The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting
Deep dive into a TOCTOU vulnerability in Node.js's ClientRequest.path that bypasses CRLF validation and enables Header Injection and HTTP Request S...
Zero‑Click ATO via Unbound Password‑Reset Token in one of the world's largest gambling platforms
How a single-use OTP flow token not bound to the correct subject enabled a zero‑click account takeover.
CSRF → XSS → Admin Takeover in listmonk (CVE-2025-58430)
A chain of issues in listmonk allows a Cross‑Site Request Forgery (CSRF) to trigger arbitrary JavaScript execution (XSS) in the admin’s browser, cu...
From "Low-Impact" RXSS to Credential Stealer: A JS-in-JS Walkthrough
From the classic “quote break” in a to a login takeover: step by step, I show how a “low-impact” RXSS becomes a real credential stealer.
3 Ways In: Exploiting WordPress Plugins via File Upload and Deserialization
In this post, I break down three real-world vulnerabilities found in WordPress plugins — from unsafe deserialization to arbitrary file upload — and...
UTCTF 2024 Writeups
Writeups of some challenges from UTCTF 2024
Znuny OTRS CVEs : CVE-2024-32491, CVE-2024-32492, CVE-2024-32493
In this post I detail two critical security flaws I discovered last year in the Znuny / OTRS ticket-ing system: a path-traversal file-upload bug th...
CodeInTheDarkCTF 2023 writeups
Writeups of some XSS challenges from CodeInTheDark CTF