Zero‑Click ATO via Unbound Password‑Reset Token in one of the world's largest gambling platforms
How a single-use OTP flow token not bound to the correct subject enabled a zero‑click account takeover.
A chain of issues in listmonk allows a Cross‑Site Request Forgery (CSRF) to trigger arbitrary JavaScript execution (XSS) in the admin’s browser, cu...
From the classic “quote break” in a to a login takeover: step by step, I show how a “low-impact” RXSS becomes a real credential stealer.
In this post, I break down three real-world vulnerabilities found in WordPress plugins — from unsafe deserialization to arbitrary file upload — and...
Writeups of some challenges from UTCTF 2024
In this post I detail two critical security flaws I discovered last year in the Znuny / OTRS ticketing system: a path-traversal file-upload bug th...
Writeups of some XSS challenges from CodeInTheDark CTF