Issue #2 - AppSec Weekly 🛡️

Your go-to source for the latest in application security trends, tools, and insights!


GitHub's security team enhanced CodeQL to detect vulnerabilities in GitHub Actions, adding taint tracking and Bash support to prevent supply chain attacks. Their research secured 75+ workflows, uncovering 90+ vulnerabilities in major OSS projects from organizations such as Microsoft, AWS, Apache, Hugging Face, Jupyter, and Cloudflare. The update introduces 18 new security queries and models for detecting complex risks, now available in public preview.


Security researcher Zakhar Fedotkin has introduced the "cookie sandwich" technique, allowing attackers to bypass the HttpOnly flag on certain servers. By exploiting legacy cookie parsing and special characters, attackers can manipulate cookies to expose session tokens.

Anomaly detection identifies unusual patterns in time series data, which is crucial in fields like sales, security, finance, manufacturing, and healthcare. Specialized methods, such as STL decomposition and LSTM prediction, effectively detect these anomalies by accounting for the data's unique characteristics, including seasonality and trends. Implementing these techniques can help uncover critical issues or hidden opportunities within the data.

Google has introduced OSV-SCALIBR, an extensible Software Composition Analysis (SCA) library for scanning open-source dependencies, installed packages, and file systems. It supports SBOM generation, vulnerability detection, and weak credential scanning across multiple OS and programming ecosystems. OSV-SCALIBR is now Google's primary SCA engine and will be integrated into OSV-Scanner for CLI users. The project aims to improve container scanning, reachability analysis, and false positive reduction. Developers can contribute via plugins and provide feedback through Google's issue tracker.

🛠️ Code & Tools

Red teaming for large language models (LLMs) is emerging as a critical security practice, identifying vulnerabilities before deployment. Threats range from prompt injections and jailbreaks to privacy violations and unauthorized data access, particularly in RAG and agent-based architectures. Companies are integrating automated red teaming into CI/CD pipelines to continuously monitor AI risks. Discord’s Clyde chatbot serves as a case study, highlighting the need for rigorous testing and gradual rollouts. As AI security standards evolve, frameworks like OWASP LLM Top 10 and NIST AI RMF guide best practices.

Semgrep’s new AI-powered Assistant helps security teams by filtering false positives before developers are notified, improving trust in alerts. It generates precise fix suggestions by analyzing past code history and available dependencies. A memory system learns from user feedback, applying insights to similar findings and reducing backlog. Some teams have cut security findings by 40% with just a few learned rules (memory). Semgrep’s approach prioritizes precision over broad AI automation, focusing on practical, high-impact improvements.

In response to Semgrep’s licensing changes, a consortium of security companies has launched Opengrep, a fully open-source fork of Semgrep CE. The move comes after Semgrep shifted key scanning features behind a commercial paywall, raising concerns about vendor lock-in. Opengrep aims to keep Static Application Security Testing (SAST) open and accessible, ensuring long-term community-driven development. Backed by 10+ security firms, Opengrep invites developers to contribute and shape the future of open-source code security.

📚 Interesting Books & Releases

Eugene Lim's From Day Zero to Zero Day (June 2025) offers a hands-on guide to vulnerability research, covering code review, reverse engineering, and fuzzing. The book, available for early access, equips both beginners and experts with strategies to discover and exploit security flaws before attackers do.

And that’s a wrap for this week! If you enjoy this curated issue, feel free to forward or share it with your appsec folks/team/hackerclub. For feedback, hugs, bugs or chats drop an email to [email protected]