
Authentication
A threat-focused guide to authentication, covering attack paths, design pitfalls, and concrete defenses from password storage to MFA, sessions, and recovery.
Deep dives, investigations, and research notes from the JustAppSec team.
This content is authored with assistance from OpenAI's advanced reasoning models (classified as AI-assisted content). Material is reviewed, validated, and refined by our team, but some issues may be missed and best practices evolve rapidly. Please use your best judgment when reviewing this material. We welcome corrections and improvements.
Send corrections to [email protected].
We cite sources directly where possible. Some elements may be derived from content linked to the OWASP Foundation, so this work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. You are free to share and adapt this material for any purpose, even commercially, under the terms of the license. When doing so, please reference the OWASP Foundation where relevant. JustAppSec Limited is not associated with the OWASP Foundation in any way.


Covers how attackers exploit intended workflows and business rules to gain unfair advantage or bypass controls. Includes threat modeling ideas, common abuse patterns, and defensive validation strategies.

Explains how untrusted input reaches OS command execution paths and enables remote command execution. Covers common vectors, impact, and safe invocation patterns.

Describes how CORS works and how misconfigurations expose cross-origin data to attackers. Provides threat models and practical policy hardening guidance.

Explains how CSRF abuses a victim's authenticated browser to perform unintended actions. Covers common delivery methods and layered defenses like tokens, SameSite, and origin checks.

Covers reflected, stored, and DOM-based XSS risks and why they remain high impact. Provides prevention guidance including contextual encoding, safe APIs, and CSP.

Details how unsafe uploads lead to malware, code execution, and data exposure across systems. Provides validation, storage isolation, scanning, and hardening controls.

Explains object-level authorization failures that let users access or modify other users' data. Covers attack patterns and robust authorization checks.

Explains JWT structure, threat models, and common validation pitfalls. Includes secure usage practices for signing, claims validation, and token storage.

Describes how automatic model binding can let attackers set sensitive fields. Provides safe binding patterns, DTO usage, and allowlist controls.

Explains why passwords must be hashed with salts and slow KDFs to resist offline cracking. Covers algorithm choices, peppers, and operational best practices.

Explains how directory traversal lets attackers read or write files outside intended scopes. Covers normalization, allowlisting, and filesystem hardening.

Covers how adversarial prompts can subvert LLM behavior or trigger unintended actions. Provides defense-in-depth guidance for prompt design, input handling, and output validation.

Explains how unsafe object merging can taint prototypes and alter application logic. Covers common vectors and mitigations like key filtering and safe object creation.

Explains how PostgreSQL RLS enforces tenant and user isolation at the data layer. Covers policy design, session context patterns, and common pitfalls.

Outlines how to embed security into planning, design, implementation, and deployment. Covers threat modeling, risk assessment, and secure-by-design practices.

Explains how untrusted URLs can make servers reach internal or cloud metadata endpoints. Covers validation, allowlisting, and network egress controls.

Explains session token lifecycle risks such as hijacking and fixation. Covers secure cookie settings, rotation, and timeout strategies.

Covers how unsafe query construction enables data theft and database compromise. Provides parameterization and least privilege guidance.

Explains how untrusted input can be executed by template engines on server or client. Covers safe templating patterns, sandboxing, and encoding.

Describes structured methods to identify threats early using models like STRIDE and attack trees. Covers risk rating and mitigation planning.