Pinned
Common GraphQL Misconceptions: A rant
Let’s talk about GraphQL, and how evil or good it is — a hot take from a developer cum pentester ;) This post will enlighten your world!
Aug 9, 2021

Pinned
Peeking into the Future
Today I have been thinking more about how to proceed with something interesting to share with my audience on a daily basis. Let’s see!
Aug 7, 2021

Pinned
Injection attacks in Google Sheets!
Let’s learn how to use benign-looking CSVs and spreadsheets to exfiltrate data, without even letting the user know about it ;)
Jul 16, 2021

Demystifying an XSS payload: Part 4
Let’s demystify an interesting XSS payload and learn about it! This post aims to share my methodology for debugging things.
Aug 16, 2021

Experience Diary: Doing infosec research the right way
Let me share my experience of how I do research on a topic. I would be happy to know your methodology as well :)
Aug 15, 2021

Intigriti’s Flask Challenge Breakdown
Let’s see what the devs have cooked up at Intigriti today! A damn vulnerable & broken Flask application. Let’s hack it for Fun & Learning!
Aug 13, 2021

Neat XSS trick from a G.O.A.T — Gareth Heyes special
Let’s discuss this interesting XSS challenge that was shared yesterday by Gareth Heyes! Read on to learn a neat JavaScript trick :)
Aug 12, 2021

RCE via failed regex check — One dot to rule ’em all!
Let’s learn how a failed regex check led to RCE in the PiHole Admin panel. There’s of course more, so check the full post to learn more...
Aug 11, 2021

Smuggling Script via URL: Short HTML-based XSS payload
Let’s learn a neat trick for putting the XSS payload in the URL to achieve shorter XSS payloads — straight from the greats!
Aug 10, 2021

Intigriti’s PHP challenge breakdown
Let’s discuss issues with the PHP code shared by Intigriti! We will discuss how you can shoot yourself in the foot with PHP’s…
Aug 8, 2021

Bug Bounty Stories #3: Docstring Injection to XSS
Let’s see how I found and exploited an interesting docstring injection issue! I will take you through all the pitfalls and adventures I…
Aug 7, 2021

Bug Bounty Stories #2: Tale of an XSS issue
XSS due to an unintended code pattern where my payload escaped the JSON and found its way into the DOM!
Aug 6, 2021

The curious case of domain: Quirky XSS demystified
I think I found the answer to the domain working in some event handlers! Thanks to terjanq & @SecurityMB for helping me figure this out :)
Aug 5, 2021

The curious case of domain: Quirky XSS
I was trying out some XSS payloads and found a quirk that might help in shortening payloads. Read on to see my research process :)
Aug 4, 2021

Demystifying an XSS Payload: Part 3 — BruteLogic special
Let’s demystify an amazing XSS payload shared by XSS expert BruteLogic! See my methodology of breaking down XSS payloads for FUN &…
Aug 3, 2021

XSS is Dead. We just don’t get it.
XSS has been dead for so long now but we still don’t get it! We have all the tools and knowledge but still keep popping alerts for money! Why…
Aug 2, 2021

Demystifying an XSS payload: Part 2
Yet another XSS payload reversing writeup. Hang on to learn more about event capturing & bubbling and the tabindex attribute!
Aug 1, 2021

Powering the Lamest: Self-XSS FTW!
Let’s see how you can leverage self-XSS! We will see how to leverage reflected and stored self-XSS and I will leave some ideas in your…
Jul 31, 2021

Bug Bounty Stories #1: Tale of CSP bypass in an electron app!
Talking of a bug I found a long time back which led to the bypassing of CSP in an Electron app :)
Jul 30, 2021

Demystifying an XSS payload!
Just found a weird and cool trick by Gareth Heyes, so I thought I would reverse engineer it and find out the root cause :)
Jul 29, 2021