Application security
How web apps become exposed
This topic collects practical notes on how modern web applications become exposed: weak flows, missing access checks, unsafe input handling, session mistakes, and trust boundaries that are assumed instead of enforced.
What this page is for
A clear, plain-language map of where web application risk tends to appear and how to think about fixing it.
A practical look at the flows, inputs, and trust boundaries that carry real risk in web applications, with notes on how issues show up and how to reason about fixes.
What this topic covers
- The flows that carry real risk: login, account actions, payments, anything sensitive
- Authentication and session handling, and the assumptions behind them
- Access control gaps: privilege escalation and broken object-level access
- Input handling: injection, unsafe parsing, and weak validation
- Configuration and trust-boundary issues that quietly widen your attack surface
Useful for
- Developers building products with accounts, permissions, or sensitive data
- Learners trying to understand where web security issues come from
- Small teams who want a clearer view of application risk
- Anyone who wants an honest second pair of eyes on their security thinking
How I explore it
Understand how the system is meant to work
Start with the intended behavior: where sensitive actions happen, what data matters, and where the application assumes trust.
Look at where risk actually collects
Focus on the flows, inputs, and edge cases that tend to hide real issues, not just what a checklist would flag.
Write it so it can be understood
Good security notes explain impact and fixes in plain language. No vague risk scores; just what is wrong, why it matters, and what would improve it.
What I document
- Short notes on common web application failure modes
- Plain-language explanations without jargon nobody reads
- Practical fix patterns and tradeoffs
- Examples from labs, reviews, and controlled test setups
Attack surface notes
Have a web security question?
If this topic connects to something you are building or learning, you can ask a concrete question and I will take a look when I can.
Related topics
Secure Development
Practical notes on building web applications with fewer security surprises: how to think about auth, input handling, data exposure, dependencies, and tradeoffs while you build.
Pentest Preparation
Plain-language notes on what a penetration test is, how scope works, what a useful report should contain, and which questions are worth asking before you choose a testing provider.