"Even a small key can open a big lock" Azerbaijani Proverb ---[ Index 1 - Introduction 2 - Tradition 2.1 - ReDoS, not the OS 2.2 - REGEXP, RLIKE and others 3 - How insecure, secure implementations are? 4 - Study Case: myBB 4.1 - Identification 4.2 - Perfect…

In one of our recent posts, Dennis shared an interesting case study of C# exploitation that rode on Random-based password-reset tokens. He demonstrated how to use the single-packet attack, or a bit of old-school math, to beat the game. Recently, I performed…

This post analyzes Furbo’s BLE communication, uncovering flaws that expose Wi-Fi credentials, allow device resets, and reveal hidden GATT data.

We’re back, just over 24 hours later, to share our evolving understanding of CVE-2025-10035.

Thanks to everyone who reached out after Part 1, and especially to the individual who shared credible intel that informed this update.

In Part 1 we laid out an…

Recent NPM breaches show how fast supply chain attacks spread. Learn how to lock dependencies and harden workflows to before attackers reach your projects.

The Ultimate guide to Breaking JWT, JWT are primarily used for authentication & authorization almost everywhere in modern web. JWTs can possess security vulnerabilities if configured and implemented improperly, potentially causing havoc. Thus, understanding…

Download phishing domain data targeting Canadian sectors. Updated twice daily. Available in TXT, CSV, and JSON.

TLDR I was unable to find some good writeups/blogposts on Windows user mode heap exploitation which inspired me to write an introductory but practical post on Windows heap internals and exploitati

Discover, monitor, and secure your attack surface. FullHunt delivers the best platform in the market for attack surface security.

Do you think the battle with ULVs is over? Think again.

In late August 2025, Cleafy's Threat Intelligence team discovered Klopatra, a new, highly sophisticated Android malware currently targeting banking users primarily in Spain and Italy. The number of compromised devices has already exceeded 1,000. Read the…

NVISO has identified zero-day exploitation of CVE-2025-41244, a local privilege escalation vulnerability impacting VMware's guest service discovery features.

Join the world's top researchers in a competition to find zero-day vulnerabilities in core open-source software powering the cloud. Over $5M prize pool!

Personal projects, research, and other things I find worth sharing

We reverse the Android app, hook TUTK Kalay P2P with Frida, capture commands, find token remnants in memory, trigger SSRF to custom.wav, and show a treat-toss DoS.

IPv4/IPv6 Packet Fragmentation: Implementation Details Introduction In release v2.0, we’ve shipped PacketSmith with support for IPv4/IPv6 fragmentation detection and reassembly. Additionally, we’ve detailed some of the implementation details in the public…