guides
Security guides, checklists, and standards - explained.
Practical, accurate how-tos for testing and securing web apps and APIs, plus the OWASP standards explained - all cross-linked to the vulnerabilities and concepts they cover.
Testing how-tos
How to Test for IDOR (Broken Object Level Authorization)
A step-by-step method for finding Insecure Direct Object Reference (IDOR / BOLA) flaws in web apps and APIs using two accounts.
How to Prevent SSRF (Server-Side Request Forgery)
Concrete controls to prevent Server-Side Request Forgery, including DNS-rebinding-safe validation and cloud metadata hardening.
JWT Security Best Practices
How to validate and configure JSON Web Tokens correctly to prevent forgery, algorithm confusion, and token abuse.
Checklists
Standards explained
OWASP Top 10 (2021) Explained
A concise explanation of each OWASP Top 10 (2021) category, with links to the underlying vulnerabilities.
OWASP API Security Top 10 (2023) Explained
Each OWASP API Security Top 10 (2023) risk explained, with a focus on the authorization flaws that dominate API breaches.
Continuous Penetration Testing: A Practical Guide
What continuous penetration testing is, why point-in-time testing falls short, and how to adopt it.