AppSec vulnerabilities
The AppSec slice of Stateward's threat feed: 30 curated incidents and attack techniques, each explaining how it happened and how to avoid it in your own code.
30 AppSec entries · 30 curated · part of 476 total advisories
- MEDIUM · AppSec · APPSEC-SOURCEMAP-DISCLOSURE · AppSec · Web · Client-side source maps in production
A source map (.map) is a build artifact that maps minified bundle code back to the original source, and bundlers embed the full original code in its sourcesContent field. Left reachable in production or shipped inside a package, it hands anyone the unminified codebase, internal comments, hidden API endpoints, auth logic, and any secrets that were compiled in. Discovery is trivial: open DevTools and read the Sources tab, request the bundle's .map URL directly, or Google-dork for ext:map intext:webpack, then reconstruct the whole project with a tool like unwebpack-sourcemap. Passive scanners such as Acunetix and Burp already flag it as a standalone finding. It is usually rated medium on its own but escalates fast when the recovered source contains live credentials or undocumented endpoints; exposed Webpack source maps have leaked hardcoded Stripe secret keys that enabled unauthorized payments. High-profile cases include Apple's App Store web front-end in November 2025, shipped with source maps still enabled, and Anthropic's Claude Code, whose entire TypeScript source leaked via a source map left in a published npm package in March 2026.
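A release-gate check for the exposure described above, added here as an example and not code from the feed or from any bundler: it scans a build's output for .map files, sourceMappingURL comments and inline data-URI maps, and flags maps that embed sourcesContent. The dist/ contents are a constructed in-memory sample with placeholder values.

```javascript
// Added example: audit a build output directory (modelled as an in-memory path -> content map)
// for source-map exposure before it is deployed. Not code from the feed or from any bundler.

// Matches `//# sourceMappingURL=...` (JS) and `/*# sourceMappingURL=... */` (CSS); `//@` is the legacy form.
const SOURCEMAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=([^\s*]+)/;

function auditBuildOutput(files) {
  const findings = [];
  for (const [file, content] of Object.entries(files)) {
    if (file.endsWith('.map')) {
      // A reachable .map is a finding by itself; one carrying sourcesContent hands over the full source.
      let map = null;
      try { map = JSON.parse(content); } catch { /* not JSON: still report the file */ }
      const embedsSource = Boolean(map && Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean));
      findings.push({
        file,
        kind: embedsSource ? 'map-with-sourcesContent' : 'map-file',
        severity: embedsSource ? 'high' : 'medium',
      });
      continue;
    }
    const m = SOURCEMAP_COMMENT.exec(content);
    if (!m) continue;
    if (m[1].startsWith('data:')) {
      // Inline map: the whole original source ships inside the bundle itself.
      findings.push({ file, kind: 'inline-data-uri-map', severity: 'high' });
    } else {
      // Pointer to an external map: a direct request for m[1] fetches it if it was deployed too.
      findings.push({ file, kind: 'sourceMappingURL-comment', severity: 'medium', target: m[1] });
    }
  }
  return findings;
}

// Gate: any finding blocks the release; maps belong in an internal error-tracking upload, not in dist/.
function releaseBlocked(files) {
  return auditBuildOutput(files).length > 0;
}

// Constructed sample dist/ (values are placeholders, not real secrets).
const SAMPLE_DIST = {
  'app.js': 'console.log("hi");\n//# sourceMappingURL=app.js.map\n',
  'app.js.map': JSON.stringify({
    version: 3,
    sources: ['src/auth.ts'],
    sourcesContent: ['const API_KEY = "PLACEHOLDER_SECRET"; // leaks with the map'],
    mappings: 'AAAA',
  }),
  'vendor.js.map': JSON.stringify({ version: 3, sources: ['node_modules/x/index.js'], mappings: 'AAAA' }),
  'vendor.js': 'function a(){}\n//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozfQ==\n',
  'styles.css': 'body{margin:0}\n/*# sourceMappingURL=styles.css.map */\n',
  'clean.js': 'console.log("no map here");\n',
};
```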
- HIGH · AppSec · exploited · APPSEC-GRAPHQL-ABUSE · API · GraphQL API abuse (batching/aliasing/introspection)
GraphQL servers expose three abuse primitives stemming from the query language's flexibility. Leaving introspection enabled lets any client send a __schema query and recover the entire type system, including internal admin mutations and deprecated fields, providing a map of the attack surface (OWASP API8/API2). Because per-request rate limiters count one HTTP request regardless of operations inside it, an attacker can use field aliasing (e.g. attempt0:login(...), attempt1:login(...)) or array batching to pack dozens of login or verifyOtp mutations into a single request, brute-forcing credentials or short OTP/2FA codes while the rate limiter sees only one request; this aliasing-bypass technique is reproduced in the PortSwigger Web Security Academy 'Bypassing GraphQL brute force protections' lab and Wallarm's GraphQL batching research. Deeply nested or recursive queries cause an exponential explosion of resolver and database calls, exhausting CPU, memory and connection pools for denial of service, the core of OWASP API4:2023 Unrestricted Resource Consumption. HackerOne has disclosed a real GraphQL authentication-bypass finding, and Apollo Server v4 disabled array batching by default in response to these attacks.
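The counting a gateway needs in order to limit operations rather than HTTP requests, written here as an added example (not from the feed, PortSwigger or Apollo): it totals root-level fields across aliases and batched documents, tallies calls to sensitive operations, and flags introspection. The operation names `login` and `verifyOtp` come from the entry above; `resetPassword` and the thresholds are assumptions, and the scanner is a minimal substitute for a real parser such as graphql-js.

```javascript
// Added example: count what a GraphQL request actually does (root-level fields, including aliased
// repeats, across every document in a batched array) so limits apply per operation, not per HTTP
// request. Minimal scanner, not a full parser: assumes syntactically valid documents; a production
// gateway would apply the same counting to the AST from the real parser.
const SENSITIVE_FIELDS = new Set(['login', 'verifyOtp', 'resetPassword']); // assumed operation names

// Returns the text of the root selection set only: strings, comments, argument lists and nested
// selection sets are dropped, so what remains is e.g. " attempt0: login  attempt1: login ".
function rootSelectionText(doc) {
  let depth = 0, paren = 0, out = '';
  for (let i = 0; i < doc.length; i++) {
    const c = doc[i];
    if (c === '"') {                                   // skip string literals
      i++;
      while (i < doc.length && doc[i] !== '"') { if (doc[i] === '\\') i++; i++; }
      continue;
    }
    if (c === '#') { while (i < doc.length && doc[i] !== '\n') i++; continue; } // comment
    if (c === '(') { paren++; continue; }
    if (c === ')') { paren--; continue; }
    if (paren > 0) continue;                           // inside arguments / variable definitions
    if (c === '{') { depth++; out += ' '; continue; }
    if (c === '}') { depth--; out += ' '; continue; }
    if (depth === 1) out += c;
  }
  return out;
}

// Root fields as { alias, name } pairs; fragment spreads and directives are ignored.
function rootFields(doc) {
  const text = rootSelectionText(doc)
    .replace(/\.\.\.\s*(on\s+\w+|\w+)?/g, ' ')   // "... on Type" / "...Fragment" spreads
    .replace(/@\w+/g, ' ');                      // directives such as @include
  const fields = [];
  const re = /(?:(\w+)\s*:\s*)?(\w+)/g;
  let m;
  while ((m = re.exec(text)) !== null) fields.push({ alias: m[1] || null, name: m[2] });
  return fields;
}

function assessGraphqlBody(body, opts = {}) {
  const { maxRootFields = 10, maxSensitiveCalls = 1, allowIntrospection = false } = opts;
  const docs = Array.isArray(body) ? body : [body];         // array body = batched request
  const report = { documents: docs.length, rootFields: 0, sensitiveCalls: 0, introspection: false, reasons: [] };
  for (const doc of docs) {
    const fields = rootFields(String((doc && doc.query) || ''));
    report.rootFields += fields.length;                      // the number a rate limiter should count
    report.sensitiveCalls += fields.filter((f) => SENSITIVE_FIELDS.has(f.name)).length;
    if (fields.some((f) => f.name === '__schema' || f.name === '__type')) report.introspection = true;
  }
  if (report.rootFields > maxRootFields) report.reasons.push(`root fields ${report.rootFields} > ${maxRootFields}`);
  if (report.sensitiveCalls > maxSensitiveCalls) report.reasons.push(`sensitive calls ${report.sensitiveCalls} > ${maxSensitiveCalls}`);
  if (report.introspection && !allowIntrospection) report.reasons.push('introspection disabled in production');
  report.allowed = report.reasons.length === 0;
  return report;
}

// Constructed sample request bodies.
const NORMAL_BODY = { query: 'query { me { id name } }' };
const INTROSPECTION_BODY = { query: '{ __schema { types { name } } }' };
const ALIASED_BODY = {
  query: 'mutation {\n' + Array.from({ length: 20 }, (_, i) =>
    `  attempt${i}: login(username: "bob", otp: "${String(i).padStart(6, '0')}") { token }`).join('\n') + '\n}',
};
const BATCHED_BODY = Array.from({ length: 5 }, (_, i) =>
  ({ query: `mutation { login(username: "bob", otp: "00000${i}") { token } }` }));
```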
- HIGH · AppSec · exploited · APPSEC-RACE-TOCTOU · Web app · Business-logic race condition / TOCTOU
A business-logic race condition exploits the brief window between a check on shared state and the act that mutates it (time-of-check to time-of-use), letting concurrent requests each pass the same check before any of them commits, so a limited resource is consumed more times than allowed (OWASP API6:2023, Unrestricted Access to Sensitive Business Flows). The vulnerable code is any check-then-act sequence on shared state without atomic database-level locking: validate a single-use coupon or gift card then redeem it, check a balance then withdraw or transfer, or verify a one-per-user limit then grant. Firing many near-simultaneous requests collapses the state machine and redeems one coupon multiple times, withdraws the same balance twice, or bypasses a per-user cap. James Kettle's 'Smashing the state machine: the true potential of web race conditions' (PortSwigger, published 9 August 2023, presented at Black Hat USA and DEF CON 31) introduced the single-packet attack, which withholds the final HTTP/2 frames of 20-30 requests and releases them in one TCP packet, neutralizing network jitter and squeezing arrivals into a sub-millisecond window so the race becomes reliably exploitable.
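A deterministic model of the check-then-act race beside its atomic fix, added as an example that is not code from the feed or from PortSwigger: requests are generators that yield at each database round-trip, and a round-robin scheduler interleaves them the way near-simultaneous arrival does. The coupon store, its code `WELCOME10` and the SQL in the comments are constructed for illustration.

```javascript
// Added example (not from the feed): a deterministic model of the race. Requests are generator
// functions that yield at every database round-trip; runConcurrently() interleaves them round-robin,
// which is what near-simultaneous arrival (e.g. the single-packet attack) produces in practice.
class CouponStore {
  constructor() { this.rows = new Map(); }
  create(code) { this.rows.set(code, { code, used: false, redemptions: 0 }); }
  // SELECT ... : returns a snapshot that may be stale by the time the caller acts on it.
  get(code) { return { ...this.rows.get(code) }; }
  // UPDATE coupons SET used = 1 WHERE code = ?  (unconditional)
  markUsed(code) { const row = this.rows.get(code); row.used = true; row.redemptions += 1; return 1; }
  // UPDATE coupons SET used = 1 WHERE code = ? AND used = 0  -> affected rows (0 or 1).
  // Check and mutation are one indivisible statement, so only one caller can ever win.
  markUsedIfUnused(code) {
    const row = this.rows.get(code);
    if (row.used) return 0;
    row.used = true; row.redemptions += 1;
    return 1;
  }
}

// VULNERABLE: check-then-act across two round-trips (time of check != time of use).
function* redeemCheckThenAct(store, code) {
  const coupon = yield store.get(code);      // round-trip 1: read
  if (coupon.used) return false;
  yield store.markUsed(code);                // round-trip 2: write, based on a possibly stale read
  return true;
}

// FIXED: one conditional update; success is decided by the affected-row count.
function* redeemAtomic(store, code) {
  const affected = yield store.markUsedIfUnused(code);
  return affected === 1;
}

// Round-robin scheduler: every request advances one round-trip before any request advances two.
function runConcurrently(requests) {
  const state = requests.map((gen) => ({ gen, input: undefined, done: false, value: undefined }));
  let active = state.length;
  while (active > 0) {
    for (const r of state) {
      if (r.done) continue;
      const step = r.gen.next(r.input);
      if (step.done) { r.done = true; r.value = step.value; active -= 1; }
      else r.input = step.value;            // value "returned by the database" on the next resume
    }
  }
  return state.map((r) => r.value);
}

// Fire n concurrent redemptions of one single-use coupon; report how many succeeded and how many
// times the store actually recorded a redemption.
function raceRedeem(redeemFn, n = 20) {
  const store = new CouponStore();
  store.create('WELCOME10');
  const outcomes = runConcurrently(Array.from({ length: n }, () => redeemFn(store, 'WELCOME10')));
  return { succeeded: outcomes.filter(Boolean).length, redemptions: store.rows.get('WELCOME10').redemptions };
}
```

The same conditional-update shape applies to balances (`WHERE balance >= ?`) and per-user caps; where a single statement cannot express the rule, a transaction with a row lock (`SELECT ... FOR UPDATE`) serialises the check and the act instead.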
- CRITICAL · AppSec · exploited · APPSEC-NOAUTH-2023 · Web app · Microsoft Entra ID (Azure AD) OAuth/OIDC apps
nOAuth, disclosed by Descope's security team on June 20, 2023 (reported to Microsoft on April 11, 2023), is a cross-tenant account-takeover class in multi-tenant Microsoft Entra ID (Azure AD) OAuth applications, mapping to OWASP API2:2023 Broken Authentication. The flaw existed because Entra ID emitted an 'email' claim in the OIDC token that was both mutable and unverified, while applications used that email rather than the immutable 'sub'/'oid' claim to identify and link the signed-in user. An attacker who controlled their own Entra tenant could set the email attribute of an attacker account to a victim's email address, then use 'Log in with Microsoft' against any vulnerable app; the app merged accounts by the spoofed email and granted full control of the victim's account, requiring no interaction from the victim. Descope confirmed real exposure in major SaaS apps including a design platform with millions of monthly users. Microsoft mitigated by no longer emitting unverified email claims by default for app registrations created after June 2023 and added the xms_edov claim and a RemoveUnverifiedEmailClaim flag.
- HIGH · AppSec · APPSEC-TMOBILE-API-2023 · API · Telecom · T-Mobile
On January 19, 2023 T-Mobile disclosed in an SEC 8-K filing that an attacker had abused a single API to obtain data on roughly 37 million current postpaid and prepaid customer accounts, with access beginning on or around November 25, 2022 and continuing about six weeks until detection on January 5, 2023 and cutoff a day later. The exposed fields included names, billing addresses, emails, phone numbers, dates of birth, account numbers, and plan features; T-Mobile stated no passwords, payment card data, Social Security numbers, or government IDs were taken. T-Mobile only stated that a bad actor obtained data through a single API without authorization, without publishing the low-level mechanism; the security-community consensus reconstruction is Broken Object Level Authorization (BOLA/IDOR), where the API returned per-customer records without verifying the caller was authorized for that specific object, letting the attacker walk through customer identifiers at scale. The mechanism maps to BOLA via a user-controlled key, or, if the endpoint lacked authorization entirely, to missing authorization.
- CRITICAL · AppSec · APPSEC-AUTO-API-2023 · API · Automotive · Automaker telematics APIs (Kia, Hyundai, BMW, Ferrari, and more)
On January 3, 2023 Sam Curry and a team of researchers published Web Hackers vs. The Auto Industry, documenting critical API authorization flaws across about 16 automakers including Kia, Hyundai, Honda, Nissan, Acura, Infiniti, BMW, Ferrari, Porsche, Rolls Royce and Mercedes-Benz, plus telematics providers such as SiriusXM Connected Vehicle Services and Spireon. The connected-car APIs treated the VIN, which is visible through the windshield and effectively public, as an object identifier without verifying the caller actually owned the vehicle, a Broken Object Level Authorization flaw. Using only a target VIN, researchers could enroll a vehicle to an attacker account or bypass ownership checks and then remotely unlock, start, locate, honk, and track vehicles, achieving full account takeover. Several manufacturers also had Broken Function Level Authorization and misconfigured SSO/OTP endpoints exposing internal dealer portals. The work maps to OWASP API1:2023 (BOLA) and API5:2023 (BFLA).
- CRITICAL · AppSec · APPSEC-OPTUS-2022 · API · Telecom · Optus
On September 22, 2022 Australian telco Optus disclosed a breach exposing the personal data of around 9.8 million current and former customers (the figure regulators later litigated as approximately 9.5 million), including names, dates of birth, addresses, phone numbers, email addresses, and passport, driver licence and Medicare numbers. The data was served by an internet-facing API endpoint (api.www.optus.com.au) that required no authentication, and customer records were keyed by a sequential, enumerable contactId. An attacker could iterate the identifier (contactId + 1) with a simple script and pull every customer record, combining broken/missing authentication with Broken Object Level Authorization via a user-controlled key. The ACMA alleged an access-control coding error introduced around 2018 weakened the API; Optus fixed the same flaw on its main domain in August 2021 but never on the exposed sub-domain. Regulators characterised the attack as not highly sophisticated.
- HIGH · AppSec · APPSEC-SHADOW-API · API · Improper inventory management (shadow/zombie APIs)
Improper Inventory Management is the failure to maintain a complete, current inventory of deployed API hosts, versions and endpoints, leaving undocumented 'shadow' APIs and deprecated-but-still-running 'zombie' APIs reachable (OWASP API9:2023). The mechanism is divergence between what is documented or patched and what is actually exposed: an old /v1 left online after /v2 ships, a debug or staging host, or an unretired beta keeps serving traffic while lacking the authentication, authorization, rate limiting and security fixes of the current version, so an attacker who enumerates version paths or subdomains by guessing, fuzzing or brute force targets the weakest exposed surface. Salt Security research indicates a large share of deployed APIs do not match their documentation. The canonical case is the September 2022 Optus breach in Australia: an unauthenticated API endpoint exposed on a secondary/older domain, where an access-control fix applied to the main site was never propagated, remained reachable and leaked PII for roughly 9.5 million customers.
- CRITICAL · AppSec · exploited · APPSEC-COINBASE-TRADE-LOGIC-2022 · API · Finance · Coinbase Retail Advanced Trading API
In February 2022, a researcher known as Tree of Alpha reported a business-logic flaw in Coinbase's Retail Advanced Trading API through HackerOne, earning a $250,000 bounty that Coinbase described as its largest ever. Coinbase stated the underlying cause was a missing logic validation check in a Retail Brokerage API endpoint that allowed a user to submit trades to a particular order book using a mismatched source account. Because the order-validation logic never verified that the named source account actually held the asset being sold, a user could place sell orders for a cryptocurrency they did not own; the reproduction example sold one asset while sourcing it from an account holding a different token. This maps to OWASP API6:2023 Unrestricted Access to Sensitive Business Flows, an improper-validation business-logic error rather than a missing cryptographic or session control. Coinbase reproduced the bug, halted retail advanced trading into cancel-only mode within an hour of the report, and validated a patch the same day.
- CRITICAL · AppSec · exploited · APPSEC-PATH-TRAVERSAL · Web app · Path Traversal / LFI
Path traversal (and its include-side variant, Local File Inclusion) occurs when an application builds a filesystem path from user input without canonicalizing and validating it, so sequences like ../ or their URL-encoded forms (%2e%2e%2f) walk out of the intended base directory to read or include arbitrary files such as /etc/passwd or application source. The root cause at the code level is concatenating untrusted input into a path and resolving it before checking that the final canonical path stays within an allowed root. CVE-2021-41773, disclosed 5 October 2021 and rated CVSS 9.8, was a path traversal in Apache HTTP Server 2.4.49 caused by a flawed change to URL path normalization that failed to decode and reject encoded dot-segments; requests mapping outside Alias-configured directories disclosed files, and where mod_cgi was enabled it escalated to remote code execution. It was mass-exploited in the wild within days and the incomplete 2.4.50 fix led to CVE-2021-42013. This class maps to OWASP A01:2021 Broken Access Control.
- MEDIUM · AppSec · APPSEC-PELOTON-API-2021 · API · Peloton
On May 5, 2021 Pen Test Partners researcher Jan Masters and TechCrunch publicly disclosed that Peloton's API exposed the private account data of its users, having been reported privately to Peloton on January 20, 2021. The API had endpoints, including a workout-details POST endpoint, a user-search GET endpoint, and GraphQL endpoints, that performed no authorization checks: unauthenticated requests returned account data such as user IDs, location/city, age, gender, weight, workout statistics, birthday, and group/studio attendance, even for users who had set their profiles to private, because the privacy flag was not enforced at the API layer. This is a missing/insufficient-authorization flaw on an API serving over 3 million subscribers' data. A partial fix on February 2, 2021 only restricted the API to authenticated Peloton members, so anyone willing to create an account could still pull any other user's private data until the full fix around early May.
- HIGH · AppSec · APPSEC-EXPERIAN-API-2021 · API · Finance · Experian (Experian Connect API)
On 28 April 2021 KrebsOnSecurity reported that researcher Bill Demirkapi had found an unnamed student-loan lender's website performing credit checks via the Experian Connect API in a way that exposed the credit scores of tens of millions of Americans. The lender's loan-eligibility form took only a consumer's first name, last name, mailing address, and date of birth and used them to query Experian's API for an automated FICO lookup. The API enforced no meaningful authentication, and entering all zeros in the date-of-birth field still returned a result, so in practice only a name and address were required. For each consumer the API returned the credit score plus up to four 'risk factors' explaining why the score was not higher, which Demirkapi automated into bulk lookups. This maps to OWASP API2 Broken Authentication (no real auth on the endpoint, defeated by the date-of-birth bypass) combined with Excessive Data Exposure. Contrary to some accounts, no client-side API key was leaked; the flaw was missing authentication, not a leaked credential. Experian fixed the specific endpoint, while Demirkapi warned other lender integrations remained unsecured.
- CRITICAL · AppSec · exploited · ransomware · APPSEC-CMDI · Web app · OS Command Injection
OS command injection occurs when user-controlled input reaches a function that spawns an operating-system shell, so shell metacharacters such as ; | & $() or backticks let an attacker append or substitute their own commands; calling a shell-interpreting API like system(), exec with shell=true, or backticks on a string built from input executes the injected command with the server process's privileges. It maps to OWASP A03:2021 Injection (CWE-78). A landmark mass-exploited case is GitLab CVE-2021-22205, disclosed April 14, 2021: GitLab passed uploaded images to ExifTool, whose mishandling of malicious DjVu metadata (CVE-2021-22204) allowed command injection. Rescored to CVSS 10.0 once confirmed unauthenticated, it gave remote code execution as the git user and was widely exploited in the wild, including for botnets, cryptomining, and ransomware staging.
- HIGH · AppSec · APPSEC-PARLER-2021 · API · Social · Parler
Between 9 and 11 January 2021, as Parler was being deplatformed from Apple's App Store, Google Play and AWS following the 6 January Capitol riot, archivists led by the researcher known as donk_enby scraped roughly 99.9% of the platform before it went offline, capturing on the order of 70 TB of data including about 1.1 million videos along with public posts, photos and user data. Parler exposed API endpoints that served public posts and raw media without requiring any authentication, and post and object identifiers were sequential, so the archivists simply incremented IDs to enumerate and harvest the entire site. There was no rate limiting, allowing high-speed bulk extraction, and media files were served raw with EXIF and GPS metadata intact, while deleted posts were only flagged as deleted rather than removed and remained retrievable. The core flaw maps to OWASP API1 Broken Object Level Authorization (sequential IDs with no authorization check) combined with API4 Unrestricted Resource Consumption from the missing rate limiting, with Excessive Data Exposure in the unstripped media metadata.
- CRITICAL · AppSec · exploited · APPSEC-DESERIAL · Web app · Insecure Deserialization
Insecure deserialization occurs when an application reconstructs objects from attacker-controlled serialized data without validating it, so the deserializer instantiates arbitrary types and invokes their lifecycle/magic methods (Java readObject, .NET ISerializable/SetObjectData, PHP __wakeup); attackers chain these side effects through pre-existing library classes, or gadget chains, to reach a sink that executes code without the application ever calling a dangerous function directly. It maps to OWASP A08:2021 Software and Data Integrity Failures (CWE-502). The 2015 disclosure by Chris Frohoff and Gabriel Lawrence ('Marshalling Pickles') and the ysoserial tool weaponized Apache Commons Collections gadget chains via InvokerTransformer, exposing thousands of Java apps. A landmark exploited case is Telerik UI for ASP.NET AJAX CVE-2019-18935 (CVSS 9.8), a .NET deserialization flaw in the RadAsyncUpload component that CISA reported (AA23-074A) was used by threat actors to breach a US federal civilian agency's IIS server between November 2022 and January 2023.
- HIGH · AppSec · APPSEC-3FUN-2019 · API · Social · 3fun
On 8 August 2019 Pen Test Partners (researcher Alex Lomas) publicly disclosed that the 3fun dating app, which claimed about 1.5 million users, was leaking the precise location and private profile data of its users. The app collected real-time GPS coordinates and let users hide their location, but that privacy setting was enforced client-side only, hidden purely in the mobile app interface. The server's API endpoint still returned each user's exact latitude and longitude plus private profile data including dates of birth, sexual preferences, chat information and private photos stored in Amazon S3, regardless of the user's privacy settings. Because an attacker could spoof arbitrary coordinates and read raw coordinates directly from the response, no trilateration was even necessary, and Pen Test Partners located users at the White House, US Supreme Court and 10 Downing Street. This is a classic Excessive Data Exposure flaw, the read side of Broken Object Property Level Authorization (OWASP API3:2023), where the server returns sensitive object properties the client should never receive and relies on the client to filter them. 3fun pushed a fix roughly a week after notification.
- HIGH · AppSec · APPSEC-REQUEST-SMUGGLING · Web app · HTTP Request Smuggling
HTTP request smuggling (desync) happens when a front-end proxy and a back-end server reuse a TCP connection but disagree on where one HTTP request ends and the next begins, usually because one trusts the Content-Length header and the other trusts Transfer-Encoding: chunked. In a CL.TE attack the front-end uses Content-Length while the back-end uses Transfer-Encoding, so bytes the front-end considers part of the body are parsed by the back-end as the start of a second request; TE.CL is the inverse, often achieved by obfuscating the Transfer-Encoding header so only one server honors it. The smuggled prefix poisons the shared socket and is prepended to the next user's request, enabling cache poisoning, request hijacking, credential capture, and security-control bypass. James Kettle (PortSwigger) reintroduced and weaponized this class in 'HTTP Desync Attacks: Request Smuggling Reborn,' presented at Black Hat USA on 7 August 2019, with documented bounties against PayPal and others. The root cause is ambiguous message-boundary parsing across a server chain; CWE-444.
- CRITICAL · AppSec · APPSEC-API-SSRF · API · API Server-Side Request Forgery
Server-Side Request Forgery occurs when an API fetches a remote resource using a user-supplied URL without validating it, so the server is coerced into issuing requests to attacker-chosen destinations (OWASP API7:2023). The vulnerable pattern appears wherever an API accepts a URL it will dereference server-side: webhook targets, link preview/unfurl, import-from-URL, PDF or image rendering, and profile-picture fetch. Because the request originates from inside the trust boundary, an attacker can reach internal-only services, perform port scanning via response-timing differences, or hit the cloud instance metadata endpoint at 169.254.169.254 to exfiltrate the instance role's temporary credentials. The canonical impact is the July 2019 Capital One breach, where an SSRF flaw in a WAF component was used to query the EC2 IMDSv1 metadata service, steal the WAF role credentials, and read about 106 million records from S3; AWS shipped IMDSv2 in November 2019 partly in response. Modern bug-bounty SSRF-to-metadata cases follow the same mechanism.
- CRITICAL · AppSec · APPSEC-PROTOTYPE-POLLUTION · Web app · Prototype Pollution
Prototype pollution is a JavaScript-specific flaw where attacker-controlled keys such as __proto__, constructor, or prototype reach a recursive object-merge, clone, or path-set operation that writes to Object.prototype instead of an own property, so the injected property silently appears on every object in the runtime. The code-level mechanism is an unsafe deep-merge that recurses on keys without checking for these magic names, for example assigning target[key] when key is __proto__; this enables denial of service, property injection that flips security flags, and gadget chains to remote code execution. CVE-2019-10744 (published 25 July 2019, CVSS 9.1) affected lodash before 4.17.12: its defaultsDeep could be tricked with a payload nesting constructor.prototype because the safe-get path did not block the constructor key, polluting Object.prototype globally. A related real exploit, CVE-2019-7609 in Kibana's Timelion, chained prototype pollution via __proto__ to set Node child_process options and achieve full remote code execution. Prototype pollution maps to CWE-1321.
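The unsafe deep-merge described above beside a hardened one, added as an example that is not code from the feed, lodash or Kibana: both are exercised with the `__proto__` payload and the `constructor.prototype` payload parsed from JSON, and a helper reports whether a fresh, unrelated object picked up the injected property. The payloads are constructed; `isAdmin` is a placeholder for whatever flag the application trusts.

```javascript
// Added example (not from the feed, lodash or Kibana): an unsafe deep merge of the kind described
// above beside a hardened one, exercised with both the __proto__ and the constructor.prototype payloads.
const isObjectLike = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');

// VULNERABLE: recurses on every key of the source, so `__proto__` resolves to Object.prototype
// (via the inherited accessor) and `constructor` resolves to the Object function, whose
// `prototype` is again Object.prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isObjectLike(value)) {
      if (!isObjectLike(target[key])) target[key] = {};
      unsafeMerge(target[key], value);          // target['__proto__'] === Object.prototype here
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// HARDENED: own keys only, the three magic names are never descended into, and recursion only
// continues into a property the target itself owns as a plain object.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payloads, parsed from JSON exactly as they would arrive in a request body.
// JSON.parse creates an *own* property literally named "__proto__", which for-in and Object.keys both see.
const PROTO_PAYLOAD = JSON.parse('{"__proto__": {"isAdmin": true}}');
const CTOR_PAYLOAD = JSON.parse('{"constructor": {"prototype": {"isAdmin": true}}}');

// Merge the payload into an empty object, then ask whether a brand-new, unrelated object now
// carries isAdmin. Cleans up afterwards so the runtime is not left polluted.
function pollutes(mergeFn, payload) {
  try {
    mergeFn({}, payload);
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}
// Defence in depth independent of merge code: Object.freeze(Object.prototype) at startup, or keep
// request-derived configuration in Object.create(null) objects that have no prototype to pollute.
```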
- HIGH · AppSec · exploited · APPSEC-INSTAGRAM-OTP-BRUTEFORCE-2019 · API · Instagram (Meta) mobile password recovery
In 2019, researcher Laxman Muthiyah found an account-takeover flaw in Instagram's mobile password-recovery flow, which Facebook rewarded with a $30,000 bounty, mapping to OWASP API4:2023 Unrestricted Resource Consumption combined with broken authentication. The flow sent a six-digit recovery code to the user's phone, giving only 1,000,000 possible values, and its rate limiting was insufficient to stop high-volume guessing. Muthiyah observed that of 1,000 codes submitted from one IP, about 250 were processed while the rest were throttled, so per-IP limits alone did not cap total attempts. By combining a race condition with IP rotation, he sent roughly 200,000 concurrent requests from 1,000 different IP addresses and estimated about 5,000 IPs would suffice to cover the full code space within the 10-minute validity window, brute-forcing the code and taking over any account. The core defect was the absence of an effective global lockout tying failed attempts to the targeted account rather than only the source IP.
- CRITICAL · AppSec · APPSEC-FIRSTAM-2019 · API · Finance · First American Financial Corp.
On 24 May 2019 KrebsOnSecurity disclosed that First American Financial Corp. had exposed roughly 885 million mortgage and title records dating back to 2003, including Social Security numbers, bank account numbers and statements, wire transaction receipts, mortgage and tax records, and driver's license images. The records were served by First American's EaglePro document system at sequential URLs containing a nine-digit document reference number. No authentication of any kind was required, so anyone holding a single valid link could simply increment or decrement the document number in the URL to retrieve any other customer's document. This is a textbook Broken Object Level Authorization / IDOR flaw (OWASP API1) compounded by complete Broken Authentication (OWASP API2), with a user-controlled object identifier and no authorization or login check. The defect was introduced in a May 2014 software update and was flagged by First American's own penetration test in January 2019 but left unremediated; researcher Ben Shoval reported it after the company failed to respond. New York DFS later brought a cybersecurity enforcement action (settled for $1 million) and the SEC settled disclosure-controls charges for $487,616.
- HIGH · AppSec · APPSEC-USPS-INFORMEDVIS-2018 · API · USPS (Informed Visibility)
On November 21, 2018 Krebs on Security reported that a USPS Informed Visibility API had exposed account data on roughly 60 million usps.com users, after a researcher's warning had gone unanswered for over a year until USPS fixed it on November 20, 2018. The API enforced authentication but no object-level authorization: any logged-in usps.com account holder could query the account details of any other user, and the same promiscuous endpoint allowed requesting account changes such as email, phone number, and other details for arbitrary users. Many API features also accepted wildcard search parameters, so a single query could return entire data sets at once. Exposed fields included email address, username, user ID, account number, street address, phone number, authorized users, and mailing-campaign data. This is a Broken Object Level Authorization / IDOR flaw with a missing-authorization root cause: authentication was checked but authorization on the target object was not.
- CRITICAL · AppSec · APPSEC-FACEBOOK-VIEWAS-2018 · Web app · Facebook
On September 28, 2018 Facebook disclosed that attackers had stolen access tokens by exploiting its View As feature; an initial estimate of nearly 50 million affected accounts was revised on October 12, 2018 to about 30 million whose tokens were actually stolen (roughly 29 million had data accessed). The root cause was a business-logic flaw chaining three bugs in the read-only View As profile preview: a video-uploader composer added in July 2017 wrongly appeared in that view, it incorrectly minted an access token at all, and critically it minted the token for the user being viewed rather than the viewer, embedding that token in the page HTML. An attacker could therefore select View As a target and scrape a fully privileged token for the target account, then pivot through friend lists to harvest tokens outward from roughly 400,000 seed accounts. The flaw is an improper-authentication / business-logic failure where an auth credential was generated in the wrong context and scoped to the wrong principal.
- CRITICAL · AppSec · APPSEC-FILE-UPLOAD · Web app · Unrestricted File Upload
Unrestricted file upload occurs when an application accepts an uploaded file without validating its type or content and stores it inside a web-accessible directory where the server will execute it, letting an attacker upload a script such as a .php or .jsp webshell and request it to run arbitrary code as the web user. At the code level the flaw is trusting client-supplied data (the filename extension or the Content-Type header) instead of verifying actual content, and saving to an executable path; weak filters are also bypassable, for example a regex without an anchoring $ or extension checks that ignore trailing characters. CVE-2017-12615 (disclosed 19 September 2017) is a documented case: Apache Tomcat 7.0.0 to 7.0.79 on Windows with the Default servlet's readonly parameter set to false allowed HTTP PUT uploads, and appending a trailing slash like shell.jsp/ bypassed the extension check, writing a JSP that Tomcat then executed for full remote code execution. This class maps to OWASP A04:2021 Insecure Design and overlaps A05 Security Misconfiguration; CWE-434.
- CRITICAL · AppSec · exploited · APPSEC-SQLI · Web app · SQL Injection
SQL injection occurs when untrusted user input is concatenated directly into a SQL statement so attacker-supplied characters break out of the intended data context and are parsed as SQL syntax; for example string-building a query like SELECT * FROM users WHERE id='" + input + "' lets input such as ' OR '1'='1 or '; DROP TABLE-- alter the query's logic, dump arbitrary tables via UNION SELECT, or chain to OS access through database stored procedures. It maps to OWASP A03:2021 Injection (CWE-89). In the October 2015 TalkTalk breach, attackers used SQLMap against three unpatched legacy Tiscali web pages to exfiltrate personal data of 156,959 customers, including 15,656 bank account numbers and sort codes, drawing a then-record GBP 400,000 ICO fine. The 2008 Heartland Payment Systems breach also began with SQL injection and exposed roughly 130 million payment cards, and CVE-2023-34362 in MOVEit Transfer (2023) was a mass-exploited SQL injection used by the Cl0p group.
- CRITICAL · AppSec · exploited · APPSEC-SSTI · Web app · Server-Side Template Injection
Server-side template injection occurs when user input is concatenated into a template that is then evaluated by a server-side engine, so the input is parsed as template directives rather than data; because engines like Jinja2, Twig, FreeMarker, and Velocity expose object introspection, a payload such as {{7*7}} returning 49 confirms evaluation, and attackers then walk the object graph (for example Jinja2's class/mro/subclasses chain or Java reflection in FreeMarker) to reach runtime classes and achieve remote code execution. It maps to OWASP A03:2021 Injection (CWE-1336 / CWE-94). The vulnerability class was formalized and named by James Kettle of PortSwigger in his Black Hat USA 2015 research 'Server-Side Template Injection: RCE for the Modern Web App,' which demonstrated automated detection and engine-specific SSTI-to-RCE exploitation, and it has since produced numerous documented bug-bounty RCE findings against major applications.
- CRITICAL · AppSec · exploited · APPSEC-JWT-ALG-CONFUSION · API · JWT authentication (JSON Web Tokens)
JWT algorithm confusion is an authentication-bypass class affecting servers that trust the attacker-controlled 'alg' field in a token's header to choose how the signature is verified, mapping to OWASP API2:2023 Broken Authentication. When a library exposes a single algorithm-agnostic verify call, setting alg to 'none' makes it accept a token with an empty signature and skip verification entirely, as Tim McLean documented across multiple libraries in a 2015 Auth0-coordinated disclosure. In the RS256-to-HS256 variant, a server expecting asymmetric RS256 passes its RSA public key to verify, but an attacker flips the header to HS256 so the library reuses that same public key as the HMAC secret; because the public key is not secret, the attacker can forge and HMAC-sign an arbitrary admin payload that validates. CVE-2015-9235 (CVSS 9.8) captured exactly this in node jsonwebtoken before 4.2.2, where a token signed with an HS-family algorithm was accepted in place of one expected to use an RS/ES asymmetric key. PortSwigger's Web Security Academy documents both the 'none' and RS256/HS256 confusion techniques as practical authentication-bypass labs.
- CRITICAL · AppSec · exploited · APPSEC-XXE · Web app · XML External Entity injection
XML External Entity (XXE) injection occurs when an application parses attacker-controlled XML with a parser that resolves external entities and DTDs, an unsafe default in many libraries such as Java's DocumentBuilderFactory, PHP's libxml, and .NET's XmlDocument. By declaring a DOCTYPE with an external entity such as one pointing at file:///etc/passwd and referencing it in the document body, the parser dereferences the URI and embeds the result into the parsed output, letting an attacker read local files, perform SSRF against internal services via http entities, or trigger denial of service through recursive entity expansion (the 'billion laughs' attack). In November 2013 Reginaldo Silva reported an XXE in Facebook's OpenID/Drupal handler that returned the contents of /etc/passwd and was treated as a path to remote code execution; Facebook patched it within hours and paid a then-record $33,500 bounty (disclosed January 2014). This class falls under OWASP A05:2021 Security Misconfiguration, which explicitly maps CWE-611.
- HIGH · AppSec · APPSEC-GITHUB-MASSASSIGN-2012 · Web app · GitHub (Ruby on Rails)
On March 4, 2012 security researcher Egor Homakov demonstrated a mass-assignment flaw against GitHub itself, having days earlier been dismissed when he warned the Rails core team about the issue. GitHub's Rails controllers passed request parameters straight into ActiveRecord models via update_attributes with no attribute allowlist, so any extra form field was bound to the model. By adding an unexposed public_key user_id field set to 4223 (the rails organization's user id) while uploading his own SSH key, Homakov reassigned ownership of his key to the rails/rails organization, giving himself commit access, and pushed a proof-of-concept commit. This is a textbook mass-assignment / over-posting vulnerability where the model bound a sensitive attribute the form never rendered. GitHub briefly suspended his account, then reinstated it after confirming no malicious intent, and tightened mass-assignment protection across the platform.
- HIGH · AppSec · exploited · APPSEC-XSS · Web app · Cross-Site Scripting
Cross-site scripting occurs when an application places untrusted input into HTML, JavaScript, or DOM contexts without context-aware encoding, so the browser parses attacker-controlled characters as executable script rather than inert text; the three forms are stored (payload persisted server-side and served to other users), reflected (payload echoed back in the immediate response), and DOM-based (client-side JavaScript writes input into a sink like innerHTML or document.write). Running in the victim's session, the script can steal cookies, forge requests, or rewrite the page. It maps to OWASP A03:2021 Injection (CWE-79). The October 4, 2005 Samy worm exploited a stored XSS flaw in MySpace profiles, and within 20 hours over one million users had run its self-propagating payload, the fastest-spreading worm at the time. The high-impact modern form is Magecart card skimming, as in the 2018 British Airways breach where injected payment-page JavaScript skimmed around 400,000 customers' card details and led to a GBP 20 million ICO fine.