web-security

PolyRange is a new open-source benchmark for evaluating offensive AI capabilities on web targets, designed to resist contamination by generating fresh tasks per deployment and including active defense tiers.

The article explains how a single XSS vulnerability can defeat the phishing-resistance of passkeys when attestation is set to 'none', allowing attackers to register their own passkeys and achieve persistent account takeover. It calls for attention to this overlooked threat and suggests defenses.

Open-sourced yao-websecurity-skill, an AI-based website security audit skill. It includes 275 security checks, supports static and dynamic audit modes, and automatically generates security scoring reports to help developers discover and fix security risks.

A web tool experiment demonstrating how to handle Content Security Policy errors in sandboxed iframes by intercepting fetch requests and prompting users to whitelist domains. The tool was built using GPT-5.5 via the Codex desktop app.

The author explains that their blog is blocking requests from old or suspicious browser user agents to mitigate a surge in high-volume crawlers, likely for LLM training data. Specific instructions are provided for users of Vivaldi and Inoreader to adjust settings or report issues.

This article details the discovery and disclosure of CVE-2025-5518 (React2Shell), a critical remote code execution vulnerability in React Server Components, explaining how researchers bypassed Flight protocol validations to access object prototypes.

Datasette PR #2689 replaces token-based CSRF protection with Sec-Fetch-Site header-based protection, inspired by Go 1.25 and Filippo Valsorda's research, simplifying CSRF handling by eliminating the need for hidden form tokens.