WRITING.
IF YOU'RE CURIOUS, READ.
IF NOT, THAT'S OKAY.
- 01 I Skipped Two-Factor Auth By Telling the Server I Already Did It
A 2FA bypass so simple it was offensive. The server asked if 2FA was complete. I said yes. The server believed me. That was the whole thing.
- 02 Their CORS Policy Trusted Everyone. So I Was Everyone.
A wildcard CORS misconfiguration that reflected any Origin header as trusted. I made a victim's browser make authenticated API calls to their own account and send me the results. Classic.
- 03 GraphQL Left the Lights On: Introspection, Admin Mutations, and No Auth
A GraphQL API with introspection enabled in production revealed every admin mutation. Then I called them. Without being an admin. Turns out the schema was more honest than the authorization layer.
- 04 The Cookie That Executed Code on Their Server
Insecure deserialization in a session cookie. I modified my cookie. Their server deserialized it. My code ran. Remote code execution from a cookie. Still feels unreal.
- 05 Polluting JavaScript Prototypes Until the Whole App Broke (In My Favor)
Prototype pollution in a client-side library that cascaded into DOM-based XSS. One crafted URL parameter. Every user who visited the page. JavaScript runs.
- 06 One Open Redirect. Every OAuth Token. Yours.
An open redirect in a trusted OAuth callback parameter turned into a complete token theft chain. One link. One click. Full account access. No malware. No drama.
- 07 I Poisoned Their Reverse Proxy and Hijacked Someone Else's Request
HTTP request smuggling on a load-balanced application. I sent one malformed request. The backend thought it was two. The second one belonged to the next user who visited. Critical.
- 08 The XML File That Read Their Server's /etc/passwd
An XXE injection buried inside a document import feature. I uploaded an XML file. Their server read its own filesystem back to me. Then I found the AWS credentials file.
- 09 Blind SQLi, 47 Hours, and a Database Full of Secrets Nobody Knew Were There
A time-based blind SQL injection that started with a one-second delay and ended with 200,000 user records, internal API keys, and a very uncomfortable conversation with their CTO.
- 10 I Made Their Server Talk to Mine. Then I Made It Talk to AWS.
An SSRF that started as a curiosity and ended with me reading EC2 instance metadata from their internal AWS environment. Critical doesn't cover it.
- 11 My JavaScript Ran in the Admin Panel for 11 Days Straight
A stored XSS that silently fired on every admin session. Turns out 'sanitized' and 'actually sanitized' are two very different things.
- 12 I Could See Your Invoices. All of Them. Forever.
An IDOR so simple it made me question everything I knew about software engineering. And humanity.
- 13 How I Got Paid to Break a Login Page (And Why I Still Feel Guilty)
A critical authentication bypass that let me log in as literally any user. No password required. Just vibes.
- 14 Learning in Public: Notes From Someone Who Trusted User Input Once
First blog. No CVE yet. Just curiosity, broken assumptions, and too much time in Burp Suite.