https://blog.abhipraya.dev/tags/owasp/Recent content in Owasp on Daffa AbhiprayaHugoen-us© Daffa AbhiprayaWed, 15 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w3-security/Wed, 15 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w3-security/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>Two weeks of security work that span the whole stack. Week 1 (2-8 Apr) closed two OWASP A01 (Broken Access Control) gaps — one in our own code, one caught during a teammate&rsquo;s code review — and added Sentry observability to Celery tasks so background job failures stop disappearing silently. Week 2 (9-15 Apr) patched a high-severity axios SSRF (GHSA-3p68-rc4w-qgx5) that <code>pnpm audit</code> caught in a routine MR pipeline. The pattern across the two weeks: fix boundaries in our own code, and keep dependencies patched via automated audit.</p>https://blog.abhipraya.dev/ppl/part-b/s2w2-security/Mon, 30 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w2-security/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>Two security-relevant features merged this week that directly address OWASP Top 10 vulnerabilities: blocking inactive accounts from authenticating (SIRA-215) and enforcing session limits with proper invalidation (SIRA-214). SAST results are now also surfaced automatically on every MR via the CI report system.</p> <hr> <h2 id="owasp-a07-authentication-failures"> <a class="anchor" href="#owasp-a07-authentication-failures" data-anchor="owasp-a07-authentication-failures" aria-hidden="true">#</a> OWASP A07: Authentication Failures </h2> <p>OWASP A07 covers broken authentication, including cases where deactivated or suspended accounts can still access the system. Before SIRA-215 (MR !104), deactivating a user in the admin panel only prevented login via the UI — a valid JWT issued before deactivation still passed every auth check.</p>https://blog.abhipraya.dev/ppl/part-b/s1w3-security/Fri, 13 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s1w3-security/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>This week addressed four security areas: JWT algorithm validation hardening (reviewed MR !63), encryption key management in CI (MR !68), client PII encryption in the database seeder (reviewed MR !80), and ongoing SAST scanning via the CI pipeline.</p> <h2 id="jwt-algorithm-validation-preventing-algnone-attacks"> <a class="anchor" href="#jwt-algorithm-validation-preventing-algnone-attacks" data-anchor="jwt-algorithm-validation-preventing-algnone-attacks" aria-hidden="true">#</a> JWT Algorithm Validation: Preventing alg:none Attacks </h2> <p>MR !63 (by adipppp, which I reviewed) hardened the JWT decoding logic against the <strong>alg:none attack</strong>, one of the most well-known JWT vulnerabilities (OWASP A07:2021, Identification and Authentication Failures).</p>