invicti.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-19.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-04-19 | Broken Object-Level Authorization (BOLA): What It Is and How to Prevent It | API Sec | Reference explaining Broken Object-Level Authorization (BOLA), the most common API vulnerability, where unchecked object identifiers expose sensitive data. It details how attackers exploit BOLA by manipulating identifiers, the risks in microservices, and secure coding practices involving server-side authorization checks on every request. The article highlights compliance implications under GDPR and HIPAA, and prevention strategies including robust authorization logic, opaque identifiers, and automated API security testing to detect variants like insecure direct object references (IDOR). |
| 2026-04-17 | Code Execution via SSTI Ruby ERB (Invicti) | SSTI | Library for detecting Server-Side Template Injection (SSTI) in Ruby ERB. This vulnerability can allow an attacker to execute arbitrary code or system commands when template engine tags are used improperly in place of string literals. The library focuses on the risk of code execution when user-supplied data is directly included in templates. Developers should pass user-controlled parameters as template parameters rather than concatenating them directly into the template. |
| 2026-04-17 | JWT Forgery via unvalidated jku parameter (Invicti) | JWT | Library for detecting JWT forgery via unvalidated `jku` parameters, a vulnerability identified by Invicti. This flaw allows attackers to tamper with JWT payloads, leading to privilege escalation, user impersonation, or unintended application states. It can also facilitate blind SSRF attacks. Mitigation involves whitelisting allowed JWK URLs and disabling HTTP redirection for token retrieval. |
| 2026-04-16 | Out-of-Band XML External Entity (OOB XXE) | XXE | Writeup on Out-of-Band XML External Entity (OOB XXE) vulnerabilities, detailing how attackers exfiltrate sensitive data like `/etc/passwd` using attacker-controlled HTTP servers and external DTDs. It contrasts OOB XXE with blind XXE and provides a proof-of-concept example. The writeup emphasizes that disabling XML external entity processing and external DTD support, as recommended by OWASP, is the sole effective prevention against both in-band and OOB XXE attacks. |
| 2026-04-16 | SQL Injection Cheat Sheet - Invicti | SQLi | Library of SQL injection payloads and techniques for MySQL, Microsoft SQL Server, Oracle, PostgreSQL, and SQLite, offering detailed technical information and attack vectors. This resource is useful for penetration testers and developers interested in web application security, covering exploitation methods like UNION attacks, blind SQL injection with IF statements and CASE expressions, hex value usage, string concatenation, and error-based injection, and also noting the role of DAST tools like Invicti for automated detection. |
| 2026-04-11 | JWT Signature Bypass via unvalidated jku parameter | JWT | Technique for bypassing JWT signature verification using an unvalidated 'jku' parameter. This vulnerability allows attackers to control the JWK Set URL, enabling them to sign forged tokens with their own keys. Remediation involves strictly validating the 'jku' parameter against an allowlist of trusted URLs or disabling support for the parameter entirely, and disabling HTTP redirects when fetching JWKS. |
| 2026-04-11 | JWT Signature Bypass via kid Path Traversal | JWT | Technique for JWT signature bypass via 'kid' path traversal, where manipulating the Key ID header parameter with directory traversal sequences allows attackers to force the application to use an attacker-controlled file as the signing key. This bypasses authentication by enabling the creation of validly signed JWT tokens with arbitrary payloads. Remediation involves validating and sanitizing the 'kid' parameter using allowlisting or mapping tables, storing keys securely, and utilizing robust JWT libraries. |
| 2026-04-11 | JWT Signature Bypass via kid SQL injection | JWT | Vulnerability writeup detailing JWT Signature Bypass via `kid` SQL injection. This flaw arises when the `kid` header parameter is used to query a database for cryptographic keys without proper input sanitization, enabling attackers to inject SQL and forge JWTs. Remediation involves using parameterized queries, strict `kid` validation, secure error handling, and robust key management. |
| 2026-04-11 | OWASP Top 10 for LLMs 2025: Key Risks and Mitigation Strategies | AI | Survey of the OWASP Top 10 for LLM Applications (2025), detailing evolving technical and socio-technical risks like prompt injection and excessive agency. This updated list guides enterprises in securing generative AI ecosystems, from training pipelines to plugins, addressing data disclosure and systemic vulnerabilities relevant to GDPR, HIPAA, CCPA, and the EU AI Act. Invicti's proof-based scanning and LLM-specific checks are presented as tools to validate real risks and strengthen defenses. |
| 2026-04-10 | Broken Access Control: How to Detect and Prevent | AuthZ | Library of techniques for detecting and preventing broken access control vulnerabilities, the most impactful risk category in the OWASP Top 10. This resource details exploitation methods like vertical and horizontal privilege escalation, insecure direct object references (IDOR), and bypasses via predictable identifiers, parameter tampering, and path variations, offering best practices to mitigate these widespread security weaknesses. |
| 2026-04-10 | Preventing CSRF with the SameSite Cookie Attribute | CSRF | Reference detailing the SameSite cookie attribute for preventing Cross-Site Request Forgery (CSRF) attacks. It explains how cookies function and how browsers send them with third-party requests, enabling CSRF. The attribute, with 'Strict' and 'Lax' values, instructs browsers to control cookie transmission, mitigating attacks like those exploiting POST requests to sensitive endpoints. The entry also notes Netsparker's implementation of checks for this attribute. |
| 2026-04-10 | .NET JSON.NET Deserialization RCE | Deser | Library entry on a vulnerability in .NET's JSON.NET (Newtonsoft.Json) enabling Remote Code Execution through insecure deserialization settings. When `TypeNameHandling` is not set to `None`, attackers can craft malicious JSON payloads to instantiate arbitrary .NET classes, leading to RCE. Remediation involves disabling `TypeNameHandling` or implementing a `SerializationBinder` to whitelist allowed types, and validating JSON inputs. |
| 2026-04-10 | Insecure Deserialization in Web Applications | Deser | Library detailing insecure deserialization vulnerabilities in web applications and APIs. It explains the concepts of serialization and deserialization, highlighting risks associated with trusting unvalidated data. The entry specifically mentions Java deserialization with gadget chains and PHP's `unserialize` function, as well as Python's `pickle` module. Consequences like remote code execution and authentication bypass are discussed, along with mitigation strategies including input validation and dynamic application security testing (DAST). |
| 2026-04-03 | Rejetto HTTP File Server SSTI RCE (CVE-2024-23692) \| Invicti | RCE | Writeup of CVE-2024-23692, a Server-Side Template Injection (SSTI) vulnerability in Rejetto HTTP File Server (HFS) versions 2.3m and earlier. This flaw allows unauthenticated remote code execution via a malicious HTTP request. Remediation involves migrating to HFS 3.x, as version 2.x is end-of-life and unsupported. Compensating controls include network access restrictions, reverse proxy filtering, or temporary service shutdown. |
| 2026-04-03 | Server-Side Request Forgery (SSRF) \| Invicti | SSRF | Library detailing Server-Side Request Forgery (SSRF), a vulnerability (CWE-918) allowing attackers to trick a server into sending unintended requests. This can expose sensitive data, internal networks, and cloud credentials, as seen in the Capital One breach. The library covers SSRF exploitation techniques, including accessing localhost, internal IPs, and cloud metadata services via HTTP/S, file schemes, and insecure XML parsing, contrasting it with CSRF and outlining prevention strategies like URL validation and protocol restriction. |
| 2025-08-14 | Server-Side Request Forgery (SSRF) | SSRF | Library for understanding and preventing Server-Side Request Forgery (SSRF), a vulnerability (CWE-918) where an attacker manipulates user-supplied URLs to force an application server to make unintended requests to internal or external systems. The library covers SSRF targets like localhost, private IPs, and cloud metadata endpoints, as well as exploitation techniques using schemes like `file://`. It distinguishes SSRF from CSRF and highlights its increased relevance in cloud-native and API-heavy architectures, referencing the Capital One breach as a notable example. Prevention strategies include validating URLs, restricting protocols, and using allowlists. |