2026
February 9, 2026
Building a Headless Browser Exploit with Claude Opus 4.6
How Claude Opus 4.6 discovered and exploited a heap buffer overflow in PhantomJS, from source code analysis to a working proof-of-concept.
February 1, 2026
Hunting for Deserialization Gadgets in the Rails Ecosystem
Walking through the process of finding a new deserialization gadget chain in the Ruby on Rails ecosystem, from trigger to sink.
January 27, 2026
Unsafe Reflection Vulnerabilities
How unsafe reflection turns user input into arbitrary class instantiation, from the mechanics of CWE-470 to exploitation and prevention across Java and Ruby.
2025
December 17, 2025
DNS Rebinding Attacks Against SSRF Protections
How DNS rebinding bypasses common SSRF protections by exploiting the gap between DNS resolution and connection time, with practical attack techniques and defenses.
December 4, 2025
OSWE: 5 Years Later
A retrospective on the Offensive Security Web Expert certification five years later, and how its whitebox methodology shaped my approach to application security.
2022
June 11, 2022
Sandboxing Code Execution
Practical approaches to sandboxing untrusted code execution, balancing security controls with engineering pragmatism in production environments.
March 5, 2022
Building Custom Detection Signatures (SAST)
Writing custom Semgrep rules to detect application-specific vulnerabilities that generic SAST tools miss, with real-world examples and pattern design.
February 18, 2022
Java Deserialization Vulnerabilities
Understanding Java deserialization from serialization internals to exploitation, with a walkthrough of using ysoserial gadget chains to achieve RCE on Apache OpenMeetings.
January 19, 2022
Automating DAST Scanning with OWASP ZAP
Setting up authenticated OWASP ZAP scans in Docker with CI/CD integration, session handling, and Slack reporting for automated security testing.
