AYF*R
VOL. 1 · SECURITY EST. 2026

ARE YOU F* READY?

Appsec for developers. The fun way.

// POSTS
01 // BRIEF
FEATURED DOCKER KIT

The SQLi Killer: Parameterized Queries

The fix isn't filtering. It isn't escaping. Here's why parameterized queries actually stop SQL injection.

sqli · parameterized-queries · database · python
Apr 27, 2026 · 2 MIN
// DID YOU KNOW?

34,000+ Redis instances publicly exposed with no authentication
02 // POST
DOCKER KIT

26 Seconds. That's All It Took.

I stood up a honeypot with a default Redis config and exposed it. My first unauthorized connection came in 26 seconds.

redis · honeypot · recon
Apr 20, 2026 · 7 MIN
03 // POST
DOCKER KIT

The 3 Lines That Owned the Internal Network

A "fetch by URL" feature. Three lines of backend code. Full access to every internal service. This is what SSRF looks like in the wild.

ssrf · web · appsec
Apr 10, 2026 · 9 MIN
04 // POST

The JWT That Let Anyone Be Admin

The algorithm field in a JWT header isn't just metadata. Set it to 'none' and watch the signature check disappear entirely.

jwt · auth · web
Apr 5, 2026 · 6 MIN
"If it's smart, it's vulnerable."
— Mikko Hyppönen
05 // POST
DOCKER KIT

SQL Injection in 2026: Still Killing It

Twenty years after its discovery, SQLi is still in the OWASP Top 10. We walked through a live bug bounty target to show you why.

sqli · web · appsec
Mar 28, 2026 · 8 MIN
PARTNER

WEB SECURITY ACADEMY

Free. No BS. Learn it by breaking it.

portswigger.net/web-security →
06 // POST
DOCKER KIT

How I Got RCE from a File Upload

rce · web
Mar 15, 2026 · 7 MIN
07 // POST

The XSS That Stole the Session

A stored XSS in a comment field. A session cookie without HttpOnly. A script that ran silently and sent it all home.

xss · web · appsec
Mar 1, 2026 · 5 MIN
08 // POST
DOCKER KIT

Privilege Escalation: From Nobody to Root

You've got a shell as www-data. Now what? A misconfigured SUID binary, a writable cron job, and five minutes later you're root.

privesc · linux · post-exploitation
Feb 20, 2026 · 10 MIN
09 // POST

Why Your CORS Config Is a Backdoor

Access-Control-Allow-Origin: * on an authenticated API. The browser will stop the request. A script running on evil.com won't.

cors · web · appsec
Feb 8, 2026 · 6 MIN
10 // POST

The Subdomain That Came Back to Haunt

The team deleted the S3 bucket but forgot the DNS record. Three months later, someone else claimed the bucket and owned the subdomain.

recon · cloud · appsec
Jan 25, 2026 · 5 MIN