Aug 1, 2021
The good, the bad and the technical debt
It's just my random thought! Sometimes, the engineer in a startup has to choose between an ugly (but "fast") and a state-of-the-art architecture to build a technical thing. With the state-of-the-art one, it might take more time to finish, but there is a high chance that the resulting product would be secured…
System Design | 1 min read
Sep 15, 2019
Client, not client!
This blog describes one of my findings on a private program. The attack vector is simple, short and elegant (at least for me). Simplicity is the ultimate sophistication. One day, HackerOne asked me to join a private program. OK. I decided to have a look. After creating the test account…
Sql | 2 min read
Jul 6, 2018
How I found my very first CVE
I am here today to share a finding in the Node.js third-party modules program on HackerOne, which brought me my very first CVE (CVE-2018-3809). It wasn't my first submission to that program anyway. I had submitted several issues before, and have a general understanding of which modules are in scope. That day…
Nodejs | 2 min read
Dec 22, 2017
Analysis of a malware spreading via Facebook Messenger
Recently, there has been a propagation of a miner malware in our community via Facebook Messenger. Luckily, I found a sample on VirusTotal. Then, I decided to dig deeper into it. As I am not familiar with malware reverse-engineering, this is the first time I have written this kind of analysis…
Malware | 4 min read
Nov 8, 2017
From SSRF to Local File Disclosure
This blog is written about a bug (I believe) that I found last weekend. It was located on a website from a private program X on HackerOne. That website has an API that allows users to input their URL and email. In the backend, there is a simulated browser, which tries…
Security | 2 min read
Oct 21, 2017
How I built a lightweight MITM-based web-app fuzzer
For the past year, I've spent most of my working time doing blackbox pen-tests of websites, and since I felt too lazy to have a look at every request in the Burp Target (I am a big fan of Burp Suite), I started to build a MITM-based web-app fuzzer that…
Web Security | 3 min read