Pentesting stories, techniques, and lessons learned along the way.
Axios had 83 million weekly downloads when it was compromised. Here is exactly what happened, why AI coding tools made it worse, and how to check if your machine was hit.
Tokens in query strings leak through the Referer header, third-party scripts, server logs, browser history, and more. How the Referrer-Policy actually works, what tawk.to sees, and what to do instead.
AI didn't replace my thinking. It replaced the friction between me and the knowledge I needed. From magic tricks to penetration testing, the formula for learning has always been the same.
PHP's == operator silently converts types before comparing. How attackers exploit this to bypass login pages, forge MACs, and chain into remote code execution.
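An added example, written in Python rather than PHP so it runs stand-alone, modelling the one rule of PHP's == that the classic "magic hash" login bypass relies on: two strings that both look numeric are compared as numbers. The stored credential (the MD5 of "QNKCDZO") and the candidate passwords are assumed for illustration; this is not code from the post.

```python
import hashlib
import hmac
import re

# PHP treats a string as "numeric" when it looks like a decimal literal, optionally with
# an exponent. Two numeric strings compared with == are compared as numbers, not bytes.
# Assumption: whitespace and hex forms are left out of this simplified model.
PHP_NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def is_php_numeric_string(s: str) -> bool:
    return PHP_NUMERIC.match(s) is not None


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP's `$a == $b` for two strings: numeric strings compare as numbers."""
    if is_php_numeric_string(a) and is_php_numeric_string(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Assumed stored credential: md5("QNKCDZO") is 0e830400451993494058024219903391, a hex
# digest of the form 0e<digits>, which PHP parses as the float 0.0.
STORED_HASH = md5_hex("QNKCDZO")


def login_loose(password: str) -> bool:
    """Vulnerable check, i.e. `if (md5($password) == $stored_hash)` in PHP."""
    return php_loose_equals(md5_hex(password), STORED_HASH)


def login_strict(password: str) -> bool:
    """Hardened check with === / hash_equals() semantics: constant-time, byte for byte."""
    return hmac.compare_digest(md5_hex(password), STORED_HASH)


if __name__ == "__main__":
    # "240610708" hashes to 0e462097431906509019562988736854, another 0e<digits> string,
    # so the loose comparison sees 0.0 == 0.0 and accepts a password that is wrong.
    for pw in ("QNKCDZO", "240610708", "password"):
        print(f"{pw:>10}: loose={login_loose(pw)} strict={login_strict(pw)}")
```

The same rule is why `"1e3" == "1000"` is true in PHP; any comparison of attacker-controlled strings against a secret should use === or hash_equals(), never ==.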
They're not the same service. Why pentests cost what they cost, what you're risking when you give someone access to your systems, and why cutting corners is the most expensive decision.
What to look for in a pentester, which certifications actually matter, what a quality report includes, and how to avoid paying for an empty deliverable.
You deleted it. You moved on. But the Wayback Machine didn't. Learn how archived URLs and cached pages become real attack vectors.
A detailed review of the CWEE exam: study tips, the 10-day exam experience, mindset advice, and why debugging is your best friend.
How a trailing tab character can bypass Nginx regex ACLs when Python's .strip() normalizes the URL after the security check has already passed.
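An added example, not taken from the post, that models the edge-versus-backend mismatch end to end in Python. The Nginx ACL `location ~ ^/admin/?$ { deny all; }` is an assumption chosen to reproduce the pattern; Nginx percent-decodes the URI before matching location regexes, so a request for `/admin%09` reaches that check as `/admin\t`. The example goes slightly beyond the tab case: it also shows that stripping extra slashes after the ACL is the same bug class, and that the fix is to refuse any path the edge could have seen differently rather than to normalize it.

```python
import re

# Assumed Nginx ACL (not the post's config): `location ~ ^/admin/?$ { deny all; }`,
# applied to the percent-decoded request path, exactly as Nginx would.
ADMIN_DENY = re.compile(r"^/admin/?$")


def nginx_allows(raw_path: str) -> bool:
    """Edge check: deny only when the decoded path matches the ACL regex verbatim."""
    return ADMIN_DENY.match(raw_path) is None


def route_vulnerable(raw_path: str) -> str:
    """Backend that normalizes after the ACL has already run.

    .strip() removes the trailing tab and .rstrip('/') collapses extra slashes, so paths
    the regex did not match ("/admin\\t", "/admin//") become "/admin" here.
    """
    path = raw_path.strip().rstrip("/") or "/"
    if path == "/admin":
        return "admin panel"
    return "public page"


def route_hardened(raw_path: str) -> str:
    """Backend that performs no normalization the edge did not perform.

    Whitespace and control characters are rejected outright (400), and the admin route
    is matched only in the exact forms the ACL covers, so "/admin//" stays public.
    """
    if any(c.isspace() or ord(c) < 0x21 or ord(c) == 0x7F for c in raw_path):
        return "400 Bad Request"
    if raw_path in ("/admin", "/admin/"):
        return "admin panel"
    return "public page"


def request(raw_path: str, backend=route_vulnerable) -> str:
    """One request: the edge ACL first, then whichever backend is under test."""
    if not nginx_allows(raw_path):
        return "403 Forbidden (nginx)"
    return backend(raw_path)


if __name__ == "__main__":
    # Constructed sample paths, already percent-decoded as Nginx would hand them over.
    for p in ("/admin", "/admin\t", "/admin/\t", "/admin//", "/index"):
        print(f"{p!r:12} vulnerable={request(p)!r:24} hardened={request(p, route_hardened)!r}")
```

The check a practitioner wants after reading this: every normalization the backend applies (strip, case folding, slash collapsing, percent-decoding) either happens before the ACL sees the path or is forbidden, and a test suite should send `%09`, `%20`, `//` and `%2e%2e` variants of every protected route through the real edge.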
A critical vulnerability found in seconds using OSINT and Google dorking. An exposed API key with no usage limits that could have caused massive financial damage.