If you run a vulnerability scan on your "slim" production images right now, the results might terrify you. I recently audited a fleet of microservices running on standard debian:bullseye-…

It started with a sudden spike in 503 errors on our payment gateway service. The Kubernetes pods were running, resources were healthy, but the logs were screaming: upstream connect error or disconn…

최근 금융 도메인의 인증 시스템 을 고도화하던 중, 모의 해킹(Penetration Test)에서 치명적인 시나리오가 보고되었습니다. 공격자가 XSS(Cross-Site Scripting) 취약점을 통해 사용자의 Refresh Token 을 탈취했을 때, Access Token 의 유효기간이 짧더라도 공격자는 탈취한 리프레시 토큰으로 끊임없이 새로운 액…

The security audit report landed on my desk on a Friday afternoon, and it wasn't pretty. While our access token expiration was tight (15 minutes), our handling of refresh tokens created a massiv…