# The blog
All posts
Everything I’ve written, sorted newest first.
$15k - CSPT to full account takeover, then 2FA bypass via the prototype chain
A client-side path traversal in the front-end's URL builder turned into arbitrary PUT/DELETE requests on the API, then chained with an inherited-property lookup bug to bypass 2FA.
SSRF in Ghost CMS via oEmbed (CVE-2020-8134)
How Ghost's embed-anything input let an authenticated publisher pivot the server into cloud metadata endpoints - and what the fix actually changed.