Posts

How I Found an Account Takeover Bug in the Forgot Password Flow

23 September 2025·801 words·4 mins

How I Found a $3000 IDOR Vulnerability in a Delivery App

13 September 2025·1045 words·5 mins

Bypassing Rate Limit in GraphQL

5 December 2024·1526 words·8 mins

Exploiting DOM for Open Redirect Attacks

22 November 2024·1735 words·9 mins

Exploiting insecure output handling in LLMs

21 July 2024·457 words·3 mins

Indirect prompt injection

14 July 2024·740 words·4 mins

Exploiting vulnerabilities in LLM APIs

29 June 2024·838 words·4 mins

Exploiting LLM APIs with excessive agency

22 June 2024·540 words·3 mins

What is LLM APIs and how they work?

18 June 2024·1031 words·5 mins

HTTP Parameter Pollution vs Mass Assignment

4 June 2024·1176 words·6 mins