Browse by Category

+ added · ✎ updated 7d

⚖ Terms of Use

Security terms

26 terms of 1444 total · page 1 of 2

🔒 Defending code from the threats that never sleep

Security vulnerabilities do not announce themselves — they wait quietly in code that looks perfectly fine on the surface. This category covers attack vectors, defensive techniques, secure coding practices, and the mental models that help you think like an attacker before one finds you. From SQL injection and XSS to authentication flaws and cryptographic pitfalls, understanding these terms is not optional — it is professional responsibility.

Sort A → Z Recently Added Recently Updated Difficulty Most Viewed Most Rated Most Shared

Level All Beginner Intermediate Advanced

✕ Clear A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Server-Side Includes (SSI) Injection

Attacker-controlled SSI directives (``) injected into pages parsed by Apache or another SSI-enabled server, achieving file disclosure or remote command execution.

CWE-97 OWASP A3:2021

1w ago security intermediate 9.8

Software Composition Analysis (SCA)

The practice and tooling for identifying all open-source and third-party components in a codebase, detecting known vulnerabilities (CVEs) in them, and flagging licence risks — distinct from static analysis of your own code.

3w ago security intermediate

Safe Mode Removal & Modern Alternatives PHP 4.0+

PHP's safe_mode was removed in PHP 5.4 — it provided false security. Modern alternatives are open_basedir, OS-level permissions, and containers.

2mo ago security intermediate

Stream Filter Injection via php:// wrapper PHP 5.0+

PHP stream wrappers (php://filter, php://input) combined with user-controlled filenames enable LFI-to-RCE escalation — never allow user input in file paths.

2mo ago security advanced

Secure File Downloads PHP 5.0+

Preventing path traversal, unauthorised access, and content injection when serving file downloads — validating paths, checking authorisation, and setting correct headers.

2mo ago security intermediate

Sensitive Data in Logs PHP 7.0+

Logging passwords, tokens, credit card numbers, or PII — log aggregators store data indefinitely and are often less secured than primary databases.

2mo ago security intermediate

Salted Hashing PHP 5.5+

Prepending or appending a unique random value (salt) to each password before hashing, neutralising precomputed rainbow table attacks.

CWE-759 OWASP A2:2021

2mo ago security beginner

SameSite Cookie Attribute PHP 7.3+

A cookie attribute controlling whether the browser sends a cookie with cross-site requests, providing strong CSRF mitigation.

CWE-352 OWASP A1:2021

2mo ago security intermediate

SameSite Lax Bypass PHP 7.3+

SameSite=Lax still sends cookies on top-level GET navigations — attackers can exploit this with GET-based state-changing endpoints.

CWE-352 OWASP A1:2021

2mo ago security advanced 6.5

SAST vs DAST vs IAST PHP 5.0+

Three automated security testing approaches: SAST analyses source code without running it, DAST attacks a running app from outside, IAST instruments the app from within during testing.

2mo ago security intermediate

Second-Order SQL Injection PHP 5.0+

Malicious data is safely stored in the database but later retrieved and used unsafely in a subsequent SQL query.

CWE-89 OWASP A3:2021

2mo ago security advanced 8.8

Secrets Management

Storing, distributing, and rotating credentials securely — using dedicated tools rather than .env files in version control or hardcoded values in source code.

2mo ago security intermediate

Security by Design PHP 5.0+

Integrating security requirements into software architecture and design from the very beginning, rather than bolting it on afterwards.

2mo ago security intermediate

Security Misconfiguration PHP 5.0+

Insecure default settings, unnecessary features, or missing hardening steps leave applications and infrastructure exposed.

CWE-16 OWASP A5:2021

2mo ago security beginner 7.5

Sensitive Data Exposure PHP 5.0+

Passwords, tokens, PII, or financial data exposed in logs, error messages, URLs, or unencrypted storage.

CWE-200 OWASP A2:2021

2mo ago security beginner

Diagram: Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) PHP 5.0+

The server is tricked into making HTTP requests to internal or unintended destinations on behalf of the attacker.

CWE-918 OWASP A10:2021

2mo ago security advanced 8.6

Server-Side Template Injection (SSTI) PHP 5.0+

User input is embedded directly into a server-side template, allowing arbitrary code execution on the server.

CWE-1336 OWASP A3:2021

2mo ago security advanced 9.8

Session Riding PHP 5.0+

An alternative term for CSRF — the attacker 'rides' the victim's authenticated session to perform actions on their behalf.

CWE-352 OWASP A1:2021

2mo ago security intermediate 8.1

Shift-Left Security (DevSecOps) PHP 5.0+

Integrating security practices earlier in the development lifecycle — at design and coding time — rather than as a final gate before release.

2mo ago security beginner

Side-Channel Attack

Information is leaked through observable characteristics of a system — timing, power consumption, or cache behaviour — rather than via direct data access.

CWE-208 OWASP A2:2021

2mo ago security advanced 5.9

1 2 Next →

✓ schema.org compliant