🛡️ Cross-Site Scripting (XSS): The Bug That Hides in Plain Sight
XSS survives because it looks harmless in the editor — it only becomes obvious once someone else's browser runs your attacker's script instead of your app.
Practical write-ups on the vulnerabilities we see most often, written for developers rather than auditors.
XSS survives because it looks harmless in the editor — it only becomes obvious once someone else's browser runs your attacker's script instead of your app.
Setting Access-Control-Allow-Origin to * is the fastest way to silence a CORS error during development — and one of the easiest security decisions to forget to undo.
It's the single most common finding in almost every codebase we scan. Not because developers don't know better, but because the environment-variable version is one extra step slower during a demo.
"We hash passwords" isn't actually a complete answer. Which algorithm, how it's salted, and how comparisons happen all matter just as much as the fact that hashing happens at all.