2026
February 1, 2026
Hunting for Deserialization Gadgets in the Rails Ecosystem
Walking through the process of identifying a deserialization gadget chain commonly available in Ruby on Rails applications.
January 27, 2026
Unsafe Reflection Vulnerabilities
How unsafe reflection turns user input into arbitrary class instantiation, from the mechanics of CWE-470 to exploitation and prevention across Java and Ruby.
2025
December 17, 2025
DNS Rebinding Attacks Against SSRF Protections
How DNS rebinding bypasses common SSRF protections by exploiting the gap between DNS resolution and connection time, with practical attack techniques and defenses.
December 4, 2025
OSWE: 5 Years Later
A retrospective on the Offensive Security Web Expert certification five years later, and how its open-box methodology shaped my approach to application security.
2022
March 5, 2022
Building Custom Detection Signatures (SAST)
Writing custom Semgrep rules to detect application-specific vulnerabilities that generic SAST tools miss, with real-world examples and pattern design.
February 18, 2022
Java Deserialization Vulnerabilities
Understanding Java deserialization from serialization internals to exploitation, with a walkthrough of using ysoserial gadget chains to achieve RCE on Apache OpenMeetings.
January 19, 2022
Automating DAST Scanning with OWASP ZAP
Setting up authenticated OWASP ZAP scans in Docker with session handling and Slack reporting.
2021
December 2, 2021
SSTI In Python Frameworks
Exploiting Server-Side Template Injection in Jinja2 and Django, from MRO traversal to remote code execution, with detection and prevention strategies.
November 5, 2021
Discovering a Blind SQL Injection: Whitebox Approach
Finding and exploiting CVE-2021-43481, a time-based blind SQL injection in webTareas, discovered through source code review.