cve
One zero-byte QUIC packet is enough to desynchronize HAProxy's backend connection pool and smuggle HTTP requests across unrelated users — even user...
cve
Deep dive into a TOCTOU vulnerability in Node.js's ClientRequest.path that bypasses CRLF validation and enables Header Injection and HTTP Request S...
bugbounty
How a single-use OTP flow token not bound to the correct subject enabled a zero‑click account takeover.
cve
A chain of issues in listmonk allows a Cross‑Site Request Forgery (CSRF) to trigger arbitrary JavaScript execution (XSS) in the admin’s browser, cu...
bugbounty
From the classic “quote break” in a to a login takeover: step by step, I show how a “low-impact” RXSS becomes a real credential stealer.
cve
In this post, I break down three real-world vulnerabilities found in WordPress plugins — from unsafe deserialization to arbitrary file upload — and...
ctf
Writeups of some challenges from UTCTF 2024
cve
In this post I detail two critical security flaws I discovered last year in the Znuny / OTRS ticketing system: a path-traversal file-upload bug th...
ctf
Writeups of some XSS challenges from CodeInTheDark CTF