Traces why anti-bot vendors compile fingerprinting and proof-of-work logic into WebAssembly, what a wasm module hides that minified JS cannot, and how far the wasm decompiler toolchain has caught up by 2026.
A reference on the two staple transforms in obfuscated anti-bot JavaScript: the dispatcher-driven flattened state machine and the rotated, encrypted string array, and how deobfuscators undo both.
Traces how Anubis gates HTTP requests behind a browser-solved SHA-256 proof-of-work puzzle: the challenge construction, the JWT cookie, the Mozilla heuristic, the FOSS adoption wave, and why native solvers undercut it.
A primary-source walk through decoding undocumented binary protocols: the protobuf wire format byte by byte, why a schema-less payload is still half-readable, MessagePack's self-describing prefixes, gRPC framing, and the tooling that reconstructs structure.
How to observe obfuscated JavaScript at runtime with CDP: setting breakpoints by URL and on exceptions, reading call frames, evaluating in a paused context, and tracing property access with Proxy wrappers.
Traces the anti-analysis layer inside anti-bot JavaScript: the debugger statement, timing checks, devtools-open detection, toString integrity checks, and self-defense against hooking, plus the moves analysts use to counter each one.
A reference on web application firewalls: positive vs negative security models, signature and parser-based matching, the CRS anomaly-scoring system and its paranoia levels, where a WAF sits in the request path, and how false positives get tuned away.
Traces why signature-based WAFs are bypassable in principle: encoding and normalization gaps, payload fragmentation, parser differentials between the firewall and the backend, and the structural case for positive security.
A reference deep dive into the OWASP Core Rule Set: its rule categories, the anomaly-scoring model, paranoia levels, the ModSecurity and Coraza engines that run it, and how the project got here.
Traces how HTTP/1.1's two ways of measuring a request body let a front-end and back-end disagree on where one request ends, how CL.TE and TE.CL desync turns that into socket poisoning, and what actually fixes it.
Traces how HTTP/2-to-HTTP/1.1 downgrading reintroduces request smuggling through H2.CL and H2.TE desync, why a binary length field stops protecting the message the moment an edge rewrites it, and what 2025 research showed is still unfixed.
Traces how server-side request forgery reaches the EC2 metadata endpoint at 169.254.169.254, how that exact chain exposed 106 million Capital One records in 2019, and how IMDSv2's session-token design closes the door.
Traces web cache deception from Omer Gil's 2017 PayPal disclosure through the 2020 and 2022 measurement studies to the 2024 delimiter research, and the defenses that actually close the cache-versus-origin gap.
Traces the same-origin policy from Netscape 1995 to RFC 6454, then how CORS relaxes it through preflights and Access-Control headers, the misconfigurations that break it, and where the model stands in 2026.
A primary-source reference for the cookie security attributes: what HttpOnly, Secure, SameSite, Domain, and Path each enforce, why the __Host-/__Secure- prefixes exist, and the gaps each one leaves behind.
A reference on CSP: the directive and source-list model, nonces, hashes and strict-dynamic, report-only mode, the Google study that showed most real-world policies were bypassable, and why retrofitting a strict policy is so painful.
Traces how the integrity attribute verifies a third-party script against a cryptographic hash, the compromised-CDN tampering it stops, the dynamic-resource gap it cannot close, and why adoption stayed in single digits.
A single-incident deep dive into the June 2024 Polyfill.io attack: the February domain sale, the conditional payload injected into hundreds of thousands of sites, the evasion logic that hid it, and the takedown that followed.
Two npm supply-chain cases dissected: the 2018 event-stream maintainer handoff that smuggled a Copay wallet stealer through flatmap-stream, and the 2022 node-ipc protestware that wiped files in Russia and Belarus.
A single-incident deep dive into CVE-2024-3094: the multi-year social engineering of the xz maintainer, the obfuscated build-time backdoor planted into sshd, and the 500-millisecond timing anomaly that exposed it.
How Alex Birsan's 2021 research turned the name of a private package into remote code execution at 35 companies, why installers prefer the higher public version, and the scoping defenses that close the gap.
Traces how injected JavaScript skimmers lift card data from checkout pages, what the British Airways and Newegg code actually did, the third-party-script vectors, and the SRI, CSP, and PCI DSS 4.0 defenses.
Traces how a browser or plugin bug turned a page visit into code execution: the redirect chain, landing-page fingerprinting, the Flash and Java exploit-kit economy of 2010-2016, and the decline as browsers and Adobe killed the attack surface.
A primary-source history of the exploit-kit era: the fingerprint-then-exploit flow, the rental economy behind Angler, Nuclear, RIG and Magnitude, the 2016 Angler takedown, and the collapse that followed Flash's death.