🚨 Think your web app is secure? Let’s find out! 💡 Ever heard of the OWASP Top 10? It’s THE cheat sheet for what hackers target most! 🔍 Spot these risks in your stack:
- Broken access control: Can anyone change user roles?
- Cryptographic failures: Is your data encrypted & protected?
- Injection: Are you validating user input?
- Insecure design: Did you embed security from the start?
- Misconfiguration: Still using default settings?
- Outdated components: Are your libraries patched?
- Auth failures: Are you using 2FA, rate limits?
- Integrity failures: Do you verify updates and plugins?
- Logging blind spots: Would you know if you were breached?
- SSRF: Are servers fetching only what’s safe?
#OWASPTop10 #AppSec #Infosec
OWASP Top 10: Common web app security risks
🔄 Pillar 2: Patch Applications Outdated software = open doors for hackers. Quick win: Enable auto-updates for all business-critical apps. #EssentialEight #PatchApplications #BlueshieldTechnologies #MelbourneBusiness #VictoriaIT #SpringvaleBusiness
Essential JWT Security (Part 2): Refresh Tokens and Revocation Made Simple. Mastering JWT Security: Refresh Tokens, Revocation, and Real Logout. So, before we dive in: here’s Part 1 — Essential JWT Security Best Practices for Developers — check it out if you haven’t already. → https://lnkd.in/gMbMBa5Y Alright, so last time we talked about JWTs and how people (me included, years ago) manage to mess them up. LocalStorage? Bad idea. Weak secrets? Been there, done that. But here’s the thing that really kept me up at night: once you hand out a JWT, how the hell do you take it back? They’re “stateless,” which sounds great on paper. Until a user clicks “log out,” closes their laptop, and then you realize… that token is still perfectly valid until it expires. If someone swiped it, they’re chilling in your app like nothing happened. That’s the “can’t take it back” problem. The way the pros handle it is by splitting the job in two. Think of it like theme park tickets: The access token is you https://lnkd.in/ga68bHu9
Ever wondered what’s really hiding behind the login screen of your app? New Feature in PentestScan: Authenticated Scan You can now scan real login zones and APIs – where critical vulnerabilities usually hide. Supported methods: Form login, HTTP Basic, Bearer token. Runs through a secure login flow (CSRF check, redirect handling). No credential storage – sessions are ephemeral, values masked in logs. Findings are clearly marked as “Authenticated” and include a Developer Playbook with concrete remediation steps. Reports (HTML/PDF) highlight that the scan was performed behind login. Perfect for teams that want to see the real security picture of authenticated areas and access controls. Try it at: https://pentestscan.app/ For a demo, send me a message. #AppSec #DevSecOps #WebSecurity #Pentest
JWT vs CSRF Token — What’s the Difference? In web security, both JWT (JSON Web Token) and CSRF Tokens help protect users — but they serve very different purposes.
JWT (JSON Web Token):
- Used for authentication. Proves who you are after login.
- Stored in localStorage, sessionStorage, or cookies.
- Sent with each request to verify user identity.
- Example use: API authentication in modern web apps.
CSRF Token (Cross-Site Request Forgery Token):
- Used for authorization protection. Ensures the request is coming from a trusted source.
- Typically included in forms or headers.
- Example use: Preventing malicious sites from submitting forms on your behalf.
In short:
🔸 JWT = “Who you are.”
🔸 CSRF Token = “Is this request safe?”
Both are essential — JWT secures login sessions, while CSRF Tokens secure user actions within those sessions.
From SQL Injection to XSS, File Inclusion and more, ModSecurity (ModSec) blocks attacks in real-time to keep your web apps safe. Learn how it works and why you need it: https://lnkd.in/eez_Tx3n
🚀 New Course Alert on Pluralsight! https://lnkd.in/eS53KqKq 🔐 Secure Your C# Apps Like a Pro! Struggling with managing API keys, connection strings, or sensitive settings? This course shows you how to keep your secrets safe using modern best practices, built-in .NET tools, and powerful encryption techniques like DPAPI. You’ll learn how to:
✅ Securely store secrets
✅ Protect your app config
✅ Use encryption the right way
✅ Level up your .NET security game
Whether you're building enterprise apps or side projects, this course will help you build securely from day one. If you found the course useful please join me at: https://lnkd.in/eevcRWZ8
CISO: "Our SCA scan reports some critical CVEs in the app, but our last pentest didn’t flag them. We’re good — it must be a false positive." Me: "Not really…" It’s actually quite common for a pentest to miss CVEs related to third-party libraries:
- The pentest was done before the CVE was published (sounds dumb, but it happens).
- Some CVEs don’t have a public exploit available.
- Even if an exploit exists, the pentester would have to guess which application parameter triggers the vulnerable library.
Any thoughts?
I learned about access tokens and refresh tokens. In that, I also learned why they were invented and the problems they solve. There are many security threats, such as:
- XSS
- MITM
- CSRF
Cookies help prevent these kinds of issues. The workflow of access tokens and refresh tokens is:
- User logs in → backend sends short-lived access token (JSON) + long-lived refresh token (HttpOnly cookie)
- Frontend stores access token in memory and uses it for requests
- If the access token expires, frontend calls /refresh (cookie sent automatically)
- Backend verifies the refresh token and issues a new access token
- Frontend retries the request
- Logout or token revocation clears the cookie and invalidates the refresh token.
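The access/refresh flow described in the post above, and the "can't take it back" revocation problem raised in the JWT Part 2 post earlier on this page, as an added example that is not from either post: a minimal HS256 access token plus a server-side, hashed refresh-token store with rotation on every refresh and real revocation on logout. The signing key, TTLs, the in-memory store and the `now` parameter are constructed assumptions; a real service would use a vetted JWT library and a persistent store.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: HS256 signing key
ACCESS_TTL = 15 * 60         # short-lived access token (seconds)
REFRESH_TTL = 7 * 24 * 3600  # long-lived refresh token (seconds)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_access_token(sub: str, now: int) -> str:
    """Minimal HS256 JWT (header.payload.signature) carrying sub and exp."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_access_token(token: str, now: int):
    """Return the subject if alg, signature and expiry all check out, else None."""
    if token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":  # reject alg confusion
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    return claims["sub"] if claims.get("exp", 0) > now else None

# Server-side refresh-token store: sha256(token) -> (sub, expiry). This state is what
# makes logout/revocation take effect before the access token expires on its own.
REFRESH_STORE: dict = {}

def login(sub: str, now: int):
    access = sign_access_token(sub, now)
    refresh_token = secrets.token_urlsafe(32)  # goes to the client in an HttpOnly cookie
    REFRESH_STORE[hashlib.sha256(refresh_token.encode()).hexdigest()] = (sub, now + REFRESH_TTL)
    return access, refresh_token

def refresh(refresh_token: str, now: int):
    """Rotate: consume the old refresh token and issue a new pair, or None if revoked/expired."""
    entry = REFRESH_STORE.pop(hashlib.sha256(refresh_token.encode()).hexdigest(), None)
    if entry is None or entry[1] <= now:
        return None
    return login(entry[0], now)

def logout(refresh_token: str) -> bool:
    """Revoke the refresh token; the client also drops its in-memory access token."""
    return REFRESH_STORE.pop(hashlib.sha256(refresh_token.encode()).hexdigest(), None) is not None
```

Because the store only keeps a hash, a database leak does not hand out usable refresh tokens, and because each refresh consumes the old token, a replayed refresh token is rejected.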
🚨 New CVE in OneLogin (7.7 CVSS): API flaw exposed all OIDC client secrets. Any attacker with valid keys could impersonate apps + move laterally. Patched in 2025.3.0 — details here ↓ https://lnkd.in/gdKNSzfP
CVE-2025-11940 | Severity: HIGH (7.3) | Bug Bounty Relevance: MEDIUM. LibreWolf's Installer component has an uncontrolled search path issue, potentially leading to arbitrary file system access. This may be exploitable locally by an attacker with access to the affected system. Strategy: Test for similar path traversal vulnerabilities in web browsers used on your targets; focus on installers, updates, and extension management components. https://lnkd.in/eT33P5b9