DISCOVERY · OFFENSE · EXPLOITATION
0x4F
<CYBERLOG/>
A personal blog on web application security — finding and reproducing real vulnerabilities, with hands-on proof-of-concepts and exploitation walkthroughs.
- posts: 40
- topics: 06
- tags: 112
Latest Posts
GraphQL Field Suggestion Abuse: Rebuilding a Hidden Schema
Even with introspection disabled, GraphQL's did-you-mean error suggestions leak field and type names, letting an attacker reconstruct the schema and reach hidden operations. We cover the technique and a working extraction PoC.
9 min read
Password Reset Poisoning via the Host Header
If reset links are built from the incoming Host header, an attacker can redirect the token to their own server. We cover the poisoning flow and the fixes.
9 min read
JWT JKU and x5u Injection: Pointing Key Discovery at Your Server
When a JWT verifier fetches its signing key from a URL in the token header, controlling jku or x5u lets an attacker supply their own key and forge tokens. We cover detection and a working forgery PoC.
9 min read