Browse by Category

+ added · ✎ updated 7d

⚖ Terms of Use

Security terms

45 terms of 1444 total · page 1 of 3

🔒 Defending code from the threats that never sleep

Security vulnerabilities do not announce themselves — they wait quietly in code that looks perfectly fine on the surface. This category covers attack vectors, defensive techniques, secure coding practices, and the mental models that help you think like an attacker before one finds you. From SQL injection and XSS to authentication flaws and cryptographic pitfalls, understanding these terms is not optional — it is professional responsibility.

Sort A → Z Recently Added Recently Updated Difficulty Most Viewed Most Rated Most Shared

Level All Beginner Intermediate Advanced

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Client-Side Template Injection (CSTI)

Attacker-controlled input rendered as a template expression by a client-side framework (AngularJS, Vue, Handlebars), executing JavaScript in the victim's browser.

CWE-1336 OWASP A3:2021

1w ago security advanced 7.5

CSS Injection & Data Exfiltration via Stylesheets

Attacker-controlled CSS injected into a page or stylesheet that exfiltrates data via attribute selectors and `url()` callbacks, defaces UI, or enables phishing — all without a single line of JavaScript.

CWE-79 OWASP A3:2021

1w ago security advanced 6.5

Attack where injected HTML elements with controlled `id` or `name` attributes overwrite JavaScript globals or document properties, weaponising script-less HTML injection into code execution.

CWE-79 OWASP A3:2021

1w ago security advanced 6.5

Insecure Deserialization

Deserializing attacker-controlled data can trigger arbitrary object construction and method calls — PHP's unserialize() with untrusted input enables remote code execution via gadget chains in the loaded class graph.

CWE-502 OWASP A8:2021

4w ago security advanced

Side-channel attacks that infer secret values by measuring how long an operation takes — a string comparison that short-circuits on the first mismatch leaks information about the secret one character at a time.

4w ago security advanced

Null Byte in File Paths (Legacy PHP) PHP 3.0+

Null bytes (%00) in file paths truncated strings at the C level in PHP < 5.3.4 — PHP 5.3.4+ throws a warning, PHP 7 throws ValueError for NUL in paths.

2mo ago security advanced

Prompt Injection Attacks (LLM Security)

An attack where malicious instructions embedded in user input or retrieved content override an LLM's system prompt — causing it to ignore its instructions, reveal confidential information, or take unintended actions.

2mo ago security advanced

Double URL Encoding Bypass PHP 4.0+

Filters operating on URL-decoded input miss double-encoded payloads — %2527 decodes to %27 which decodes to ' — always decode completely before filtering.

2mo ago security advanced

preg_replace /e Modifier (Removed) PHP 3.0+

The /e modifier in preg_replace() evaluated the replacement as PHP code — removed in PHP 7.0. Any legacy code using it is a critical RCE vulnerability.

2mo ago security advanced

Stream Filter Injection via php:// wrapper PHP 5.0+

PHP stream wrappers (php://filter, php://input) combined with user-controlled filenames enable LFI-to-RCE escalation — never allow user input in file paths.

2mo ago security advanced

Type Coercion in Authentication Checks PHP 4.0+

PHP's loose comparison (==) coerces types — '0e123' == '0e456' (both 0 in scientific notation), and 0 == 'admin' — always use === for authentication comparisons.

2mo ago security advanced

Variable Variables ($$var) Risks PHP 3.0+

$$var creates a variable whose name is the value of $var — using it with user input allows arbitrary variable access/creation and is effectively a backdoor.

2mo ago security advanced

2FA Bypass Techniques PHP 5.0+

Common ways attackers circumvent two-factor authentication — SIM swapping, real-time phishing proxies, SS7 attacks, backup code theft, and session cookie hijacking after authentication.

2mo ago security advanced

Diagram: API Abuse Prevention

API Abuse Prevention PHP 5.0+

Techniques to detect and block bots, scrapers, credential stuffing, and automated abuse — beyond basic rate limiting to behavioural and intelligence-based controls.

2mo ago security advanced

Business Logic Abuse

Exploiting flaws in application workflows rather than technical vulnerabilities — bypassing payment steps, abusing discount codes, manipulating quantity fields, or racing concurrent requests.

2mo ago security advanced

Cache-Timing Side-Channel Attacks PHP 5.6+

Attacks that infer secret information from response time differences — cached responses arrive faster than uncached ones, leaking whether a resource exists or a secret was correct.

2mo ago security advanced

Cookie Security Attributes PHP 7.3+

Modern cookie prefixes (__Host-, __Secure-) and the Partitioned attribute enforce strict security properties that cannot be overridden by JavaScript or subdomains.

2mo ago security advanced

Dependency Confusion Attack PHP 5.0+

An attacker publishes a public package with the same name as a private internal package — package managers may fetch the malicious public version instead of the private one.

2mo ago security advanced

Deserialization Gadget Chains PHP 5.0+

PHP object injection exploits that chain existing class methods (__wakeup, __destruct, __toString) to achieve remote code execution when unserialize() processes attacker-controlled data.

2mo ago security advanced

GraphQL Security PHP 7.0+

GraphQL's flexibility creates unique security challenges — introspection exposure, unbounded query depth, N+1 amplification, and injection through dynamic resolvers.

2mo ago security advanced

1 2 3 Next →

✓ schema.org compliant