Writeup Gallery

Mass-assignment weaknesses show up frequently in modern APIs, especially in signup endpoints that accept JSON. When the backend automatically maps request fields to internal models without filtering them, attackers can slip in additional parameters and gain privileges they shouldn't have. This guide walks through the most effective JSON payload variations you can use to test registration flows and uncover silent logic flaws.

Modern applications rely heavily on sessions, tokens and identity checks. When these controls aren't implemented correctly, attackers can bypass restrictions or take over accounts with little effort. In this guide, I'll walk you through a checklist of all session-related issues, how to test for them and what their impact can look like. It's a straightforward way to confirm whether an application's session handling is actually secure.

SQL Injection remains one of the most critical web vulnerabilities, allowing attackers to manipulate backend databases through unsanitized inputs. Effective reconnaissance is key to identifying potential SQLi points before exploitation. This article walks you through a practical, step-by-step SQLi reconnaissance methodology using popular tools and payloads.

In today's rapidly evolving cybersecurity world Web Application Firewalls (WAFs) play a critical role in protecting websites from malicious inputs like SQL injections. But attackers and ethical hackers alike are always exploring new techniques to test and bypass such defenses. This comprehensive guide covers advanced WAF evasion techniques.

Most beginners think the file upload feature is "just for images…." In reality, it's one of the most dangerous places in a web app. If the server doesn't handle uploads correctly, a simple "Change Profile Picture" can turn into remote code execution (RCE): you upload code, the server runs it. Learn exploitation techniques and mitigation strategies.

Race Conditions are some of the coolest bugs you can find in a Web Application. It occurs when the time of checking a constraint and the time of executing an action form a window large enough for an attacker to exploit. This guide covers detection, exploitation, and real-world examples of race condition vulnerabilities.