All Posts
Filter 40 posts by category. Each one focuses on finding the bug and reproducing it with a working proof-of-concept.
GraphQL Field Suggestion Abuse: Rebuilding a Hidden Schema
Even with introspection disabled, GraphQL's did-you-mean error suggestions leak field and type names, letting an attacker reconstruct the schema and reach hidden operations. We cover the technique and a working extraction PoC.
Password Reset Poisoning via the Host Header
If reset links are built from the incoming Host header, an attacker can redirect the token to their own server. We cover the poisoning flow and the fixes.
JWT JKU and x5u Injection: Pointing Key Discovery at Your Server
When a JWT verifier fetches its signing key from a URL in the token header, controlling jku or x5u lets an attacker supply their own key and forge tokens. We cover detection and a working forgery PoC.
Cross-Site WebSocket Hijacking: When the Handshake Skips CSRF
A WebSocket handshake authenticated only by cookies and lacking origin checks lets an attacker page open an authenticated socket and read or send messages as the victim. We cover detection and a working CSWSH PoC.
LLM Prompt Injection in Web Apps: Indirect and Agentic Risks
When a web app feeds untrusted content to an LLM with tools, attacker text becomes attacker instructions. We cover direct, indirect, and tool-abuse injection.
SAML Signature Wrapping: Forging Assertions the Verifier Trusts
XML Signature Wrapping and signature stripping let an attacker alter a signed SAML assertion while keeping a valid signature, impersonating any user. We cover the verifier flaws and a working XSW PoC.
Web Cache Poisoning: Turning a Cache Into a Weapon
Unkeyed inputs let an attacker store a malicious response in a shared cache and serve it to every visitor. We cover cache keys, unkeyed headers, and deception.
Secrets in Frontend JavaScript: The Bundle Leak
API keys and tokens baked into client-side bundles are public the moment you ship. We cover what leaks, how recon finds it, and how to keep secrets server-side.
HTTP Request Smuggling: The 0.CL Desync Era
New 2025 desync research revived request smuggling against modern stacks. We explain CL.TE, TE.CL, and the 0.CL early-response gadget.
CORS Misconfiguration: The Reflected-Origin Trap
A permissive CORS policy can hand attacker sites read access to authenticated responses. We dissect the reflected-origin and null-origin mistakes.
Race Conditions: The Limit-Overrun in Web Apps
Concurrent requests in a narrow time window can redeem a coupon twice or overdraw a balance. We cover the TOCTOU window and how to enforce atomicity.
CRLF Injection: Splitting Responses and Forging Headers
An unescaped carriage-return/line-feed in a header value lets an attacker inject headers, set cookies, and split the HTTP response. We cover encoding probes and a header-injection PoC.
DOM XSS: When the Vulnerability Never Touches the Server
DOM-based cross-site scripting lives entirely in client-side JavaScript, invisible to server-side filters. We trace sources to sinks and lock them down.
Unrestricted File Upload: From Image to Web Shell
Weak upload validation lets an attacker drop executable code on your server. We cover content-type tricks, double extensions, and how to neutralize uploads.
Server-Side Template Injection: From Curly Braces to RCE
SSTI turns a templating convenience into remote code execution when user input reaches the template engine. We trace the path from detection to sandbox escape.
IDOR and BOLA: The API Bug That Never Leaves the Top 10
Broken object level authorization is the most common serious API flaw. We show how predictable identifiers leak other users' data and how to enforce ownership.
Dependency Confusion: When Your Build Trusts the Wrong Registry
Publishing a public package with your internal name can hijack builds across an organization. We cover the resolution flaw and how to lock package sources down.
Subdomain Takeover: Hunting Dangling DNS
A CNAME pointing at a deprovisioned cloud resource lets an attacker claim your subdomain. We cover detection during recon and how to prevent dangling records.
JWT Attacks: alg=none, Key Confusion, and Weak Secrets
JSON Web Tokens fail open in spectacular ways when verification is sloppy. We cover algorithm confusion, the none attack, and crackable HMAC secrets.
Insecure Deserialization: ViewState, RSC Payloads, and RCE
Deserialization bugs turned untrusted bytes into remote code execution across major platforms in 2025. We unpack the gadget-chain mechanics and the fixes.
OAuth and OIDC Misconfiguration: Redirect URIs and the state Parameter
Loose redirect URI matching and a missing state parameter turn social login into account takeover. We map the token-theft and CSRF paths and the fixes.
GraphQL Abuse: Introspection, Batching, and Deep Queries
GraphQL's flexibility is also its attack surface. We cover introspection leakage, batching-based brute force, and denial of service via deeply nested queries.
SSRF in 2025: From Image Proxies to Cloud Metadata Theft
Server-side request forgery turns a harmless URL fetch into a pivot against internal services and cloud metadata endpoints. Here is how it escalates and how to stop it.
Prototype Pollution: From Merge Helpers to RCE Gadgets
A single __proto__ key in attacker JSON can corrupt every object in a Node app. We trace client and server pollution to real impact and the fixes.
SQL Injection in 2025: From Error-Based Leaks to ORM Blind Spots
SQL injection refuses to die. We look at how modern ORMs, raw query escape hatches, and second-order payloads keep this classic flaw alive in current stacks.
Open Redirect: The Low-Severity Bug That Unlocks Bigger Ones
An unvalidated redirect target sends victims to attacker sites and serves as a gadget for OAuth token theft and SSRF. We cover finding redirect parameters and bypassing weak validators.
PHP Type Juggling: When Loose Comparisons Accept Anything
PHP's loose == operator coerces types in surprising ways, letting magic-hash and array tricks bypass authentication and hash checks. We cover spotting loose comparisons and a working bypass PoC.
Clickjacking: Stealing Clicks Through a Transparent Overlay
When a sensitive page can be framed, an attacker overlays it invisibly and hijacks the victim's clicks into privileged actions. We cover framability testing and a working overlay PoC.
Path Traversal and LFI: Reading the Filesystem Through a Parameter
A filename parameter that accepts ../ sequences lets an attacker read arbitrary files and, via inclusion, execute code. We cover traversal probes, encoding bypasses, and a working file-read PoC.
CSRF in 2025: Defeating SameSite With Method and Gadget Tricks
SameSite cookies blunted classic CSRF but did not end it. We cover detecting forgeable state-changing requests and the GET-method, lax-window, and same-site gadget bypasses with working PoCs.
LDAP Injection: Bending Directory Filters to Your Will
Unescaped input in an LDAP search filter lets an attacker rewrite the query, bypass authentication, and enumerate the directory. We cover filter-syntax probes and a working bypass PoC.
NoSQL Injection: Operator Objects That Bypass the Login
Document databases interpret query operators in untrusted input, letting an attacker turn a login into an always-true match or extract data blindly. We cover detection and authentication-bypass PoCs.
OS Command Injection: From a Shell Metacharacter to the Host
When user input reaches a shell, a single metacharacter runs attacker commands on the server. We cover the sinks, blind detection by timing and OOB, and a working command-execution PoC.
Blind XXE: Exfiltrating Files Through Out-of-Band Channels
When an XML parser resolves external entities but returns no output, out-of-band XXE leaks files and internal requests over DNS and HTTP. We cover detection and a working OOB exfiltration chain.
Mutation XSS: When the Browser Rewrites Your Payload Into Life
mXSS slips inert-looking markup past a sanitizer that the browser's HTML parser then re-serializes into executable script. We cover the parsing quirks that trigger it and how to prove a bypass.
Blind XSS: Firing Payloads Into Screens You Cannot See
Blind XSS executes in a context the attacker never observes directly, such as an internal admin panel. We cover out-of-band probes, where they detonate, and how a callback confirms the hit.
Mass Assignment: Smuggling Privileged Fields Into the Model
When a framework auto-binds request keys to object attributes, sending an extra field like role or is_admin can escalate privileges. We cover discovering bindable fields and a working autobinding PoC.
Stored XSS: Payloads That Wait for the Next Visitor
Stored cross-site scripting persists in the database and executes against every viewer of a page. We cover where it lurks, which fields survive sanitization, and how to confirm execution.
Reflected XSS: Tracing the Echo From Parameter to Payload
Reflected cross-site scripting fires when a request parameter is echoed straight back into the response. We trace the reflection from probe to a working, context-aware payload.
Web Cache Deception: Tricking the CDN Into Storing Private Pages
A path-confusion trick makes a CDN cache a victim's authenticated response under a static-looking URL the attacker can fetch. We cover the delimiter and extension probes and a working data-theft PoC.