Research

Deep dives, investigations, and research notes from the JustAppSec team.

Authentication

A threat-focused guide to authentication, covering attack paths, design pitfalls, and concrete defenses from password storage to MFA, sessions, and recovery.

AuthenticationIdentity

Business Logic Abuse

Covers how attackers exploit intended workflows and business rules to gain unfair advantage or bypass controls. Includes threat modeling ideas, common abuse patterns, and defensive validation strategies.

Business LogicFraud

Command Injection

Explains how untrusted input reaches OS command execution paths and enables remote command execution. Covers common vectors, impact, and safe invocation patterns.

Command InjectionRCE

Cross-Origin Resource Sharing (CORS)

Describes how CORS works and how misconfigurations expose cross origin data to attackers. Provides threat models and practical policy hardening guidance.

CORSWeb SecurityAppSec

Cross-Site Request Forgery (CSRF)

Explains how CSRF abuses a victim's authenticated browser to perform unintended actions. Covers common delivery methods and layered defenses like tokens, SameSite, and origin checks.

CSRFSession Security

Cross-Site Scripting (XSS)

Covers reflected, stored, and DOM based XSS risks and why they remain high impact. Provides prevention guidance including contextual encoding, safe APIs, and CSP.

XSSInjection

File Upload Security

Details how unsafe uploads lead to malware, code execution, and data exposure across systems. Provides validation, storage isolation, scanning, and hardening controls.

File UploadMalware

Insecure Direct Object References (IDOR)

Explains object level authorization failures that let users access or modify other users' data. Covers attack patterns and robust authorization checks.

IDORAccess Control

JSON Web Tokens (JWT)

Explains JWT structure, threat models, and common validation pitfalls. Includes secure usage practices for signing, claims validation, and token storage.

JWTAuthentication

Mass Assignment

Describes how automatic model binding can let attackers set sensitive fields. Provides safe binding patterns, DTO usage, and allowlist controls.

Mass AssignmentAPI SecurityAppSec

Password Storage

Explains why passwords must be hashed with salts and slow KDFs to resist offline cracking. Covers algorithm choices, peppers, and operational best practices.

PasswordsCryptography

Path Traversal

Explains how directory traversal lets attackers read or write files outside intended scopes. Covers normalization, allowlisting, and filesystem hardening.

Path TraversalFile System

Prompt Injection

Covers how adversarial prompts can subvert LLM behavior or trigger unintended actions. Provides defense in depth guidance for prompt design, input handling, and output validation.

Prompt InjectionLLM SecurityAI Security

Prototype Pollution

Explains how unsafe object merging can taint prototypes and alter application logic. Covers common vectors and mitigations like key filtering and safe object creation.

Prototype PollutionJavaScript

Row-Level Security Patterns for Postgres

Explains how PostgreSQL RLS enforces tenant and user isolation at the data layer. Covers policy design, session context patterns, and common pitfalls.

PostgresRLSAccess Control

Secure Software Development Lifecycle

Outlines how to embed security into planning, design, implementation, and deployment. Covers threat modeling, risk assessment, and secure-by-design practices.

SSDLCSecure Design

Server-Side Request Forgery (SSRF)

Explains how untrusted URLs can make servers reach internal or cloud metadata endpoints. Covers validation, allowlisting, and network egress controls.

SSRFNetwork Security

Session Management

Explains session token lifecycle risks such as hijacking and fixation. Covers secure cookie settings, rotation, and timeout strategies.

SessionsAuthentication

SQL Injection

Covers how unsafe query construction enables data theft and database compromise. Provides parameterization and least privilege guidance.

SQL InjectionDatabase Security

Template Injection

Explains how untrusted input can be executed by template engines on server or client. Covers safe templating patterns, sandboxing, and encoding.

Template InjectionRCE

Threat Modeling

Describes structured methods to identify threats early using models like STRIDE and attack trees. Covers risk rating and mitigation planning.

Threat ModelingSecure Design

Loading research…

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.