[{"data":1,"prerenderedAt":190},["ShallowReactive",2],{"blog-category-vulnerabilities":3},[4,10,16,20,25,31,37,41,46,51,55,61,65,70,74,78,82,86,91,95,100,104,108,112,117,121,125,130,134,138,142,147,151,155,159,163,168,173,178,182,186],{"path":5,"title":6,"description":7,"date":8,"readTime":9},"/blog/vulnerabilities/slopsquatting","Slopsquatting: How AI Coding Tools Install Fake Packages","AI coding tools hallucinate package names that don't exist. Attackers register those names with malware. Here's how slopsquatting works and how to protect your app.","2026-03-29","8 min read",{"path":11,"title":12,"description":13,"date":14,"readTime":15},"/blog/vulnerabilities/agentic-ai-security-risks","Agentic AI Security Risks: What Cursor Agent, Devin, and Codex Mean for Your Code","AI agents don't just suggest code. They write features, install packages, and modify configs autonomously. Here's the new attack surface this creates and what developers should do about it.","2026-03-13","9 min read",{"path":17,"title":18,"description":19,"date":14,"readTime":9},"/blog/vulnerabilities/ai-generated-code-security-flaws","45% of AI-Generated Code Has Security Flaws: What the Research Says","Veracode found that 45% of AI-assisted code contains security flaws. Stanford research confirms AI coding assistants produce less secure code. Here's what the data shows and what to do about it.",{"path":21,"title":22,"description":23,"date":14,"readTime":24},"/blog/vulnerabilities/vibe-hacking-exploits","Vibe Hacking: How Attackers Exploit AI-Built Apps","Vibe hacking targets predictable patterns in AI-generated code. Learn the 6 attack vectors hackers use against apps built with Cursor, Bolt, and Lovable, and how to defend against each one.","10 min read",{"path":26,"title":27,"description":28,"date":29,"readTime":30},"/blog/vulnerabilities/how-ai-apps-are-vulnerable","How AI-Generated Apps Are Vulnerable to Attacks (and How to Prevent Them)","AI coding tools produce working apps fast, but they also produce predictable security holes. Here's an attack-by-attack breakdown of the most exploited vulnerabilities in AI-built apps.","2026-03-10","20 min read",{"path":32,"title":33,"description":34,"date":35,"readTime":36},"/blog/vulnerabilities/vulnerable-dependencies","Vulnerable Dependencies Explained","Third-party packages can contain security vulnerabilities that put your app at risk. Learn how to find and fix vulnerable dependencies in your vibe-coded projects.","2026-01-27","7 min read",{"path":38,"title":39,"description":40,"date":35,"readTime":24},"/blog/vulnerabilities/xss","Cross-Site Scripting (XSS) Explained in Plain English","XSS attacks let hackers inject malicious scripts into your web pages. Learn how XSS works, see real examples, and discover how to protect your vibe-coded app.",{"path":42,"title":43,"description":44,"date":35,"readTime":45},"/blog/vulnerabilities/xxe","XXE (XML External Entity) Explained","XXE attacks exploit XML parsers to read files, make server requests, or crash applications. Learn how XXE works and why modern apps that don't use XML are usually safe.","6 min read",{"path":47,"title":48,"description":49,"date":50,"readTime":15},"/blog/vulnerabilities/sql-injection","SQL Injection Explained: How Attackers Manipulate Your Database","SQL injection lets attackers read, modify, or delete your database through input fields. Learn how SQLi works and how to protect your vibe-coded app with parameterized queries.","2026-01-26",{"path":52,"title":53,"description":54,"date":50,"readTime":45},"/blog/vulnerabilities/websocket-security","WebSocket Security Explained","WebSockets bypass traditional HTTP security controls. Learn about WebSocket authentication, origin validation, and common security pitfalls to avoid.",{"path":56,"title":57,"description":58,"date":59,"readTime":60},"/blog/vulnerabilities/subdomain-takeover","Subdomain Takeover Explained","Subdomain takeover happens when DNS points to an unclaimed external service. Attackers can claim that service and host content on your subdomain.","2026-01-23","5 min read",{"path":62,"title":63,"description":64,"date":59,"readTime":60},"/blog/vulnerabilities/timing-attacks","Timing Attacks Explained","Timing attacks measure how long operations take to extract secrets. Learn about timing-safe comparisons and how to protect sensitive operations.",{"path":66,"title":67,"description":68,"date":69,"readTime":60},"/blog/vulnerabilities/mass-assignment","Mass Assignment Explained","Mass assignment lets attackers modify fields they should not have access to by adding extra properties to requests. Learn how to whitelist allowed fields.","2026-01-22",{"path":71,"title":72,"description":73,"date":69,"readTime":60},"/blog/vulnerabilities/missing-rate-limiting","Missing Rate Limiting Explained","Without rate limiting, attackers can brute force passwords, scrape data, or DoS your app. Learn how to implement rate limiting in your API and authentication.",{"path":75,"title":76,"description":77,"date":69,"readTime":60},"/blog/vulnerabilities/regex-dos","ReDoS (Regex DoS) Explained","ReDoS attacks use malicious input to make regular expressions take exponential time. Learn how to identify and fix vulnerable regex patterns in your code.",{"path":79,"title":80,"description":81,"date":69,"readTime":9},"/blog/vulnerabilities/sensitive-data-exposure","Sensitive Data Exposure Explained","Sensitive data exposure happens when personal, financial, or confidential information isn't properly protected. Learn how data leaks happen and how to secure user data.",{"path":83,"title":84,"description":85,"date":69,"readTime":36},"/blog/vulnerabilities/ssrf","SSRF (Server-Side Request Forgery) Explained","SSRF lets attackers make your server send requests to internal systems. Learn how SSRF works and how to protect server-side URL fetching in your app.",{"path":87,"title":88,"description":89,"date":90,"readTime":45},"/blog/vulnerabilities/prototype-pollution","Prototype Pollution Explained","Prototype pollution lets attackers inject properties into JavaScript object prototypes, affecting all objects. Learn how it works and how to prevent it.","2026-01-21",{"path":92,"title":93,"description":94,"date":90,"readTime":45},"/blog/vulnerabilities/race-conditions","Race Conditions Explained","Race conditions let attackers exploit timing gaps between check and use. Learn how TOCTOU bugs work and how to prevent them with proper locking and atomicity.",{"path":96,"title":97,"description":98,"date":99,"readTime":45},"/blog/vulnerabilities/insufficient-logging","Insufficient Logging Explained","Without proper logging, you can't detect attacks or investigate breaches. Learn what to log, what not to log, and how to set up security monitoring.","2026-01-20",{"path":101,"title":102,"description":103,"date":99,"readTime":60},"/blog/vulnerabilities/open-redirect","Open Redirect Explained","Open redirects let attackers use your site to redirect users to malicious pages. Learn how open redirects work and how to safely handle redirects.",{"path":105,"title":106,"description":107,"date":99,"readTime":60},"/blog/vulnerabilities/path-traversal","Path Traversal Explained","Path traversal lets attackers read files outside your intended directory using ../ sequences. Learn how to safely handle file paths in your application.",{"path":109,"title":110,"description":111,"date":99,"readTime":9},"/blog/vulnerabilities/security-misconfiguration","Security Misconfiguration Explained","Security misconfiguration covers default passwords, verbose errors, missing security headers, and exposed admin panels. Learn the common misconfigs in vibe-coded apps.",{"path":113,"title":114,"description":115,"date":116,"readTime":15},"/blog/vulnerabilities/exposed-api-keys-explained","Exposed API Keys: What They Are and Why They're Dangerous","API keys in your frontend code can lead to stolen data and surprise bills. Learn what exposed API keys are, how to find them, and how to fix the problem.","2026-01-19",{"path":118,"title":119,"description":120,"date":116,"readTime":60},"/blog/vulnerabilities/insecure-cookies","Insecure Cookies Explained","Missing cookie security flags can expose session tokens to theft via XSS or network attacks. Learn how to set HttpOnly, Secure, and SameSite flags properly.",{"path":122,"title":123,"description":124,"date":116,"readTime":60},"/blog/vulnerabilities/insecure-file-permissions","Insecure File Permissions Explained","Improper file permissions can expose sensitive files to unauthorized users. Learn how to set proper permissions for config files, uploads, and secrets.",{"path":126,"title":127,"description":128,"date":129,"readTime":9},"/blog/vulnerabilities/exposed-api-keys","Exposed API Keys Explained: The #1 Vibe Coding Vulnerability","API key exposure is the most common security issue in AI-generated code. Learn what exposed API keys are, why they're dangerous, and how to fix them fast.","2026-01-16",{"path":131,"title":132,"description":133,"date":129,"readTime":36},"/blog/vulnerabilities/graphql-vulnerabilities","GraphQL Vulnerabilities Explained","GraphQL APIs have unique security challenges including introspection leaks, deep queries, and batching attacks. Learn how to secure your GraphQL endpoint.",{"path":135,"title":136,"description":137,"date":129,"readTime":45},"/blog/vulnerabilities/insecure-deserialization","Insecure Deserialization Explained","Insecure deserialization lets attackers execute code by manipulating serialized data. Learn how this vulnerability works and why it's rare in modern JavaScript apps.",{"path":139,"title":140,"description":141,"date":129,"readTime":36},"/blog/vulnerabilities/jwt-vulnerabilities","JWT Vulnerabilities Explained","JWT implementation mistakes can let attackers forge tokens or bypass authentication. Learn about algorithm confusion, weak secrets, and proper JWT validation.",{"path":143,"title":144,"description":145,"date":146,"readTime":45},"/blog/vulnerabilities/cors-misconfiguration","CORS Misconfiguration Explained","CORS misconfiguration can expose your API to unauthorized cross-origin requests. Learn how CORS works, common mistakes, and how to configure it securely.","2026-01-15",{"path":148,"title":149,"description":150,"date":146,"readTime":9},"/blog/vulnerabilities/csrf","CSRF Explained: Cross-Site Request Forgery in Plain English","CSRF tricks users into performing unwanted actions on sites where they're logged in. Learn how CSRF attacks work and how to protect your app with tokens and SameSite cookies.",{"path":152,"title":153,"description":154,"date":146,"readTime":45},"/blog/vulnerabilities/dns-rebinding","DNS Rebinding Explained","DNS rebinding lets attackers bypass same-origin policy by switching DNS resolution mid-session. Learn how it works and how to protect your local services.",{"path":156,"title":157,"description":158,"date":146,"readTime":60},"/blog/vulnerabilities/hardcoded-credentials","Hardcoded Credentials Explained","Hardcoded passwords and secrets in source code get pushed to repos and exposed. Learn how to find and remove hardcoded credentials from your codebase.",{"path":160,"title":161,"description":162,"date":146,"readTime":9},"/blog/vulnerabilities/idor","IDOR Explained: Insecure Direct Object Reference","IDOR lets attackers access other users' data by changing IDs in URLs or requests. Learn how this common vulnerability works and how to protect your vibe-coded app.",{"path":164,"title":165,"description":166,"date":167,"readTime":60},"/blog/vulnerabilities/email-header-injection","Email Header Injection Explained","Email header injection lets attackers add CC/BCC recipients or modify email content through form inputs. Learn how to sanitize email inputs properly.","2026-01-14",{"path":169,"title":170,"description":171,"date":172,"readTime":60},"/blog/vulnerabilities/clickjacking","Clickjacking Explained","Clickjacking tricks users into clicking hidden elements on your site embedded in malicious pages. Learn how to prevent it with X-Frame-Options and CSP headers.","2026-01-13",{"path":174,"title":175,"description":176,"date":177,"readTime":45},"/blog/vulnerabilities/api-authentication-bypass","API Authentication Bypass Explained","API authentication bypass lets attackers access protected endpoints without proper credentials. Learn about common bypass techniques and how to prevent them.","2026-01-12",{"path":179,"title":180,"description":181,"date":177,"readTime":45},"/blog/vulnerabilities/broken-access-control","Broken Access Control Explained","Broken access control is the #1 web security risk. It happens when users can access resources or actions they should not be authorized for. Learn how to fix it.",{"path":183,"title":184,"description":185,"date":177,"readTime":24},"/blog/vulnerabilities/broken-auth","Broken Authentication Explained: When Login Security Fails","Broken authentication lets attackers bypass login systems, take over accounts, or impersonate users. Learn the common auth failures in vibe-coded apps and how to fix them.",{"path":187,"title":188,"description":189,"date":177,"readTime":60},"/blog/vulnerabilities/command-injection","Command Injection Explained","Command injection lets attackers run arbitrary system commands through your application. Learn how it works and how to safely execute commands without risk.",1775843918546]