Hands-on web security: SQL injection, XSS, SSRF, RCE, and the labs to practice all of them.
CVE-2026-23111 is a one-character nf_tables use-after-free that escalates any unprivileged Linux user to root through user namespaces, and a public exploit is now out. Here is how I detect it, the user-namespace mitigation that matters most, the kernel patch, and a safe VM lab to reproduce it.
Most database attacks want money. The Meow attack just wipes your data, renames what is left with a -meow suffix, and walks away with no ransom note and no explanation. Here is how the bot works, why it exists, and how to avoid being harvested.
CVE-2026-31431 (Copy Fail) is a Linux kernel local privilege escalation that turns any unprivileged shell into root on essentially every distribution shipped since 2017. Here is how I check it, patch it, mitigate it pre-patch, and understand how the exploit actually works.
In May 2026 an automated bot wiped a terabyte of Elasticsearch data on a personal project of mine, through a port I left open. Here is exactly how the ransomware works, why it found me, and the boring one-time fixes that stop it.
The API security tools I actually reach for in 2026: Burp Suite, mitmproxy, OWASP ZAP, kiterunner, Postman, jwt_tool, graphql-cop, and the commercial platforms. Strengths, weaknesses, and how I decide which to use.
The file upload vulnerability tools I actually reach for in 2026: fuxploider, Burp Upload Scanner, weevely, exiftool, ffuf, and the webshell repos. Strengths, weaknesses, and how I decide which to use.
The application-layer DoS testing tools I actually use in 2026 for resilience and load testing: k6, wrk2, slowhttptest, recheck, h2spec/h2load, Burp Turbo Intruder, Locust, and ZAP. Strengths, weaknesses, and how I pick.
The clickjacking tools I actually reach for in 2026: PoC generators, OWASP ZAP, DNSChkr HTTP Security Headers, Mozilla Observatory, Burp Active Scanner, and the post-Yibelo double-clickjacking PoC repos. Honest framing on a thin tool space.
The cross-site scripting tools I actually reach for in 2026: XSStrike, Dalfox, kxss/Gxss, Burp Suite with DOM Invader, BeEF, XSS Hunter, OWASP ZAP, and Caido. Strengths, weaknesses, and how I decide which to use.
The insecure deserialization tools I actually use in 2026: ysoserial for Java, ysoserial.net for .NET, marshalsec, PHPGGC, Burp's Java Deserialization Scanner, GadgetInspector, and the honest story on Python pickle. Strengths, weaknesses, and how I pick.
The LFI and path traversal tools I actually reach for in 2026: LFISuite, LFImap, dotdotpwn, ffuf with SecLists, Burp Intruder, kadimus, and PayloadsAllTheThings. Honest strengths, weaknesses, and when each one wins.
The SSRF tools I actually reach for in 2026: SSRFmap, Gopherus, Burp Collaborator, interactsh, ffuf, and the PayloadsAllTheThings cloud-metadata kit. Strengths, weaknesses, and how I decide which to use.
The SQL injection tools I actually reach for in 2026: sqlmap, ghauri, jSQL Injection, NoSQLMap, Havij (and why I do not use it), plus Burp Suite's role and the manual workflow. Strengths, weaknesses, and how I decide which to use.
The CSRF tools I actually reach for in 2026: Burp Suite's PoC generator, OWASP ZAP, xsrfprobe, Param Miner for hidden token discovery, plus the manual Origin and SameSite workflow. Honest framing on a defence class that mostly won.
The XXE tools I actually reach for in 2026: XXEinjector, Burp Suite with Collaborator, interactsh, oxml_xxe, docem, PayloadsAllTheThings, and ffuf. Why XXE is a manual-heavy class, what libxml hardening changed, and how I decide.
The remote code execution tools I actually reach for in 2026: commix for OS command injection, SSTImap for template injection, msfvenom and Metasploit for payloads, Sliver for the C2 layer, and Burp Collaborator for blind variants. Honest trade-offs.
Visitors to your WordPress site see a fake 'Cloudflare verification' page telling them to paste a command into Windows Run or Terminal. That's ClickFix, the social-engineering campaign that first appeared in early 2024 and exploded across compromised WordPress sites by autumn. What it does, where the injection lives in your site, and how to clean it without missing the persistence.
A field-tested LFImap reference: target selection, traversal wordlists, PHP wrappers (filter/input/data/expect/file), command injection, RFI, log/proxy/cookie shaping, second-order requests, and the `PWN` placeholder. Grounded in the real argparse surface.
A complete LFImap walkthrough against a deliberately vulnerable lab app: endpoint identification, baseline scan, traversal, php://filter source disclosure, php://input RCE, and log poisoning. Every step reproducible with one docker compose command.
A field-tested Dalfox v3 reference: target specification, detection tuning, parameter mining, blind XSS callbacks, evasion, pipeline patterns, and output shaping. Updated for the v3 Rust rewrite that consolidates everything under `dalfox scan`.
A complete Dalfox walkthrough against a deliberately vulnerable XSS lab: reflected, stored, and DOM sinks, captured request files, blind callbacks, custom payloads, and a working cookie-theft chain. Updated for the Dalfox v3 Rust rewrite (May 2026) with the unified scan subcommand.
A complete commix walkthrough against a deliberately vulnerable lab app: identify the sink, capture the request, run the classic, time-based, and file-based techniques, pop an os-shell, catch a reverse TCP, and exploit the escapeshellcmd argument-injection gap.
A field-tested SSRFmap reference: target capture, the real module list (readfiles, portscan, redis, fastcgi, mysql, smtp, axfr, aws, gce, alibaba, digitalocean, github, zabbix, postgres, docker, socksproxy, smbhash, tomcat, memcache, networkscan, custom), handler setup, cloud metadata workflows, and where Burp Repeater is still the better tool.
A complete SSRFmap walkthrough against a deliberately vulnerable lab: identify the sink, capture the Burp request, run detection, read local files, scan internal hosts, bypass a broken allowlist, hit the IMDS mock, and confirm blind SSRF out of band.
The backup plugin running inside WordPress is the same WordPress the attacker just compromised. A 3-2-1 backup strategy with restic or borg, stored outside the trust boundary, and verified by monthly test restores. Configuration, retention, and the exact restore sequence after a compromise.
API security in depth: why the API surface is now larger than the web-app surface it replaced, a walk through the OWASP API Top 10 (2023), BOLA and mass assignment in detail, JWT and GraphQL specifics, and the defences that actually work.
Wordfence, Sucuri, and every in-WordPress security plugin can be disabled by malware running with the same privileges. The fix is monitoring at a layer the attacker can't touch: AIDE, maldet, or a custom cron-driven script running as root. With working configurations for each.
Blind SSRF is the variant where the server fetches the URL but the application hides the response. I walk the timing oracles, DNS and HTTP out-of-band exfil patterns, blind port scanning, and the defences that work even when nothing comes back to the attacker.
A field reference for XXEinjector: target options, request file format with the XXEINJECT marker, OOB and direct modes, PHP filter wrappers, file enumeration, logging, and custom listeners. Grouped by what you are trying to do.
WordPress security plugins running inside WordPress can be disabled by anything that runs inside WordPress, including the malware they're supposed to catch. The four mechanisms attackers use to silently turn off Wordfence, Sucuri, Jetpack, WP Activity Log, and similar tools, plus the server-side monitoring layer that doesn't depend on WordPress being trustworthy.
A field-tested fuxploider reference: target shaping, true/false response detection, extension fuzzing, cookies and headers, proxying, threading, and what to do once a webshell uploads. Grounded in the real argparse surface.
A complete fuxploider walkthrough against a deliberately vulnerable upload lab: baseline, extension bypass via .phar, lying about MIME, the double-extension trick against Apache AddHandler, a working webshell, and a Weevely pivot. Reproducible with one docker compose command.
OpenSnitch is an application firewall for Linux that asks per process before any program talks to the network. Install it, answer the prompts, and write rules that stick.
A complete XXEinjector walkthrough against a deliberately vulnerable PHP/libxml app: in-band file read, PHP filter source disclosure, blind out-of-band exfil, XInclude, and the textbook recursive-PE chain that no longer fires on libxml 2.9.14.
wp-config.php is the first PHP file WordPress loads. The defaults from the stock installation are minimal; the hardened defaults take five minutes to apply and close most of the attack surface that lives below the plugin layer. A complete annotated template covering disabled file editing, forced HTTPS, secure salt rotation, debug behavior, and the file permissions that matter.
A cleanup that doesn't identify the entry point is temporary. The methodical access-log analysis that finds exactly which plugin CVE, credential vector, or upload path got the attacker in, with the grep one-liners, the timestamp correlation against file modification times, and the cases where the entry is in a log other than the access log.
Application-layer (L7) denial of service: Slowloris-class slow reads, HTTP/2 Rapid Reset and CONTINUATION flood, ReDoS, decompression bombs, hash flooding, GraphQL abuse, and the defences that actually hold.
Use USBGuard to block USB devices on Linux: generate a policy from the hardware you trust, set the daemon to reject everything else, and allow new devices by hand.
Fake administrator accounts that appear in wp_users without anyone creating them are one of the most common signs of a WordPress compromise. The detection SQL, the SQL that finds the mechanism that's creating them, and the cleanup that has to happen at both the user level and the persistence level for the account creation to stop.
A field-tested commix reference for OS command injection: targeting, request shaping, detection techniques, tamper scripts, enumeration, shell options, file operations, and evasion. Grouped by what you are actually trying to do.
Thousands of ?wordfence_lh=1&hid= URLs in Google Search Console come from Wordfence's Live Traffic feature. The setting that stops them, the check to run first, and why robots.txt is the wrong fix.
Insecure deserialization deep dive: how object reconstruction becomes remote code execution across Java, .NET, Python, PHP, Ruby, and Node, with gadget chains, real CVEs, and the defences that actually work.
Authorization header SQL injection lives in hand-rolled API key schemes that query a tokens table by the bearer value. JWT-based auth is mostly safe; custom token schemes are not. The vulnerable code, manual exploit, sqlmap commands, and the cleaner defence.
Set up LUKS remote unlock over SSH with Dropbear in the initramfs, so an encrypted root server can finish booting after a reboot without a console or KVM.
Hashcat benchmark numbers for the NVIDIA GeForce GTX 1080 Ti across 152 hash modes, with a modern context: how the 1080 Ti compares to the RTX 3090, 4090, and 5090, and when it's still worth using in 2026.
WordPress malware that survives cleanups isn't stronger malware; it's malware with persistence. A complete catalog of where attackers hide the re-infection logic, wp_options autoload, WP-Cron, server crontab, .htaccess auto_prepend, mu-plugins, drop-ins, custom REST endpoints, and modified wp-config, with detection scripts for each.
How to get sqlmap past commercial WAFs. Tamper scripts that still work, request shaping (delays, chunked encoding, HPP), fingerprint reduction, when tamper chains fail and you need to drop to manual Burp Repeater, and the defender's view of what these techniques look like in the logs.
Thousands of hits to wp-admin/admin-ajax.php are almost always your own site: WordPress Heartbeat and plugins, not a DDoS. How to read the action parameter, when it is a real attack, and why blocking the file breaks your site.
SSH refuses your key with WARNING: UNPROTECTED PRIVATE KEY FILE. The one-line fix is chmod 600, plus the full set of ~/.ssh permissions and ownership SSH actually checks. Linux, macOS, Windows.
ssh_scan is Mozilla's SSH configuration and policy scanner: point it at a host, get a JSON report of the algorithms the daemon offers and where they fail a security policy.
Host header SQL injection happens in multi-tenant SaaS apps that look up the tenant by hostname. Same pattern applies to X-Forwarded-Host. The vulnerable code, how to test it by hand, the sqlmap one-liner, and the defence that scales with tenant count.
Grant one user access to a file without changing its group, using POSIX ACLs with setfacl, reading them with getfacl, and setting defaults that new files inherit.
XXE deep dive: in-band file reads, out-of-band exfiltration via external entities, XInclude, billion-laughs DoS, and what libxml 2.9.x's hardening actually changed in 2026.
Lock SSH down to keys only: disable password and root login in sshd_config, the settings that actually matter, and how to apply them without locking yourself out.
If one site in a shared hosting account gets compromised, every other site under the same Linux user is at risk. Cleaning a single site without addressing the shared file system leaves the door open for reinfection from any sibling site. The structural problem and the realistic fixes, open_basedir, suEXEC, isolated users, and when to move hosts.
Clickjacking end to end: invisible iframes, like-jacking and payment-jacking, the 2024 double-clickjacking PoC that sidesteps frame-ancestors, and the headers that actually stop the attack.
Why SSH warns that the remote host identification has changed, when it is safe to clear, and the one command that removes the stale known_hosts entry: ssh-keygen -R.
JSON-body SQL injection is the modern face of the bug: REST APIs, GraphQL resolvers, and ORM raw-query escape hatches. How developers paint themselves into the corner with template strings around JSON fields, the manual exploit, sqlmap commands with --data and *, and the defence.
Disable direct root login over SSH and on the console, lock the root password, and move everyone to a normal account plus sudo, without locking yourself out.
CSRF in 2026: how the classic GET/POST/JSON variants still work, what SameSite=Lax actually changed in 2020, and the defences that hold up: anti-CSRF tokens, Origin validation, Fetch Metadata, and custom headers.
How to run sqlmap through Tor or proxychains correctly. The native --tor flag, the proxychains wrapper, DNS leak prevention, rate-limit reality, when not to do it, and how to verify your traffic is actually anonymised before testing.
Configure NOPASSWD in a sudoers drop-in for a user or a specific command, the security trade-offs, and how to scope it tightly so it is not a free root shell.
Point sudo at your own warning text with a sudo lecture file: set lecture and lecture_file in sudoers via visudo, control when it shows, and write the message users see before their first sudo.
What the s and t bits do, why /usr/bin/passwd is setuid and /tmp is sticky, how to set them, and how to audit a system for risky setuid binaries.
Remote code execution explained from the sink level up. Command injection, argument injection past escapeshellarg, server-side template injection, and direct eval, with a Dockerised lab that reproduces each one, plus the defences that actually contain blast radius.
Referer-header SQL injection lives in click-attribution tables, marketing analytics, and anti-CSRF logging. Same shape as User-Agent injection but distinct enough to need its own treatment. Vulnerable code, curl exploit, sqlmap commands, defence.
Generate a hardware-backed SSH key on a YubiKey with one ssh-keygen command. How FIDO2/U2F SSH keys work, the difference between ed25519-sk and ecdsa-sk, resident keys, and the firmware and OpenSSH versions you need.
Set maximum password age, warning days, and an account expiry date with chage, and read the current aging with chage -l. The full password-lifecycle reference.
Add, change, or remove the passphrase on an existing SSH key with ssh-keygen -p. No need to regenerate the key or reinstall it on any server.
Set an SSH login banner that shows before authentication with the Banner directive in sshd_config. The difference from /etc/motd, the config, and the caveats.
Edit sudo rules without locking yourself out: why visudo syntax-checks before saving, drop-in files in /etc/sudoers.d, and the rules you actually need.
A step-by-step methodology for finding and removing malware from a compromised WordPress site, written by a Security+ certified engineer who's been cleaning sites since the early WordPress 2.x era. Covers every attack vector: file backdoors, database injections, .htaccess hijacks, wp-config tampering, and recurring reinfection. Originally written in 2016, updated regularly as new patterns emerge.
X-Forwarded-For SQL injection lives in geolocation tables, audit logs, IP-based ban lists, and rate-limit lookups. Same family includes X-Real-IP, X-Client-IP, True-Client-IP. The vulnerable code, manual exploit with curl, sqlmap commands, and the fix.
A complete sqlmap walkthrough against a deliberately vulnerable lab app: target identification, baseline, capture, detection, fingerprinting, enumeration, dumping, file read, and OS shell. Every step reproducible with one docker compose command.
Run a command as a different user with sudo -u or runuser, including as a service account that has no login shell, and the difference between the two.
Set up LUKS disk encryption with cryptsetup: format a block device, open it, put a filesystem on it, and mount it. The four commands, plus the header backup nobody warns you about.
How SSRF actually works, the Capital One breach as the canonical case study, every modern variant (blind, DNS rebinding, cloud metadata, wrapper schemes, tool-call orchestrators), reproducible exploits against a Dockerised lab, IMDSv2, and the allowlist patterns that hold up in production.
Cookie SQL injection happens when an application reads a cookie value and concatenates it into a query, almost always for preference, theme, A/B-bucket, or hand-rolled session lookups. The vulnerable code patterns, manual exploit, sqlmap commands, detection, and the fix.
Disable a login without deleting the account using usermod -L, passwd -l, an expired account, or a nologin shell, and how to reverse each one.
User-Agent SQL injection lives in analytics tables, audit logs, and bot-detection lookups. The vulnerable code, why developers think it's safe, the manual curl exploit, the sqlmap one-liner, the detection signals, and the fix at the code and infrastructure level.
Practical nmap command examples I reach for: host discovery, the default port scan, service and version detection, OS fingerprinting, scoped scans with timing control, and the scripting engine, with notes on when each one needs root.
A practical map of every place SQL injection can live inside an HTTP request: query string, URL path, request body (form, JSON, XML, multipart filename), and every header from User-Agent to Authorization. Where attackers look, why developers miss each one, and where to start hardening.
Expire a password with chage -d 0 or passwd -e so the user must set a new one the next time they log in. The difference from locking, and how to undo it.
A field-tested sqlmap reference: target specification, request shaping, detection tuning, DBMS fingerprinting, enumeration, dumping, file system access, OS command execution, evasion, and tamper scripts. Grouped by what you are actually trying to do.
Remove a user with userdel, including the home directory and mail spool with -r, plus what to do about files they owned elsewhere on the system.
How attackers turn an upload form into RCE: extension blacklists, MIME validation, double extensions, polyglots, and the validation patterns that actually work in 2026.
Change your own or another user's password with passwd, force a reset at next login, and the rules root can set that ordinary users cannot.
Web servers that ship their .git/ directory to production hand their entire source history to anyone with curl. I walk the detection, the reconstruction (with four reference dumpers under 200 lines each), the credential mining, and the one-line nginx fix.
Cross-site scripting deep dive: three variants (reflected, stored, DOM), the cookie-theft chain end to end, and the modern defences (CSP, Trusted Types, HttpOnly, framework auto-escaping) that actually move the needle.
Grant sudo by adding a user to the sudo or wheel group, or with a sudoers drop-in, and how to scope it to specific commands instead of full root.
How SQL injection actually works, what every major variant looks like (union-based, error-based, boolean blind, time blind, out-of-band, second-order, NoSQL), how to exploit each one against a vulnerable app, and how to defend against them at the code, query, and infrastructure layers.
WPScan v3.8+ usage reference for WordPress security audits: install on Linux/macOS, API token setup, the command patterns that matter (enumerate users, vulnerable plugins, brute force), JSON output, and how WPScan compares to Wordfence, Sucuri, and WPSec.
A practitioner's map of every major web application vulnerability class: SQL injection, XSS, CSRF, SSRF, RCE, file upload, path traversal, authentication and session attacks, deserialization, clickjacking, XXE, supply chain, DoS, DNS, and API attacks. How each works, how to exploit it in a lab, and how to defend against it.