Research
Bug Class Deep Dives
-
Bug Class Deep Dives
SSRF past the easy filters: URL-parser confusion and the metadata endpoint
The allowlist and the HTTP client parse your URL differently — that gap is where modern SSRF lives. Here's the exact parser-confusion payloads, the IMDSv2 token dance from inside a container, the gopher-to-Redis RCE chain, and why you confirm it out-of-band, not in the response body.
-
Bug Class Deep Dives
Winning web race conditions with the single-packet attack
The exploit window for a race condition is often sub-millisecond, but network jitter between your requests is 1-10ms — so they get serialized and the bug looks dead. The single-packet attack collapses that jitter to zero. Here's the mechanism, the math, and where it pays.
-
Bug Class Deep Dives
IDOR lives in the second identifier: finding BOLA with two-account Shadow Replay
Everyone fuzzes the ID in the URL path; the ID in the path is usually the one the app actually checks. The access-control bug is hiding in the account_id in the body, the node(id:) resolver, the async PDF job, and the PUT you never sent. Here's where BOLA really lives and how to diff it in two accounts.