Pentrova Blog

How to prevent SQL injection: a developer's guide for 2026

Pentrova Engineering — Sat, 30 May 2026 00:00:00 GMT

SQL injection is still exploitable in 2026. Here is how it works, why parameterized queries are the real fix, and how to verify your app is actually safe.

IDOR vs BOLA: the difference and how to test for both

Pentrova Research — Thu, 28 May 2026 00:00:00 GMT

IDOR and BOLA describe the same broken-access-control failure from different angles. Here is the precise difference and how to test for both.

SSRF in 2026: exploiting cloud metadata and how to prevent it

Pentrova Research — Tue, 26 May 2026 00:00:00 GMT

Server-side request forgery still leads to cloud credential theft in 2026. How SSRF reaches the metadata service, why IMDSv2 helps, and how to prevent it.

What is PTaaS? Penetration Testing as a Service explained

Pentrova Research — Sun, 24 May 2026 00:00:00 GMT

PTaaS (Penetration Testing as a Service) delivers pentesting as an always-on platform instead of a one-off engagement. Here is how it works and when to use it.

Continuous penetration testing: what it is and how to implement it

Pentrova Research — Fri, 22 May 2026 00:00:00 GMT

Continuous penetration testing replaces the annual snapshot with always-on, release-gated coverage. Here is what it is, why it matters, and how to roll it out.

OWASP API Security Top 10 (2023): a practical guide with testing notes

Pentrova Research — Wed, 20 May 2026 00:00:00 GMT

A practical walkthrough of the OWASP API Security Top 10 (2023) — what each risk means, how it shows up, and how to test for it with deterministic evidence.

A day in the life of Pentrova: from confirmed chain to merged fix

Pentrova Engineering — Mon, 18 May 2026 00:00:00 GMT

Walk through a realistic engagement — scope, scan, chain, bundle, fix — in the shape a platform engineer actually sees it, from morning digest to un-gated beta.

Where AI helps in a pentest — and where only evidence is allowed to decide

Pentrova Research — Fri, 15 May 2026 00:00:00 GMT

Pentrova uses AI to decide what to test next, never to decide whether a finding is real. Here is where the boundary sits and why it builds trust.

From CVSS to evidence: why severity scores are not a triage oracle

Pentrova Research — Tue, 12 May 2026 00:00:00 GMT

CVSS estimates severity; evidence confirms impact. Here is what changes in vulnerability triage when the report leads with proof instead of a score.

Attack-chain taxonomy 101: the five classes Pentrova organises coverage around

Pentrova Engineering — Fri, 08 May 2026 00:00:00 GMT

Pentrova groups attack chains into five classes so teams fix them faster. Here are the classes, why they beat a flat CVSS list, and how each maps to coverage.

OpenAPI lint: the missing security scheme that makes every endpoint look public

Pentrova Research — Tue, 05 May 2026 00:00:00 GMT

The most common OpenAPI mistake is a perfectly described API with no security scheme on any operation. Here is why it matters and how to fix the drift.

Choosing targets for your first Pentrova scan: environment, application, and scope

Pentrova Research — Tue, 28 Apr 2026 00:00:00 GMT

A practical guide to picking the right application, environment, and scope for your first deterministic pentest — and what a good first report looks like.

Race condition testing playbook: finding TOCTOU bugs with burst traffic

Pentrova Engineering — Tue, 21 Apr 2026 00:00:00 GMT

A pragmatic race-condition testing playbook: identify state invariants, baseline a single request, fire a coordinated burst, and diff against the baseline.

Authorization Matrix walkthrough: finding BOLA in a real API

Pentrova Research — Tue, 14 Apr 2026 00:00:00 GMT

A step-by-step walkthrough of how the Authorization Matrix models roles, captures reference responses, and flags cross-tenant BOLA leaks.

XXE to SSRF via DOCTYPE: exploiting and preventing XML external entity attacks

Pentrova Research — Tue, 07 Apr 2026 00:00:00 GMT

XML external entity injection does not stop at file reads. Here is how the XXE-to-SSRF chain works through DOCTYPE and how to prevent it.

Verifier internals: the three stages that close the proof loop

Pentrova Research — Tue, 31 Mar 2026 00:00:00 GMT

A walk through the three-stage verifier that turns a candidate exploit into a replayable, hash-verified PoC bundle: clean-session replay, byte diff, bundle.

Canary patterns for window.name: tracking an overlooked DOM XSS source

Pentrova Engineering — Tue, 24 Mar 2026 00:00:00 GMT

window.name persists across navigations, making it a sneaky DOM XSS taint source. Here are the canary patterns that track it from ingress to sink.

CI-gated pentest runbook: moving from quarterly tests to release-gated chains

Pentrova Research — Tue, 17 Mar 2026 00:00:00 GMT

A pragmatic runbook for moving from quarterly penetration tests to continuous, release-gated exploit chains — scope, gating rules, and ownership.

Why our sandbox never destructively exploits: proof without harm

Pentrova Engineering — Tue, 10 Mar 2026 00:00:00 GMT

Proving a system is vulnerable should never require breaking it. Here is how Pentrova's sealed sandbox demonstrates real impact without destructive actions.

Verifier design notes: why the smallest component decides what is a finding

Pentrova Engineering — Tue, 03 Mar 2026 00:00:00 GMT

The verifier is the smallest component that decides whether a chain is a finding. Here is why minimal surface area is the right design for a trust boundary.

Curated vs dynamic attack chains: two ways to compose impact, one evidence bar

Pentrova Research — Tue, 24 Feb 2026 00:00:00 GMT

Pentrova's curated escalation catalog and the dynamic chains it builds at scan time are held to the same evidence standard. Here is how they differ and combine.

Log4Shell chain replay: confirming CVE-2021-44228 with an out-of-band callback

Pentrova Engineering — Tue, 17 Feb 2026 00:00:00 GMT

How to confirm Log4Shell (CVE-2021-44228) with an out-of-band DNS callback instead of a pattern match, and replay the follow-on escalation chain safely.

BOLA hunting in microservices: how to find broken object-level authorization at scale

Pentrova Research — Tue, 10 Feb 2026 00:00:00 GMT

Broken object-level authorization (BOLA) only appears when two roles touch the same object. Here is how multi-role replay catches it at scale.

Canary-based taint tracking for DOM XSS: catching client-side bugs static analysis misses

Pentrova Research — Tue, 03 Feb 2026 00:00:00 GMT

How canary-based taint tracking tags every DOM ingress channel and watches a broad sink surface to catch DOM XSS that static analysis and reflection scans miss.

Compliance-mapped reports for HIPAA evidence collection

Pentrova Engineering — Tue, 27 Jan 2026 00:00:00 GMT

Replacing probability-scored findings with replayable PoC bundles shortens HIPAA and HITRUST evidence collection from weeks to days. Here is how.

OAuth 2.0 replay attacks: authorization-code interception, missing PKCE, and how to test

Pentrova Research — Tue, 20 Jan 2026 00:00:00 GMT

A practical primer on OAuth 2.0 replay attacks — authorization-code interception, missing PKCE, and state-parameter gaps — with deterministic testing.

How Pentrova turns single bugs into exploit chains

Pentrova Research — Tue, 13 Jan 2026 00:00:00 GMT

Chains, not isolated findings, tell you whether an attacker can reach something that matters. Here is how Pentrova composes findings into proven impact.

Deterministic proof beats probabilistic CVSS: why replayable exploits change triage

Pentrova Research — Tue, 06 Jan 2026 00:00:00 GMT

Replayable exploit bundles change triage economics more than any severity score. Here is why deterministic proof beats probabilistic CVSS.