Application security

How web apps become exposed

This topic collects practical notes on how modern web applications become exposed: weak flows, missing access checks, unsafe input handling, session mistakes, and trust boundaries that are assumed instead of enforced.

What this page is for

A clear, plain-language map of where web application risk tends to appear and how to think about fixing it.

Topic

A practical look at the flows, inputs, and trust boundaries that carry real risk in web applications, with notes on how issues show up and how to reason about fixes.

What this topic covers

  • The flows that carry real risk: login, account actions, payments, anything sensitive
  • Authentication and session handling, and the assumptions behind them
  • Access control gaps: privilege escalation and broken object-level access
  • Input handling: injection, unsafe parsing, and weak validation
  • Configuration and trust-boundary issues that quietly widen your attack surface

Useful for

  • Developers building products with accounts, permissions, or sensitive data
  • Learners trying to understand where web security issues come from
  • Small teams who want a clearer view of application risk
  • Anyone who wants an honest second pair of eyes on their security thinking

How I explore it

1. Understand how the system is meant to work

   Start with the intended behavior: where sensitive actions happen, what data matters, and where the application assumes trust.

2. Look at where risk actually collects

   Focus on the flows, inputs, and edge cases that tend to hide real issues, not just what a checklist would flag.

3. Write it so it can be understood

   Good security notes explain impact and fixes in plain language. No vague risk scores; just what is wrong, why it matters, and what would improve it.

What I document

  • Short notes on common web application failure modes
  • Plain-language explanations without jargon nobody reads
  • Practical fix patterns and tradeoffs
  • Examples from labs, reviews, and controlled test setups

Attack surface notes

Have a web security question?

If this topic connects to something you are building or learning, you can ask a concrete question and I will take a look when I can.