the examples inside each guide are written to reflect that.

Who writes and maintains the guides

Every guide is bylined. The authors are practicing security engineers who work on the same kinds of codebases the guides discuss, which is why the examples lean concrete rather than abstract. We treat the library as a living resource: when a new edition of the OWASP Top 10 or an updated CWE entry changes the way a class of bug is named or categorized, the affected guides are refreshed rather than left to drift. Periodic reviews catch outdated framework references and update them in place, and the review date for each guide is visible from within the guide itself.