Category
Security & WAF
Every tool and article in this category, gathered in one place.
Tools
CVSS vector decoder
Paste a CVSS v3.1 or v3.0 vector and get the score computed and mapped to a severity, with every metric spelled out. Local and offline; nothing is sent anywhere.
SAML Decoder
Paste a SAML Response or assertion (raw, base64, or URL-encoded) and decode its issuer, status, subject, conditions, audience, and attributes, with signature and weak-algorithm checks. Hardened against XXE.
Secure Headers Analyzer
Paste an HTTP response and get a graded breakdown of its security headers, cookie flags, and cross-origin policy, checked against OWASP, RFC 6797, CSP Level 3, and RFC 6265bis.
SSRF URL classifier
Paste a URL and see where it actually points: loopback, a private or link-local range, a cloud metadata endpoint, CGNAT, reserved space, or the public internet. Decimal, octal, and hex IP obfuscation is decoded, dangerous schemes and embedded credentials are flagged, and an SSRF risk level is shown. It never resolves DNS and never sends the request.
XML Decoder
Paste XML and read its structure: the declaration, the DOCTYPE and any entities, the element tree with namespaces and attributes, plus a security check of the XML attack surface. Nothing is fetched or resolved.
Articles
HTTP Security Headers: The Defense-in-Depth Layer
What HTTP security headers are, why they form a layer of defense on top of secure code rather than a replacement for it, the headers that carry the most weight, and how to read a response's posture at a glance.
ReadRegex Quantifiers and Character Classes
A regular expression is built from two questions: what character do I want, and how many of them? Character classes answer the first, quantifiers answer the second. Get these two right and most of regex falls into place.
ReadSAML 2.0: How Browser SSO Works
What a SAML assertion is, the roles of the identity provider and service provider, the SP-initiated Web Browser SSO flow end to end, and the difference between the HTTP-POST and HTTP-Redirect bindings that carry the messages.
ReadContent Security Policy, Directive by Directive
How CSP works as a control against cross-site scripting and injection: the shape of a policy, why default-src matters, what 'unsafe-inline' and 'unsafe-eval' give away, how nonces and hashes allow specific inline code safely, and what report-only mode is for.
ReadInside a SAML Assertion: Subject, Conditions, and Audience
The anatomy of a SAML assertion: the Subject and NameID formats, bearer SubjectConfirmation and the NotOnOrAfter / Recipient / InResponseTo checks, the Conditions validity window, the AudienceRestriction, and the AuthnStatement, with the validation a service provider must perform on each.
ReadRegex Groups, Backreferences, and Lookarounds
Parentheses do far more than set precedence in a regex. They capture text for you to reuse, name the pieces you care about, and — with a question mark prefix — let you assert what comes before or after without consuming it.
ReadCatastrophic Backtracking and ReDoS
Some innocent-looking patterns can take seconds, minutes, or effectively forever on a short string. The cause is catastrophic backtracking, and when an attacker controls the input it becomes a denial-of-service bug. Here is why it happens and how to write patterns that cannot.
ReadHSTS and HTTPS Enforcement
How Strict-Transport-Security closes the HTTP downgrade window, what max-age, includeSubDomains, and preload each do, the trust-on-first-use gap that preloading removes, and the configuration mistakes that quietly disable it.
ReadSAML Signatures and XML-DSig
How a SAML message is signed with XML Signature: the enveloped ds:Signature, the SignatureMethod and DigestMethod algorithms, why SHA-1 is weak, the difference between signing the Response and signing the Assertion, and how XML signature wrapping attacks work.
ReadCookie Security Flags
How Secure, HttpOnly, and SameSite protect session cookies, what each SameSite value means, why SameSite=None requires Secure, and how the __Host- and __Secure- prefixes enforce those guarantees at the browser level.
ReadRegex Anchors and Boundaries
Anchors match a position, not a character: the start or end of the string, or the edge of a word. They are the difference between a pattern that matches anywhere and one that matches only where you mean. This covers ^, $, \b, and their multiline behavior, plus the mistakes they cause.
ReadXXE and Why a SAML Parser Rejects DOCTYPE
How XML External Entity (XXE) attacks work, the billion-laughs denial-of-service, why both depend on a DTD, and why a hardened SAML decoder rejects any DOCTYPE or entity declaration outright rather than trying to parse it safely.
ReadClickjacking and Frame Control
What clickjacking is, how framing makes it possible, the difference between the legacy X-Frame-Options header and the modern CSP frame-ancestors directive, why ALLOW-FROM is obsolete, and how the two controls interact.
ReadRegex Flags and Modes
A flag changes how the whole pattern matches: case sensitivity, whether ^ and $ see lines, whether the dot crosses newlines, and whether whitespace in the pattern is ignored. The same regex can match completely different things depending on its flags, so knowing them prevents a lot of confusion.
ReadSAML Bindings and SP vs IdP Initiation
A SAML flow can start at the service or at the identity provider, and the messages can travel by two different bindings: an HTTP redirect with the message packed into the URL, or an auto-submitting HTML form that POSTs it. Which binding carries which message, and where the flow begins, explains a lot of SSO behavior.
ReadXXE and External Entities
XML lets a document declare entities, and an external entity can point at a file or URL. A parser that resolves one can be tricked into reading local files or making server-side requests, the XXE vulnerability. The fix is blunt and effective: do not process a DOCTYPE at all.
ReadBillion Laughs and Entity Expansion
Entities can reference other entities, and if each one multiplies the last, a tiny document can expand to gigabytes and exhaust memory. The billion laughs attack weaponizes this into a denial of service. The defense is to cap expansion or refuse the DOCTYPE outright.
ReadHow CVSS Scoring Works
CVSS turns a short vector string into a 0 to 10 severity number using a fixed formula. The Base score is built from two sub-scores: Exploitability (how reachable and easy the flaw is) and Impact (how bad the outcome is). Everything else refines that base. This is arithmetic, not opinion, which is why a calculator can reproduce any published score exactly.
ReadThe CVSS Base Metrics, Explained
The Base score comes from eight metrics in two families. Four exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction) describe how hard the attack is, and four impact metrics (Scope, plus Confidentiality, Integrity, Availability) describe the damage. Scope is the subtle one: it is what lets a score exceed the vulnerable component's own boundary.
ReadCVSS Temporal and Environmental Scores
The Base score is only the starting point. Temporal metrics lower it as facts emerge, such as a patch being released, and can only reduce the score. Environmental metrics let an organization re-score the flaw for its own systems by raising or lowering the importance of confidentiality, integrity, and availability and by overriding base metrics. Both are optional but produce a more honest number.
ReadReading a CVSS Vector String
A CVSS vector is a compact, self-describing string: a version prefix followed by slash-separated metric:value pairs. Learning to read it directly, rather than trusting a rendered score, lets you spot transcription errors and understand exactly what a vendor claimed. The Base metrics are mandatory and the rest are optional.
ReadCVSS Severity Bands, and What the Score Does Not Tell You
The 0 to 10 number maps to five qualitative bands from None to Critical. That mapping is useful for triage, but a CVSS Base score measures severity, not risk. It says nothing about whether a flaw is being exploited, how valuable the asset is, or what controls you have. Treating the base number as a priority queue is the most common way teams misuse CVSS.
ReadCVSS v3.0, v3.1, and v4.0: What Changed
This decoder computes CVSS v3.0 and v3.1. The two v3 releases share a formula but differ in rounding and one environmental term, so scores can differ by a tenth. CVSS v4.0, released in 2023, is a larger redesign with new metric groups and no Scope metric, and its vectors are not compatible with v3 tooling. CVSS v2 is retired.
ReadWhat Is Server-Side Request Forgery (SSRF)
SSRF is a vulnerability where an attacker makes a server issue an HTTP request to a destination of the attacker's choosing. Because the request originates inside the server's network, it can reach internal services, cloud metadata, and loopback addresses that the attacker could never reach directly. The fix is to validate the destination, not the URL string.
ReadPrivate, Reserved, and Public IP Ranges
An SSRF filter has to know which addresses are internal. This is the map: RFC 1918 private space, loopback, link-local, carrier-grade NAT, the documentation ranges, and everything else that is public and routable. Knowing the ranges is what turns a raw address into a safe-or-not decision.
ReadIP Address Obfuscation Tricks
One IP address can be written in many forms: plain decimal, octal, hexadecimal, short-hand, and IPv4-mapped IPv6. Each form parses back to the same address, which is how attackers slip an internal target past a filter that only blocks the dotted-decimal spelling. This is why SSRF checks must decode, not string-match.
ReadCloud Metadata Endpoints and SSRF
Every major cloud gives an instance a metadata service at a fixed link-local address, and it can return temporary credentials for the instance's role. That makes it the single highest-value SSRF target. Knowing the endpoints, and the IMDSv2-style defenses, is essential for both attack understanding and defense.
ReadDefending Against SSRF with Allow-Lists
The durable SSRF defense is an allow-list of intended destinations, combined with resolving the address before you trust it and re-checking after redirects. Block-lists of internal ranges help, but they lose to obfuscation and DNS rebinding. This is the layered approach that holds up.
ReadDangerous URL Schemes in SSRF
SSRF is not limited to http. Schemes like file, gopher, dict, and ftp let an attacker read local files or craft raw bytes to internal services such as Redis and SMTP. A URL fetcher that does not restrict the scheme hands an attacker a far more powerful primitive than a plain web request.
Read