<?xml version="1.0" encoding="utf-8"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Classic Vulnerable Defaults on security-recipes.ai</title><link>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/</link><description>Recent content in Classic Vulnerable Defaults on security-recipes.ai</description><language>en-us</language><atom:link href="https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/index.xml" rel="self" type="application/rss+xml"/><item><title>PHP object deserialization — `unserialize` on untrusted data</title><link>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/php-unserialize/</link><guid>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/php-unserialize/</guid><pubDate>Sun, 26 Apr 2026 00:00:00 GMT</pubDate><description>Replace unsafe `unserialize` usage with JSON or strict allowed-class deserialization; add tests that preserve payload behavior.</description></item><item><title>Ruby unsafe deserialization — `Marshal.load` / `YAML.load`</title><link>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/ruby-marshal-yaml-load/</link><guid>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/ruby-marshal-yaml-load/</guid><pubDate>Sun, 26 Apr 2026 00:00:00 GMT</pubDate><description>Replace `Marshal.load` and unsafe YAML loading with safe parsers, typed coercion, and strict migration tests.</description></item><item><title>Python pickle / dill on untrusted input</title><link>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/python-pickle/</link><guid>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/python-pickle/</guid><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><description>Replace pickle on untrusted input; mitigate via a restricted unpickler with an explicit class allowlist.</description></item><item><title>PyYAML `yaml.load` without a safe Loader</title><link>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/pyyaml-load/</link><guid>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/pyyaml-load/</guid><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><description>Default to `yaml.safe_load`; install an import-time shim that defaults the loader for legacy callers.</description></item><item><title>Java ObjectInputStream and friends</title><link>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/java-deserialization/</link><guid>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/java-deserialization/</guid><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><description>Replace with JSON serializers; mitigate via JEP 290 deserialization filters with a strict class allowlist.</description></item><item><title>XML external entities (XXE) — parser defaults</title><link>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/xxe-xml-defaults/</link><guid>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/xxe-xml-defaults/</guid><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><description>Per-language parser hardening: defusedxml for Python, factory feature flags for Java, libxml entity-loading off in PHP.</description></item><item><title>JWT — `alg: none` and algorithm confusion</title><link>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/jwt-alg-none/</link><guid>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/jwt-alg-none/</guid><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><description>Force an explicit algorithm allowlist on every verify call; reject `none` at the import boundary.</description></item><item><title>JavaScript `eval()` / `new Function()` on untrusted input</title><link>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/eval-and-function-constructor/</link><guid>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/eval-and-function-constructor/</guid><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><description>Replace with parsers or restricted evaluators; add a CSP `script-src` ban on `unsafe-eval` for browser code.</description></item><item><title>Disabled TLS verification — `verify=False` and friends</title><link>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/requests-verify-false/</link><guid>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/requests-verify-false/</guid><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><description>Install the right CA bundle; add a fail-closed shim that refuses `verify=False` outside an opt-in test environment.</description></item><item><title>Prototype pollution — `merge`, `assign`, and friends</title><link>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/prototype-pollution-merge/</link><guid>https://security-recipes.ai/prompt-library/general/classic-vulnerable-defaults/prototype-pollution-merge/</guid><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><description>Filter `__proto__` / `constructor` / `prototype` keys at parse boundaries; replace hand-rolled merges with vetted utilities.</description></item></channel></rss>