Notes from offensive security.
Writeups of disclosed bugs, reverse engineering notes, and the occasional experiment in automated recon. By Nick Mykhailyshyn.
# Latest posts
Security
$15k - CSPT to full account takeover, then 2FA bypass via the prototype chain
A client-side path traversal in the front-end's URL builder turned into arbitrary PUT/DELETE on the API, then chained with an inherited-property lookup bug to bypass 2FA.
Security
SSRF in Ghost CMS via oEmbed (CVE-2020-8134)
How Ghost's embed-anything input let an authenticated publisher pivot the server into cloud metadata endpoints - and what the fix actually changed.