<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Web Security on Vivian's Blog</title><link>https://vvnblog.com/en/tags/web-security/</link><description>Recent content in Web Security on Vivian's Blog</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>Copyright © 2026 Vivian All Rights Reserved.</copyright><lastBuildDate>Fri, 19 Jul 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://vvnblog.com/en/tags/web-security/index.xml" rel="self" type="application/rss+xml"/><item><title>Basic Pentesting of a GraphQL Setup</title><link>https://vvnblog.com/en/posts/graphql-leak-info/</link><pubDate>Fri, 19 Jul 2024 00:00:00 +0000</pubDate><guid>https://vvnblog.com/en/posts/graphql-leak-info/</guid><description>One open Introspection Query let me list the entire GraphQL schema. A real pentest case of a common but costly setup mistake.</description></item><item><title>Secure, HttpOnly, SameSite: The Three Guardians of Your Cookie</title><link>https://vvnblog.com/en/posts/cookie/</link><pubDate>Thu, 23 May 2024 00:00:00 +0000</pubDate><guid>https://vvnblog.com/en/posts/cookie/</guid><description>One badly set cookie is enough for an attacker to pretend to be you. Meet the three lines of defense (Secure, HttpOnly, SameSite) and how to turn them on.</description></item><item><title>How JWT Works</title><link>https://vvnblog.com/en/posts/jwt/</link><pubDate>Thu, 11 Apr 2024 00:00:00 +0000</pubDate><guid>https://vvnblog.com/en/posts/jwt/</guid><description>How does one string split by dots hold up the login for modern websites? Breaking down the three parts of a JWT, and the traps to avoid.</description></item></channel></rss>