How to fix common vulnerabilities
Step-by-step fix guides for the vulnerability classes that come up most often in real audits. Each guide has detection steps, ordered fix instructions, code examples in multiple languages, and verification tests. Built around the same playbook our scanners use.
How to fix BOLA / IDOR
Broken Object Level Authorization — the #1 OWASP API vulnerability. Multi-role replay testing, fix patterns, and verification.
Read guide
How to fix SQL injection
Parameterized queries, ORM usage patterns, escape strategies and the cases where they all fail. Plus tests to verify the fix sticks.
Read guide
How to fix XXE (XML External Entity)
Disabling external entities in 6 popular XML parsers (libxml2, lxml, Java, .NET, PHP, Node). Plus DTD attack, file read and SSRF prevention.
Read guide
How to fix SSRF (Server-Side Request Forgery)
Allow-list approach, URL validation, IMDS protection (cloud metadata), DNS rebinding defense. The 6 fix layers in the right order.
Read guide
How to fix JWT alg:none vulnerability
The classic JWT bypass. Why it still happens in 2026 (yes, really), how to lock the algorithm in 5 popular libraries, and how to test you got it right.
Read guide
How to fix CORS misconfiguration
Wildcard with credentials, reflected origin, null origin, trusting subdomain — the 4 fatal CORS patterns and how to fix each in nginx, Express and Next.js.
Read guide
How to fix XSS (Cross-Site Scripting)
All three variants — reflected, stored, DOM-based. Output escaping in React/Vue, sanitization, CSP setup, HttpOnly cookies, DOM XSS audit patterns.
Read guide
How to fix Path Traversal
Why stripping ../ doesn't work. Path canonicalization + allow-listing in Node, Python, Go, PHP. Plus zip-slip and LFI variants.
Read guide
How to fix NoSQL Injection
MongoDB / CouchDB / DynamoDB. $ne / $gt / $regex / $where injection. Type casting, schema validation, and disabling server-side JavaScript.
Read guide
How to fix SSTI (Server-Side Template Injection)
Jinja2, Twig, Freemarker, ERB, Handlebars. Don't render user input AS templates — render it INTO templates. Sandboxing and isolation patterns.
Read guide
How to fix CSRF
SameSite cookies, CSRF tokens, double-submit pattern, Origin/Referer validation. The 5 fix layers and when each matters.
Read guide
How to fix Insecure Deserialization
Java ObjectInputStream, Python pickle, PHP unserialize, Ruby YAML, .NET BinaryFormatter. Why JSON is the answer, and how to migrate safely.
Read guide
How to fix Insecure File Upload
Layered defense: extension + MIME + magic bytes + random filenames + separate origin + ClamAV. The chain that catches polyglot files and zip-slip.
Read guide
How to fix Business Logic Abuse
Price manipulation, quantity tampering, status spoofing, mass assignment. Server-authoritative defenses for checkouts and state machines.
Read guide
How to fix Race Conditions
TOCTOU, double-spend, inventory oversell. DB transactions, atomic UPDATE WHERE, distributed locks, idempotency keys.
Read guide
How to fix Prototype Pollution
JavaScript-specific. __proto__ / constructor.prototype attacks via _.merge / Object.assign. Object.create(null), Map, sanitization, dependency upgrades.
Read guide
How to fix Host Header Injection
Password reset poisoning, cache poisoning, SSRF via Host. Allow-list hostnames at the framework + proxy + cache layers.
Read guide
How to fix Command Injection
OS command injection / RCE. Pass arguments as arrays (no shell), allow-list commands, use language-native libraries, sandbox subprocesses.
Read guide
Want us to scan and tell you which apply?
The Free Trial runs all the detection logic from these guides against your homepage automatically. No credit card.
Run free vulnerability scan