Traces the honeypot technique family used to catch automation cheaply: hidden form fields, off-screen decoy links, and submission-timing checks, plus why each one fails against a browser-driving bot and where the false positives hide.
Traces the failure modes that let a few visitors carry more than their share of queue slots: token replay, time-of-check race conditions at admission, and the multi-tab arithmetic that turns one cleared spot into many.
Traces how Certificate Transparency turns CA mis-issuance into a public, append-only Merkle-tree record: SCTs, the gossip and audit model, how browsers enforce it, and why the same logs hand attackers a free subdomain map.
Traces how certificate revocation works on the web: CRLs, the OCSP request/response, stapling in the TLS handshake, must-staple, the privacy leak of plain OCSP, and why Let's Encrypt shut its responders off in 2025.
Traces how Mozilla, Apple, Microsoft, and Chrome curate the root CAs that anchor every HTTPS connection, the governance machinery behind inclusion and removal, and the Symantec, TrustCor, and Entrust distrust events that show the system enforcing itself.
Traces what a CDN actually puts in its cache key, how unkeyed headers and parser discrepancies turn a shared cache into an exploit delivery system, and the defenses that hold up against poisoning and deception.
Traces how the internet's routing protocol came to trust whatever it is told, the incidents that exploited that trust from 1997 to today, and the RPKI, ROV, and MANRS work trying to close the gap.
Traces two targeted BGP hijacks that stole cryptocurrency: the 2018 Amazon Route 53 attack on MyEtherWallet and the 2022 KlaySwap incident, and how a short hijack plus a fraudulent certificate intercepts HTTPS traffic.
Traces how proxies append to the X-Forwarded-For and Forwarded chains, why the client-facing end is trivially spoofable, how trusted-proxy and rightmost-IP resolution actually works, and the security bugs that follow from getting it wrong.
A reference on application-layer DDoS: why HTTP floods are measured in requests per second, how they diverge from L3/L4 volumetric attacks, why they are cheap to mount and hard to filter, and what actually stops them.
Traces how a request-then-RST_STREAM loop in HTTP/2 sidestepped the concurrency limit that was supposed to bound per-connection work, set DDoS records at 398 and 201 million requests per second, and forced a round of server patches.
Traces the algorithms behind server-side rate limiting as an abuse defense: fixed and sliding windows, the log-versus-counter tradeoff, token and leaky buckets, GCRA, and how Redis enforces them across a fleet.
Traces the low-bandwidth slow attacks: Slowloris, slow POST (RUDY), and slow read, how each pins a worker thread on thread-per-connection servers, why event-driven servers shrug them off, and what actually times them out.
Traces how credential stuffing works at the concept level: password reuse as the root cause, combo lists built from breach dumps, the one-to-three-percent success rate offset by scale, and why it is a different attack from brute force.
Traces the tooling and economics that turn a breach dump into validated accounts: combo lists and stealer logs, OpenBullet-style configs, residential proxy networks, CAPTCHA-solver farms, and the division of labor underneath.
Traces how stolen and generated card numbers get validated at scale: the BIN-enumeration pattern, the micro-authorization probe, the bot infrastructure behind it, and the merchant- and network-side signals that catch it.
Traces gift-card balance-checking bots like GiftGhostBot and loyalty-point theft: the enumeration and account-takeover patterns behind them, why the endpoints are soft targets, and why the whole category stays under-reported.
Traces how Anubis gates HTTP requests behind a browser-solved SHA-256 proof-of-work puzzle: the challenge construction, the JWT cookie, the Mozilla heuristic, the FOSS adoption wave, and why native solvers undercut it.
A reference on web application firewalls: positive vs negative security models, signature and parser-based matching, the CRS anomaly-scoring system and its paranoia levels, where a WAF sits in the request path, and how false positives get tuned away.
Traces why signature-based WAFs are bypassable in principle: encoding and normalization gaps, payload fragmentation, parser differentials between the firewall and the backend, and the structural case for positive security.
A reference deep dive into the OWASP Core Rule Set: its rule categories, the anomaly-scoring model, paranoia levels, the ModSecurity and Coraza engines that run it, and how the project got here.
Traces how HTTP/1.1's two ways of measuring a request body let a front-end and back-end disagree on where one request ends, how CL.TE and TE.CL desync turns that into socket poisoning, and what actually fixes it.
Traces how HTTP/2-to-HTTP/1.1 downgrading reintroduces request smuggling through H2.CL and H2.TE desync, why a binary length field stops protecting the message the moment an edge rewrites it, and what 2025 research showed is still unfixed.
Traces how server-side request forgery reaches the EC2 metadata endpoint at 169.254.169.254, how that exact chain exposed 106 million Capital One records in 2019, and how IMDSv2's session-token design closes the door.