Behrad Taher
Behrad Taher

Security Engineer
Just writing things down so I don't forget them

Latest writing

February 9, 2026 Building a Headless Browser Exploit with Claude Opus 4.6 How Claude Opus 4.6 discovered and exploited a use-after-free vulnerability in PhantomJS, from source code analysis to a working proof-of-concept.
January 4, 2026 Hunting for Deserialization Gadgets in the Rails Ecosystem Walking through the process of finding a new deserialization gadget chain in the Ruby on Rails ecosystem, from trigger to sink.
December 17, 2025 DNS Rebinding Attacks Against SSRF Protections How DNS rebinding bypasses common SSRF protections by exploiting the gap between DNS resolution and connection time, with practical attack techniques and defenses.
December 4, 2025 OSWE: 5 Years Later A retrospective on the Offensive Security Web Expert certification five years later, and how its whitebox methodology shaped my approach to application security.
June 11, 2022 Sandboxing Code Execution Practical approaches to sandboxing untrusted code execution, balancing security controls with engineering pragmatism in production environments.
March 5, 2022 Building Custom Detection Signatures (SAST) Writing custom Semgrep rules to detect application-specific vulnerabilities that generic SAST tools miss, with real-world examples and pattern design.
February 18, 2022 Java Deserialization Vulnerabilities Understanding Java deserialization from serialization internals to exploitation, with a walkthrough of using ysoserial gadget chains to achieve RCE on Apache OpenMeetings.
January 19, 2022 Automating DAST Scanning with OWASP ZAP Setting up authenticated OWASP ZAP scans in Docker with CI/CD integration, session handling, and Slack reporting for automated security testing.
December 2, 2021 SSTI In Python Frameworks Exploiting Server-Side Template Injection in Jinja2 and Django, from MRO traversal to remote code execution, with detection and prevention strategies.
November 5, 2021 Discovering a Blind SQL Injection: Whitebox Approach Finding and exploiting CVE-2021-43481, a time-based blind SQL injection in webTareas, discovered through whitebox source code review with a full exploitation walkthrough.