Research
Methodology
-
Agentic Security
Line jumping: how a poisoned MCP tool hijacks a model that was never called
An MCP tool's description is loaded into the model's context at tools/list time — before the tool is ever invoked. That one protocol detail turns a description field into a prompt-injection payload that fires even if the user never touches the tool. Here's the mechanism, the attack classes, and the audit that catches them.
-
Recon Notes
Parameter mining: brute-forcing 65,000 inputs in 40 requests
You can't send 65,000 candidate parameter names one per request — the target would rate-limit you into next week. Binary-search bucketing packs 128 names into one request and splits only the buckets that move the response. Here's the mechanism, the who-wins HPP table, and the mass-assignment payloads that turn a hidden field into admin.
-
Bug Class Deep Dives
SSRF past the easy filters: URL-parser confusion and the metadata endpoint
The allowlist and the HTTP client parse your URL differently — that gap is where modern SSRF lives. Here's the exact parser-confusion payloads, the IMDSv2 token dance from inside a container, the gopher-to-Redis RCE chain, and why you confirm it out-of-band, not in the response body.
-
Mobile Lab
Tearing the APK apart: the static pass that finds a critical before you set a proxy
The APK on your disk is your target's source code, config, and secrets in one zip. One curl against a Firebase URL you grep out of strings.xml can be a world-readable database — the whole report, before you intercept a single request. Here's the static pass that finds it.
-
Bug Class Deep Dives
Winning web race conditions with the single-packet attack
The exploit window for a race condition is often sub-millisecond, but network jitter between your requests is 1-10ms — so they get serialized and the bug looks dead. The single-packet attack collapses that jitter to zero. Here's the mechanism, the math, and where it pays.
-
Bug Class Deep Dives
IDOR lives in the second identifier: finding BOLA with two-account Shadow Replay
Everyone fuzzes the ID in the URL path; the ID in the path is usually the one the app actually checks. The access-control bug is hiding in the account_id in the body, the node(id:) resolver, the async PDF job, and the PUT you never sent. Here's where BOLA really lives and how to diff it in two accounts.
-
Agentic Security
Indirect prompt injection is SSRF for the agent era
SSRF is a server fetching an attacker's URL and trusting the response. Indirect prompt injection is an agent reading attacker content and trusting it as instructions. Same missing boundary between data and control — here are the exact gadgets, the encodings that beat filters, and why 'ignore previous instructions' stopped working years ago.
-
Mobile Lab
The Android 14 CA move that broke every '/system/etc' pinning tutorial
Since Android 14 the system CA trust store lives in an updatable APEX module, so remounting /system/etc/security/cacerts silently does nothing. That's why the classic 'copy your cert to /system' tutorials fail on new devices — plus the Flutter wall, native double-pinning, and the proxy-ignore detection trap.
-
Recon Notes
The richest recon target is a file you already downloaded
Passive recon isn't running quieter scans — it's re-reading the traffic you already captured. The JS bundle you loaded ships a source map that rebuilds the original codebase, a chunk manifest listing every hidden admin route, and a bootstrap state object with the current user's role. No new requests, nothing to detect.