PATTERNS WE KEEP FINDING
The same handful of bugs keeps showing up across Lovable, Bolt, Cursor, Replit, and V0 apps. Not a corpus claim — a pattern we can show you, on a live URL, right now.
There is a difference between telling you a bug is common and showing you the bug, on a URL, with a curl command you can run yourself. Most security blogs do the first. This series does the second.
Every article points at a scenario on gapbench.vibe-eval.com — a public security benchmark we operate, currently 104 scenarios. Hit the URL, see the bug, run our scanner, see the finding. No corpus claims, no anonymous client name-drops, no “we scanned 1,500 apps” handwaving. The pattern, the live demo, the detection.
Start here
- Why we built gapbench, and why every heuristic scanner needs a ref0 — the manifesto. Read this first if you want the reasoning behind the whole series.
- False positives and the ref0 control — how we calibrate. The methodology behind every detection.
Auth
- BOLA in AI-generated CRUD — the missing ownership check
- JWT alg=none is not dead — your AI-generated auth might be running it
- Mass assignment — when the AI hands the user is_admin: true
- Magic links, OTP, and password resets — the auth flows AI generators get half right
- Cookie scope, TLS downgrade, OAuth Referer leak, PKCE downgrade — the ‘almost secure’ auth gaps
Trust boundaries
- SSRF, open redirects, and OAuth redirect_uri — the URL-trust trifecta
- CORS = * with credentials = true — the misconfiguration that voids your CSRF protection
- WebSocket origin, DNS rebinding, audit log tamper — the trust-boundary trio
- Stripe trust on the wrong side — webhook signatures skipped, paid-flag tampering
Data exposure
- The Supabase service-role key in your frontend bundle
- Source maps and .git in production — Next.js leaks you didn’t know you shipped
- GraphQL introspection on, Swagger with bearer prefilled, gRPC reflection — your API docs are an attack surface
Infrastructure
- Naked databases on the public internet — Postgres, Redis, Mongo with no auth
- S3 public buckets, subdomain takeover, GCP metadata SSRF — the cloud misconfigurations LLMs autocomplete
- Hosting panel bypass, staging env exposed, internal tools without login — the ‘internal’ surface that isn’t
- Poisoned CI actions, leaked Terraform state, Docker registry creds — supply chain in the GitHub Actions era
- Request smuggling, CRLF splitting, cache poisoning — the proxy-layer attacks AI generators are blind to
Frontend / JS
- Prototype pollution, DOM clobbering, postMessage without origin — JS-only attacks AI rarely guards against
- LLM-rendered HTML and Markdown — the XSS vector your AI feature shipped with
Agents and LLMs
- MCP servers without auth — the prompt that ran rm -rf
- RAG poisoning via public uploads — the knowledge base attack surface
- Indirect prompt injection and tool-output loops — when the model trusts what it just printed
Injections and primitives
- Zip-slip, unrestricted upload, SVG XXE — the file-upload trio (and the cousin attacks)
- Insecure deserialization, LDAP/XPath/MIME injection — the long-tail injections AI still produces
- ReDoS and weak randomness — when the autocomplete picks the wrong primitive
Concurrency
How to use this series
Every article follows the same loose shape — pattern, demo URL, why the AI does it, how we catch it, what to do. We deliberately don’t use a rigid template; each piece reads like a conversation with someone who has seen the bug too many times. The structure is the URL — gapbench.vibe-eval.com/site/<scenario>/ is up right now, you can hit it, the bug is real, the finding reproduces.
If you’ve read one of the data studies and want the anatomy, this is where the anatomy lives. If you’ve read a case study and want to verify the pattern is real, this is where you verify it.