Author: VSec
-
HTTP Request Smuggling Explained with CVE-2026-2833
Modern web applications rarely receive requests directly. Before a request reaches the application, it may pass through a CDN, WAF, reverse proxy, load balancer, cache layer, API gateway, service mesh, and finally the backend server. Basically, a small committee of components gets together to decide what the user actually sent. What could possibly go wrong?…
-
SaaS Security: The Apps Companies Forget Still Hold Data
Every company has an official list of tools. Then there is the real list: free trials, browser extensions, plugins, old workspaces, vendor portals, abandoned dashboards and integrations created for a “quick report.” Nothing says “mature security program” like discovering sensitive data is protected by a shared link and organizational memory. The problem is not that…
-
NoSQL Injection in the Real World: Breaking Mongoose with CVE-2025-23061
NoSQL has spent years enjoying a strangely comfortable reputation, almost as if removing the word SQL also removed the chance of turning user input into a security problem. Sadly, attackers never signed that agreement. This article explores NoSQL Injection through a controlled lab based on CVE-2025-23061, a critical Mongoose flaw tied to “populate().match”. The vulnerable…
-
Burp Suite Guide: The Heimdall of the Web
Burp Suite is the standard toolkit for intercepting, inspecting, and modifying HTTP traffic between a client (browser or mobile app) and a web server. If you can see the request and the response, you can test what matters: authentication, authorization, input handling, session behavior, and the real security posture of the application. This tutorial focuses…
-
How AI Is Actually Helping Pentesters Today
If the internet is to be believed, AI is either replacing every pentester next week or doing nothing beyond rewriting payloads with extra confidence. As usual, both takes are a little dramatic and a lot less useful than reality. This article is not about attacking AI systems themselves. That angle was already covered in The…
-
The n8n Nightmare: Exploiting CVE-2026-21858
Automation is supposed to save time, reduce mistakes, and make teams look far more organized than they really are. Then a critical vulnerability shows up and reminds everyone that giving one platform access to files, workflows, secrets, and integrations was definitely a bold lifestyle choice. That is exactly why CVE-2026-21858 got so much attention. It…
-
Using Shodan – Attack Surface Discovery & Monitoring
Shodan is a search engine for internet-exposed systems. Instead of indexing web pages, it indexes services (SSH, HTTP, databases, VPNs, remote admin panels, etc.) and their banners/metadata, which makes it extremely useful for attack surface discovery and continuous exposure monitoring. This tutorial focuses on authorized, defensive use: mapping what your company exposes to the internet,…
-
Container Security Isn’t Just Image Scanning
Containers made software delivery faster, cleaner, and much easier to scale. Teams package an app, ship it, and move on. Security shows up, adds image scanning to the pipeline, and suddenly everyone sleeps better. Fair enough. Green checks are comforting. Sadly, attackers do not care how pretty your dashboard looks. Why Image Analysis Matters Image…
-
IAM Isn’t Just SSO: The Team, the Process, and the Tools
Identity and Access Management (IAM) is one of those topics that feels painfully boring, right up until someone gets access they shouldn’t, and suddenly it’s everybody’s “top priority.” At its core, IAM is simply how a company manages identities and controls who can access what, when, and under which conditions. In this article on VSec,…
-
SQLMap: Automating SQL Injection
sqlmap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection (SQLi) vulnerabilities in web applications and databases. This tutorial focuses on responsible, low-impact validation: confirm whether a parameter is injectable, identify the back-end DBMS and technique used, and collect just enough evidence to help engineering fix the issue—without turning…