Writeups, CVE breakdowns, CTF solutions, and original research on web security, reverse engineering, red teaming, and exploitation techniques.
A deep dive into how I combined a server-side request forgery with a template injection vulnerability to escalate from unauthenticated external attacker to full remote code execution. Includes a working PoC and patch analysis.
Walk-through of unpacking a multi-stage packer, defeating string encryption, and recovering hardcoded API credentials from a banking application. Tools: jadx, frida, apktool.
Full binary exploitation write-up for the Phantom box. Off-by-one in a custom allocator leads to heap metadata corruption, house-of-spirit, and privilege escalation via a SUID binary.
A breakdown of common GraphQL attack surfaces: batching attacks, nested query DoS, IDOR through insecure resolvers, and why disabling introspection is security theatre.