Posts are grouped by category (broad subject area) and indexed by tag (specific tool, technique, or artifact). Both link back to the same posts; pick whichever entry point is more useful.

By category

adversarial-ml

• Adversarial ML Attack Patterns Mapped to MITRE ATLAS — A Defender's Reference

ai-security

• Four Ways LLM Apps Turn Data into Actions — Lessons from PortSwigger Web LLM Labs

• When the Scanner Is the Vulnerability — Indirect Prompt Injection Against AI Security Agents

binary-exploitation

• A Return Address Is a Partially-Known Pointer - 30 pwn.college ROP Challenges, One Idea

detection-engineering

• API Testing Is Contract Drift Hunting

• NoSQL Injection Is Query Shape Injection

• Race Conditions Are State Transition Bugs

• GraphQL Security Is Schema and Transport Control

• Prototype Pollution Is Property Lookup Abuse

• Targeted Scanning Is a Manual Testing Tool

• JWT Security Is Verification Policy

• File Upload Is a Four-Stage Boundary

• OAuth Security Is Binding

• Host Is Routing Metadata

• Business Logic Bugs Are Broken Invariants

• Information Leaks Are Missing Exploit Parameters

• Deserialization Restores Code Paths

• A Return Address Is a Partially-Known Pointer - 30 pwn.college ROP Challenges, One Idea

• Web Cache Poisoning Is a Key Boundary Bug

• WebSocket Security Starts at the Handshake

• Authentication Bugs Are State Machine Bugs

• Authorization Is Not a Route Name

• Path Traversal Is a Canonicalization Bug

• SSTI Is Context First

• Blind Command Injection Is a Channel Problem

• Request Smuggling Is a Parser Disagreement Bug

• CORS Is Not Authorization - A Three-Lab Map

• DOM Bugs Live in the Browser Runtime - A Seven-Lab Map

• CSRF Is a State-Transition Bug - A Twelve-Lab Map

• XSS Is a Parser Boundary Problem - A Thirty-Lab Map

• SSRF Is a Network Position Bug - A Seven-Lab Map

• Entity Resolution Is a File and Network Boundary - An XXE Map

• CSRF Tokens Do Not Prove User Intent - A Clickjacking Methodology

• Five Ways a Cache and an Origin Disagree — A Web Cache Deception Map

• 18 SQL Injection Labs Later — A Practical Map from Tautologies to OOB Exfiltration

• 23 vulhub CVE Labs Later — Three Things I Would Redo From the Start

• Testing the Four-Axis Detection Rubric Against CVE-2024-4956

• Three 2024 N-days, Three Signal Qualities — Why Jenkins is Easier to Detect Than GeoServer

• Anatomy of CVE-2024-36401 — Why the GeoServer JXPath Bug Needs a Three-Stage Detection

• How I Pick CVEs to Reproduce — Detection Engineering as Triage

• Adversarial ML Attack Patterns Mapped to MITRE ATLAS — A Defender's Reference

• From CTF Heap Pwn to Falco Rules — Reading Memory Corruption as a Defender

• From CVE Advisory to Sigma Rule in 30 Minutes — A Repeatable Workflow

llm-attacks

• Four Ways LLM Apps Turn Data into Actions — Lessons from PortSwigger Web LLM Labs

• When the Scanner Is the Vulnerability — Indirect Prompt Injection Against AI Security Agents

methodology

• Modern Mitigation Bypass Is Leak Chaining

• Constrained Shellcode Is Interface Design

• Reverse Engineering Is Model Recovery

• API Testing Is Contract Drift Hunting

• NoSQL Injection Is Query Shape Injection

• Race Conditions Are State Transition Bugs

• GraphQL Security Is Schema and Transport Control

• Prototype Pollution Is Property Lookup Abuse

• Targeted Scanning Is a Manual Testing Tool

• JWT Security Is Verification Policy

• File Upload Is a Four-Stage Boundary

• OAuth Security Is Binding

• Host Is Routing Metadata

• Business Logic Bugs Are Broken Invariants

• Information Leaks Are Missing Exploit Parameters

• Deserialization Restores Code Paths

• A Return Address Is a Partially-Known Pointer - 30 pwn.college ROP Challenges, One Idea

• Web Cache Poisoning Is a Key Boundary Bug

• WebSocket Security Starts at the Handshake

• Authentication Bugs Are State Machine Bugs

• Authorization Is Not a Route Name

• Path Traversal Is a Canonicalization Bug

• SSTI Is Context First

• Blind Command Injection Is a Channel Problem

• Request Smuggling Is a Parser Disagreement Bug

• CORS Is Not Authorization - A Three-Lab Map

• DOM Bugs Live in the Browser Runtime - A Seven-Lab Map

• CSRF Is a State-Transition Bug - A Twelve-Lab Map

• XSS Is a Parser Boundary Problem - A Thirty-Lab Map

• SSRF Is a Network Position Bug - A Seven-Lab Map

• Entity Resolution Is a File and Network Boundary - An XXE Map

• CSRF Tokens Do Not Prove User Intent - A Clickjacking Methodology

• Five Ways a Cache and an Origin Disagree — A Web Cache Deception Map

• 18 SQL Injection Labs Later — A Practical Map from Tautologies to OOB Exfiltration

• Four Ways LLM Apps Turn Data into Actions — Lessons from PortSwigger Web LLM Labs

• When the Scanner Is the Vulnerability — Indirect Prompt Injection Against AI Security Agents

• 23 vulhub CVE Labs Later — Three Things I Would Redo From the Start

• Testing the Four-Axis Detection Rubric Against CVE-2024-4956

• Three 2024 N-days, Three Signal Qualities — Why Jenkins is Easier to Detect Than GeoServer

• Anatomy of CVE-2024-36401 — Why the GeoServer JXPath Bug Needs a Three-Stage Detection

• How I Pick CVEs to Reproduce — Detection Engineering as Triage

• Adversarial ML Attack Patterns Mapped to MITRE ATLAS — A Defender's Reference

• From CTF Heap Pwn to Falco Rules — Reading Memory Corruption as a Defender

• From CVE Advisory to Sigma Rule in 30 Minutes — A Repeatable Workflow

pwn

• Modern Mitigation Bypass Is Leak Chaining

• Constrained Shellcode Is Interface Design

retrospective

• 23 vulhub CVE Labs Later — Three Things I Would Redo From the Start

reverse-engineering

• Reverse Engineering Is Model Recovery

web-security

• API Testing Is Contract Drift Hunting

• NoSQL Injection Is Query Shape Injection

• Race Conditions Are State Transition Bugs

• GraphQL Security Is Schema and Transport Control

• Prototype Pollution Is Property Lookup Abuse

• Targeted Scanning Is a Manual Testing Tool

• JWT Security Is Verification Policy

• File Upload Is a Four-Stage Boundary

• OAuth Security Is Binding

• Host Is Routing Metadata

• Business Logic Bugs Are Broken Invariants

• Information Leaks Are Missing Exploit Parameters

• Deserialization Restores Code Paths

• Web Cache Poisoning Is a Key Boundary Bug

• WebSocket Security Starts at the Handshake

• Authentication Bugs Are State Machine Bugs

• Authorization Is Not a Route Name

• Path Traversal Is a Canonicalization Bug

• SSTI Is Context First

• Blind Command Injection Is a Channel Problem

• Request Smuggling Is a Parser Disagreement Bug

• CORS Is Not Authorization - A Three-Lab Map

• DOM Bugs Live in the Browser Runtime - A Seven-Lab Map

• CSRF Is a State-Transition Bug - A Twelve-Lab Map

• XSS Is a Parser Boundary Problem - A Thirty-Lab Map

• SSRF Is a Network Position Bug - A Seven-Lab Map

• Entity Resolution Is a File and Network Boundary - An XXE Map

• CSRF Tokens Do Not Prove User Intent - A Clickjacking Methodology

• Five Ways a Cache and an Origin Disagree — A Web Cache Deception Map

• 18 SQL Injection Labs Later — A Practical Map from Tautologies to OOB Exfiltration

By tag

• access-control — Authorization Is Not a Route Name
• ai-agents — Four Ways LLM Apps Turn Data into Actions — Lessons from ...; When the Scanner Is the Vulnerability — Indirect Prompt I...
• algorithm-confusion — JWT Security Is Verification Policy
• angularjs — XSS Is a Parser Boundary Problem - A Thirty-Lab Map
• api-security — API Testing Is Contract Drift Hunting; GraphQL Security Is Schema and Transport Control
• aslr — Modern Mitigation Bypass Is Leak Chaining; Constrained Shellcode Is Interface Design; A Return Address Is a Partially-Known Pointer - 30 pwn.co...
• authentication — NoSQL Injection Is Query Shape Injection; Authentication Bugs Are State Machine Bugs
• authorization — Authorization Is Not a Route Name
• black-box-attack — Adversarial ML Attack Patterns Mapped to MITRE ATLAS — A ...
• blind-sqli — 18 SQL Injection Labs Later — A Practical Map from Tautol...
• browser-security — Request Smuggling Is a Parser Disagreement Bug; CORS Is Not Authorization - A Three-Lab Map; DOM Bugs Live in the Browser Runtime - A Seven-Lab Map; CSRF Is a State-Transition Bug - A Twelve-Lab Map; XSS Is a Parser Boundary Problem - A Thirty-Lab Map; CSRF Tokens Do Not Prove User Intent - A Clickjacking Met...
• burp-suite — Targeted Scanning Is a Manual Testing Tool
• business-logic — Race Conditions Are State Transition Bugs; Business Logic Bugs Are Broken Invariants
• cache-keys — Web Cache Poisoning Is a Key Boundary Bug
• cache-poisoning — Host Is Routing Metadata; Request Smuggling Is a Parser Disagreement Bug
• caching — Five Ways a Cache and an Origin Disagree — A Web Cache De...
• canary — Modern Mitigation Bypass Is Leak Chaining; Constrained Shellcode Is Interface Design
• canonicalization — Path Traversal Is a Canonicalization Bug
• clickjacking — CSRF Tokens Do Not Prove User Intent - A Clickjacking Met...
• cors — CORS Is Not Authorization - A Three-Lab Map
• csp — XSS Is a Parser Boundary Problem - A Thirty-Lab Map
• csrf — GraphQL Security Is Schema and Transport Control; CSRF Is a State-Transition Bug - A Twelve-Lab Map; CSRF Tokens Do Not Prove User Intent - A Clickjacking Met...; Five Ways a Cache and an Origin Disagree — A Web Cache De...
• cswsh — WebSocket Security Starts at the Handshake
• cve-2024-36401 — Anatomy of CVE-2024-36401 — Why the GeoServer JXPath Bug ...
• cve-2024-4956 — Testing the Four-Axis Detection Rubric Against CVE-2024-4956
• cve-triage — Three 2024 N-days, Three Signal Qualities — Why Jenkins i...; How I Pick CVEs to Reproduce — Detection Engineering as T...
• debug — Information Leaks Are Missing Exploit Parameters
• deserialization — Deserialization Restores Code Paths
• detection-engineering — Four Ways LLM Apps Turn Data into Actions — Lessons from ...; When the Scanner Is the Vulnerability — Indirect Prompt I...
• django — SSTI Is Context First
• dns — Blind Command Injection Is a Channel Problem
• dom-clobbering — DOM Bugs Live in the Browser Runtime - A Seven-Lab Map
• dom-xss — Prototype Pollution Is Property Lookup Abuse; DOM Bugs Live in the Browser Runtime - A Seven-Lab Map; XSS Is a Parser Boundary Problem - A Thirty-Lab Map
• ebpf — From CTF Heap Pwn to Falco Rules — Reading Memory Corrupt...
• egress — Blind Command Injection Is a Channel Problem
• falco — From CTF Heap Pwn to Falco Rules — Reading Memory Corrupt...
• file-formats — Reverse Engineering Is Model Recovery
• file-read — Path Traversal Is a Canonicalization Bug
• file-upload — File Upload Is a Four-Stage Boundary
• forking-server — A Return Address Is a Partially-Known Pointer - 30 pwn.co...
• gadget-chain — Deserialization Restores Code Paths
• gan — Adversarial ML Attack Patterns Mapped to MITRE ATLAS — A ...
• geoserver — Three 2024 N-days, Three Signal Qualities — Why Jenkins i...; Anatomy of CVE-2024-36401 — Why the GeoServer JXPath Bug ...
• git — Information Leaks Are Missing Exploit Parameters
• glibc — A Return Address Is a Partially-Known Pointer - 30 pwn.co...; From CTF Heap Pwn to Falco Rules — Reading Memory Corrupt...
• got-overwrite — Modern Mitigation Bypass Is Leak Chaining
• graphql — GraphQL Security Is Schema and Transport Control
• heap-exploitation — From CTF Heap Pwn to Falco Rules — Reading Memory Corrupt...
• host-header — Host Is Routing Metadata
• http-request-smuggling — Request Smuggling Is a Parser Disagreement Bug
• http2 — Request Smuggling Is a Parser Disagreement Bug
• idor — Authorization Is Not a Route Name
• indirect-prompt-injection — When the Scanner Is the Vulnerability — Indirect Prompt I...
• information-disclosure — Information Leaks Are Missing Exploit Parameters
• insecure-output-handling — Four Ways LLM Apps Turn Data into Actions — Lessons from ...
• internal-network — SSRF Is a Network Position Bug - A Seven-Lab Map
• jenkins — Three 2024 N-days, Three Signal Qualities — Why Jenkins i...
• jetty — Testing the Four-Axis Detection Rubric Against CVE-2024-4956
• jku — JWT Security Is Verification Policy
• jwk — JWT Security Is Verification Policy
• jwt — JWT Security Is Verification Policy
• jxpath — Anatomy of CVE-2024-36401 — Why the GeoServer JXPath Bug ...
• lab-design — 23 vulhub CVE Labs Later — Three Things I Would Redo From...
• lessons-learned — 23 vulhub CVE Labs Later — Three Things I Would Redo From...
• libc — Modern Mitigation Bypass Is Leak Chaining
• mass-assignment — API Testing Is Contract Drift Hunting
• memory-corruption — Constrained Shellcode Is Interface Design
• methodology — Targeted Scanning Is a Manual Testing Tool
• mfa — Authentication Bugs Are State Machine Bugs
• mitre-atlas — Adversarial ML Attack Patterns Mapped to MITRE ATLAS — A ...
• ml-security — Adversarial ML Attack Patterns Mapped to MITRE ATLAS — A ...
• mongodb — NoSQL Injection Is Query Shape Injection
• nexus — Testing the Four-Axis Detection Rubric Against CVE-2024-4956
• nodejs — Prototype Pollution Is Property Lookup Abuse
• normalization — Five Ways a Cache and an Origin Disagree — A Web Cache De...
• nosql-injection — NoSQL Injection Is Query Shape Injection
• oast — Blind Command Injection Is a Channel Problem; SSRF Is a Network Position Bug - A Seven-Lab Map
• oauth — OAuth Security Is Binding
• ogc-api — Anatomy of CVE-2024-36401 — Why the GeoServer JXPath Bug ...
• oidc — OAuth Security Is Binding
• one-gadget — A Return Address Is a Partially-Known Pointer - 30 pwn.co...
• oob — Entity Resolution Is a File and Network Boundary - An XXE...
• oob-exfiltration — 18 SQL Injection Labs Later — A Practical Map from Tautol...
• oracle — 18 SQL Injection Labs Later — A Practical Map from Tautol...
• origin — CORS Is Not Authorization - A Three-Lab Map
• os-command-injection — Blind Command Injection Is a Channel Problem
• owasp-llm — Four Ways LLM Apps Turn Data into Actions — Lessons from ...; When the Scanner Is the Vulnerability — Indirect Prompt I...
• parameter-pollution — API Testing Is Contract Drift Hunting
• parser-discrepancy — Business Logic Bugs Are Broken Invariants
• partial-overwrite — A Return Address Is a Partially-Known Pointer - 30 pwn.co...
• password-reset — Authentication Bugs Are State Machine Bugs
• patching — Reverse Engineering Is Model Recovery
• path-traversal — Path Traversal Is a Canonicalization Bug; Testing the Four-Axis Detection Rubric Against CVE-2024-4956
• phar — Deserialization Restores Code Paths
• pie — A Return Address Is a Partially-Known Pointer - 30 pwn.co...
• portswigger — API Testing Is Contract Drift Hunting; NoSQL Injection Is Query Shape Injection; Race Conditions Are State Transition Bugs; GraphQL Security Is Schema and Transport Control; Prototype Pollution Is Property Lookup Abuse; Targeted Scanning Is a Manual Testing Tool; JWT Security Is Verification Policy; File Upload Is a Four-Stage Boundary; OAuth Security Is Binding; Host Is Routing Metadata; Business Logic Bugs Are Broken Invariants; Information Leaks Are Missing Exploit Parameters; Deserialization Restores Code Paths; Web Cache Poisoning Is a Key Boundary Bug; WebSocket Security Starts at the Handshake; Authentication Bugs Are State Machine Bugs; Authorization Is Not a Route Name; Path Traversal Is a Canonicalization Bug; SSTI Is Context First; Blind Command Injection Is a Channel Problem; Request Smuggling Is a Parser Disagreement Bug; CORS Is Not Authorization - A Three-Lab Map; DOM Bugs Live in the Browser Runtime - A Seven-Lab Map; CSRF Is a State-Transition Bug - A Twelve-Lab Map; XSS Is a Parser Boundary Problem - A Thirty-Lab Map; SSRF Is a Network Position Bug - A Seven-Lab Map; Entity Resolution Is a File and Network Boundary - An XXE...; CSRF Tokens Do Not Prove User Intent - A Clickjacking Met...; Five Ways a Cache and an Origin Disagree — A Web Cache De...; 18 SQL Injection Labs Later — A Practical Map from Tautol...
• postgresql — 18 SQL Injection Labs Later — A Practical Map from Tautol...
• postmessage — DOM Bugs Live in the Browser Runtime - A Seven-Lab Map
• prioritization — How I Pick CVEs to Reproduce — Detection Engineering as T...
• prompt-injection — Four Ways LLM Apps Turn Data into Actions — Lessons from ...; When the Scanner Is the Vulnerability — Indirect Prompt I...
• prototype-pollution — Prototype Pollution Is Property Lookup Abuse
• pwn-college — Modern Mitigation Bypass Is Leak Chaining; Constrained Shellcode Is Interface Design; Reverse Engineering Is Model Recovery; A Return Address Is a Partially-Known Pointer - 30 pwn.co...
• race-condition — File Upload Is a Four-Stage Boundary
• race-conditions — Race Conditions Are State Transition Bugs
• redirect-uri — OAuth Security Is Binding
• referer — CSRF Is a State-Transition Bug - A Twelve-Lab Map
• ret2libc — Modern Mitigation Bypass Is Leak Chaining; A Return Address Is a Partially-Known Pointer - 30 pwn.co...
• retrospective — 23 vulhub CVE Labs Later — Three Things I Would Redo From...
• rop — A Return Address Is a Partially-Known Pointer - 30 pwn.co...
• rubric — Testing the Four-Axis Detection Rubric Against CVE-2024-4956
• samesite — CSRF Is a State-Transition Bug - A Twelve-Lab Map
• sandbox — SSTI Is Context First
• scanner — Targeted Scanning Is a Manual Testing Tool
• shellcode — Constrained Shellcode Is Interface Design
• shellshock — SSRF Is a Network Position Bug - A Seven-Lab Map
• sigma — 23 vulhub CVE Labs Later — Three Things I Would Redo From...; Three 2024 N-days, Three Signal Qualities — Why Jenkins i...; Anatomy of CVE-2024-36401 — Why the GeoServer JXPath Bug ...; From CVE Advisory to Sigma Rule in 30 Minutes — A Repeata...
• signal-quality — Testing the Four-Axis Detection Rubric Against CVE-2024-4956; Three 2024 N-days, Three Signal Qualities — Why Jenkins i...
• soc — From CVE Advisory to Sigma Rule in 30 Minutes — A Repeata...
• soc-economics — How I Pick CVEs to Reproduce — Detection Engineering as T...
• sql-injection — 18 SQL Injection Labs Later — A Practical Map from Tautol...
• ssrf — Host Is Routing Metadata; SSRF Is a Network Position Bug - A Seven-Lab Map; Entity Resolution Is a File and Network Boundary - An XXE...; When the Scanner Is the Vulnerability — Indirect Prompt I...
• ssti — SSTI Is Context First
• state-machine — Business Logic Bugs Are Broken Invariants
• subdomain-takeover — CORS Is Not Authorization - A Three-Lab Map
• substitute-model — Adversarial ML Attack Patterns Mapped to MITRE ATLAS — A ...
• suricata — From CVE Advisory to Sigma Rule in 30 Minutes — A Repeata...
• sysmon — From CTF Heap Pwn to Falco Rules — Reading Memory Corrupt...
• tcache — From CTF Heap Pwn to Falco Rules — Reading Memory Corrupt...
• teamcity — Three 2024 N-days, Three Signal Qualities — Why Jenkins i...
• templates — SSTI Is Context First
• threat-hunting — From CVE Advisory to Sigma Rule in 30 Minutes — A Repeata...
• turbo-intruder — Race Conditions Are State Transition Bugs
• ui-redressing — CSRF Tokens Do Not Prove User Intent - A Clickjacking Met...
• url-parsing — SSRF Is a Network Position Bug - A Seven-Lab Map
• validation — File Upload Is a Four-Stage Boundary
• virtual-machines — Reverse Engineering Is Model Recovery
• vulhub — 23 vulhub CVE Labs Later — Three Things I Would Redo From...; Anatomy of CVE-2024-36401 — Why the GeoServer JXPath Bug ...; How I Pick CVEs to Reproduce — Detection Engineering as T...; From CVE Advisory to Sigma Rule in 30 Minutes — A Repeata...
• web-cache-deception — Five Ways a Cache and an Origin Disagree — A Web Cache De...
• web-cache-poisoning — Web Cache Poisoning Is a Key Boundary Bug
• websocket — WebSocket Security Starts at the Handshake; CSRF Is a State-Transition Bug - A Twelve-Lab Map
• xinclude — Entity Resolution Is a File and Network Boundary - An XXE...
• xml — Entity Resolution Is a File and Network Boundary - An XXE...
• xss — Web Cache Poisoning Is a Key Boundary Bug; WebSocket Security Starts at the Handshake; XSS Is a Parser Boundary Problem - A Thirty-Lab Map; Four Ways LLM Apps Turn Data into Actions — Lessons from ...
• xxe — Entity Resolution Is a File and Network Boundary - An XXE...
• yan85 — Reverse Engineering Is Model Recovery