February 9, 2026 Building a Headless Browser Exploit with Claude Opus 4.6 How Claude Opus 4.6 discovered and exploited a heap buffer overflow in PhantomJS, from source code analysis to a working proof-of-concept.

February 1, 2026 Hunting for Deserialization Gadgets in the Rails Ecosystem Walking through the process of finding a new deserialization gadget chain in the Ruby on Rails ecosystem, from trigger to sink.

January 27, 2026 Unsafe Reflection Vulnerabilities How unsafe reflection turns user input into arbitrary class instantiation, from the mechanics of CWE-470 to exploitation and prevention across Java and Ruby.

December 17, 2025 DNS Rebinding Attacks Against SSRF Protections How DNS rebinding bypasses common SSRF protections by exploiting the gap between DNS resolution and connection time, with practical attack techniques and defenses.

December 4, 2025 OSWE: 5 Years Later A retrospective on the Offensive Security Web Expert certification five years later, and how its open-box methodology shaped my approach to application security.

June 11, 2022 Sandboxing Code Execution Practical approaches to sandboxing untrusted code execution, balancing security controls with engineering pragmatism in production environments.

March 5, 2022 Building Custom Detection Signatures (SAST) Writing custom Semgrep rules to detect application-specific vulnerabilities that generic SAST tools miss, with real-world examples and pattern design.

February 18, 2022 Java Deserialization Vulnerabilities Understanding Java deserialization from serialization internals to exploitation, with a walkthrough of using ysoserial gadget chains to achieve RCE on Apache OpenMeetings.

January 19, 2022 Automating DAST Scanning with OWASP ZAP Setting up authenticated OWASP ZAP scans in Docker with session handling and Slack reporting.

December 2, 2021 SSTI In Python Frameworks Exploiting Server-Side Template Injection in Jinja2 and Django, from MRO traversal to remote code execution, with detection and prevention strategies.

November 5, 2021 Discovering a Blind SQL Injection: Whitebox Approach Finding and exploiting CVE-2021-43481, a time-based blind SQL injection in webTareas, discovered through whitebox source code review with a full exploitation walkthrough.