Security Knowledge Base

Authentication bypass is a category of bug where the attacker reaches a protected resource without the credentials that should have been required. The most embarrassing CVEs of the last decade live here.

XSS lets an attacker run their own JavaScript in another visitor's browser session on your site. From there: account takeover, stolen passwords, fake login screens.

Bugs and protocol weaknesses that let an attacker make your service unavailable, ranging from volumetric DDoS to single-packet protocol flaws and quadratic-time regex traps. What attackers gain from taking you offline, and what realistically protects you.

Every security finding in your scan report comes with a severity score and sometimes a "known-exploited" flag. Here is how to read those scores and decide what to fix first when several show up at once.

When an application reads structured data sent over the network and the attacker can shape that data, "reading" can quietly turn into "running attacker-supplied code". The bug class behind dozens of headline RCEs.

Path traversal lets an attacker read or write files outside the directory your application meant to expose. Often the second step on the way to a full server takeover.

A JavaScript-specific bug class where attacker-controlled input rewrites properties on the global Object prototype, infecting every object the application creates. The path from a single bad merge to authentication bypass and remote code execution.

RCE is the worst-case outcome of a software bug. An attacker on the internet can run their own commands on your server. What enables it, what attackers actually do once inside, and why patches really cannot wait.

SSRF lets an attacker make web requests from your server to anywhere the server can reach — including internal admin panels and the cloud metadata service. The Capital One breach in one short article.

SQL injection lets an attacker rewrite the questions your application asks its database. Done well, it gives them every record in every table — and sometimes the operating system underneath.

A database CVE matters not because of the service itself but because of what runs in the database. The "exposed to the internet" question is more important than the CVE list.

FTP is an old protocol with old problems: cleartext credentials, anonymous access enabled by default in legacy installs, and a long CVE history. The better question is whether you should be running FTP at all.

Mail servers process attacker-supplied data on every connection. Bugs in them often turn into pre-authentication code execution or full mailbox disclosure. The category that gave us the Exim 2019 wave.

OpenSSH is the front door to most servers on the internet. The really serious bugs are rare; on the other hand, version-only matching produces a lot of noise. How to read SSH findings sensibly.

A vulnerability in your web server is more serious than the same kind of bug elsewhere — it sits at the front door, sees every request, and a successful attack usually means the attacker can run code. Why patches matter, and what to do if they have to wait.

Your site has HTTPS, but visitors who type the address without "https://" still land on the unsecured version. The fix is a one-line redirect, and it closes a real and frequently-exploited gap.

Your site is reachable only over plain HTTP. Every visitor's connection — login forms, form submissions, page contents — crosses the network in clear text where it can be read or altered.

A Content Security Policy is a list of trusted sources for the scripts, styles, and embeds your website loads. Without one, a single bug in your application can let an attacker run their code on every visitor's browser.

HSTS tells browsers "always use HTTPS for this domain, never plain HTTP". Without it, the very first connection a visitor makes is unprotected and an attacker can keep them on the unsecured version indefinitely.

Without a Referrer-Policy, your visitor's browser may quietly leak the full URL of every page on your site to every third party you link to or load resources from. The fix is one line.

Without an embedding policy, an attacker can load your site inside their own webpage and trick visitors into clicking buttons they didn't mean to click. The classic clickjacking setup.

Without this small instruction, browsers can occasionally guess that a file you served — say, an uploaded image — is actually a script and execute it. The fix is one line.

BIMI puts your verified company logo next to your name in the inbox at Gmail, Apple Mail and others. It's a brand-protection feature that only works once your other email-protection records are in place.

A CAA record is a public list of which certificate authorities are allowed to issue HTTPS certificates for your domain. Without it, any of the world's public certificate authorities could issue one in your name.

DKIM is the digital signature your mail provider attaches to outgoing email so receivers can confirm nothing was tampered with along the way. Without it, the rest of your email-protection setup is missing a layer.

A DMARC record exists, but the policy is set to p=none. Receivers report on failures but take no action, so spoofed messages still pass through. Here is how to escalate safely to quarantine and reject.

DMARC is the rule book that tells receiving mail servers what to do when an email pretending to come from your domain fails its checks. Without it, even a perfect SPF setup leaks past many providers.

DNSSEC adds a tamper-proof seal to the lookup that translates your domain name into a server address. Without it, an attacker on the network can quietly redirect your visitors and your email.

MTA-STS forces the encryption of email coming in to your domain. Without it, an attacker on the network can quietly downgrade incoming mail to unencrypted and read it.

Without an SPF record, anyone on the internet can send email that pretends to come from your domain. Why it matters and how to fix it.

Email addresses and passwords from your domain have appeared in third-party data breaches. Here is where this data comes from, how attackers turn it into account takeover, and what to do about it.

A cookie-banner platform is in place on your site. The blueredix scanner doesn't click "Accept" or "Decline" for you, so verifying it actually blocks trackers before consent is something to do yourself.

Loading Google Fonts directly from Google sends your visitors' IP addresses to Google before any consent. The Munich I court ordered €100 in damages for a single request. Self-host the fonts instead.

A live Google Maps iframe sends visitor IPs to Google before consent. Use a click-to-load placeholder or the Maps Static API for simple location displays.

German law requires a clearly labelled legal-notice page reachable from every page within two clicks. Missing or hidden Impressum pages are a classic warning-letter target.

Your site loads tracking cookies and third-party marketing scripts on the very first visit, and we couldn't find any consent banner. Under GDPR and the German TDDDG that's the textbook violation.

GDPR Articles 13 and 14 require every website to publish a privacy policy describing what data is collected and why. Missing policies are an easy finding for both regulators and competitors.

A third-party tracking script downloads and runs on the very first page load, before the visitor has given consent. Under GDPR and TDDDG that is unlawful processing, even if the script "doesn't do anything yet".

A tracking cookie was written to the visitor's browser on first page load, before any consent. Same legal failure as a tracker script, and just as easy to fix.