Researcher discovered RCE via exposed Rails secret token leaked through Rack's ShowExceptions error page enabled on production. By fuzzing the filename parameter with %0d to trigger an exception, they obtained the secret_token used to sign cookies, which they then exploited to achieve remote code execution across two in-scope assets.
A DevOps engineer discovered unauthenticated RCE as root on publicly exposed Marathon container orchestration instances, found via Shodan reconnaissance, by leveraging the task scheduling API to execute arbitrary commands without authentication.
A union-based SQL injection vulnerability was discovered in the University of Cambridge's Fitzwilliam Museum search application, allowing enumeration of database version, user credentials, and database name through manipulated query parameters.
An IDOR vulnerability in Facebook Analytics allows users with analyst roles to access private dashboard charts by manipulating the 'chartID' parameter in a GraphQL request, disclosing chart names and data that should only be visible to the dashboard owner.
A walkthrough of exploiting a boolean-based SQL injection vulnerability via the User-Agent HTTP header to enumerate database version, table names, and columns, culminating in credential extraction from a MariaDB 10.1.21 instance.
An application-level denial-of-service vulnerability exploitable by sending excessively long strings (100,000+ characters) to input fields, causing CPU and memory exhaustion through vulnerable string hashing implementations. The technique can be applied to password fields, usernames, email addresses, and other text inputs across authentication and search functions.
Researchers identified and documented a method to discover and exploit over 55,000 subdomain takeover vulnerabilities on Shopify by analyzing FDNS datasets for CNAMEs pointing to Shopify infrastructure, then claiming unclaimed shop names to hijack subdomains. They developed a script with improved false-positive detection using page error messages, CNAME verification, and REST API checks.
SQL injection vulnerability discovered in a forgot-password function via time-based exploitation. The author enumerated the backend technology (ASP.NET/MSSQL), broke the SQL query with single quotes, injected a WAITFOR DELAY payload to confirm the vulnerability, and used SQLMap to automate database extraction.
A bug bounty hunter demonstrates a union-based SQL injection attack against a private company's web application, using order-by enumeration to identify 11 vulnerable columns, extracting database version, user, OS details, and dumping table schemas via information_schema queries with encoding bypasses.
Researcher discovered multiple DoS vulnerabilities across Facebook endpoints caused by lack of parameter length validation, allowing attackers to crash Messenger and break Facebook Pages for administrators through large payload injection via the appointments feature.
Researcher demonstrates a subdomain takeover vulnerability on Starbucks by exploiting an unclaimed Azure Traffic Manager endpoint. The vulnerable subdomain had a CNAME pointing to a non-existent trafficmanager.net domain that could be registered without domain ownership verification, allowing complete control of the subdomain.
A blind time-based SQL injection vulnerability was discovered in a file upload parameter where the application stored the filename directly in the database without proper sanitization. The vulnerability was exploited by injecting SQL sleep commands into the PDF filename and confirming exploitation through response time analysis after bypassing a Cloudflare WAF misconfiguration.
A security researcher bypassed 2FA/OTP on an Indian travel service provider by brute-forcing a 4-digit OTP without rate limiting, using Burp Suite's intruder to test all 10,000 possible combinations and obtain a valid login token.
A subdomain takeover of ping.ubnt.com via an unclaimed Amazon CloudFront distribution, combined with shared session cookies across *.ubnt.com subdomains, allowed complete authentication bypass of Ubiquiti's SSO system. The vulnerability was responsibly disclosed through HackerOne.
Comprehensive CTI research on Handala Hack Group (linked to Iranian MOIS via Void Manticore cluster), a politically-motivated hack-and-leak threat actor targeting Israeli organizations through phishing, social engineering, and wiper malware, combining technical compromise with information operations for amplified impact. The report provides cluster-level attribution convergence across five vendors, TTPs mapping, IOCs, and SOC-ready defensive playbooks including wiper-resilience and incident communications guidance.
This article explains how inline assembly semantics fit into the Rust Abstract Machine by proposing a "storytelling" approach: every inline assembly block must have a corresponding Rust code equivalent that describes its observable behavior, allowing the compiler to reason about soundness and apply optimizations correctly. The author demonstrates why inline assembly cannot arbitrarily violate Abstract Machine constraints like aliasing rules, even though assembly itself doesn't have these concepts.
Article demonstrates how formal verification can detect subtle bugs in code that passes testing and code review, using a banking application example with three classes of defects: fee calculation errors violating invariants, money conservation violations in transfers, and integer overflow edge cases that break properties for all possible inputs.
A former backend lead at Manus proposes replacing traditional function-calling in LLM agents with a single Unix-style run(command="...") tool that leverages pipes and shell operators, arguing that LLMs are naturally aligned with CLI patterns they've seen extensively in training data and that this approach reduces cognitive load on tool selection while enabling composition.
Walkthrough of exploiting three common API vulnerabilities—BOLA (Broken Object-Level Authorization), Broken Authentication, and BOPLA (Broken Object Property-Level Authorization)—in the Damn Vulnerable Bank deliberately vulnerable application using Burp Suite.
An educational murder mystery game that teaches core dump debugging and reverse engineering through a sci-fi airlock controller scenario. Players must analyze a core dump to uncover how a buffer overflow exploit was used to trigger a fatal airlock malfunction.
This lab exercise demonstrates a reflected XSS vulnerability in an HTML context where standard HTML tags are blocked but custom tags are allowed, requiring attackers to find alternative vectors to achieve code execution.
An AI-generated Slack integration solution triggered the API's 1-request-per-second global rate limit by making hundreds of sequential close calls, cascading to break all application endpoints. The assistant's attempted fix using blocking sleep() worsened the problem by further blocking concurrent operations, demonstrating AI's failure to consider distributed system constraints.
A practical guide combining AI image analysis with ImageMagick command-line blurring to automatically detect and redact sensitive data (credentials, emails, tokens) from screenshots. The workflow uses AI models to identify sensitive regions by coordinates, then applies Gaussian blur or solid fill redaction via ImageMagick's -region flag.
Technical taxonomy of GraphQL attack classes including schema enumeration, batch query abuse, and resolver explosion attacks that are commonly missed by security tools.
A detailed technical comparison of compression algorithms (gzip, zstd, xz, brotli, lzip, bzip2, bzip3) for optimizing code size in resource-constrained environments, demonstrating that bzip/bzip2 achieves superior compression ratios for text-like data through Burrows-Wheeler Transform rather than LZ77, while maintaining a smaller decoder footprint.
A technical guide to setting up Pocket ID, a lightweight OIDC identity provider focused on passkey-based authentication, as a simpler alternative to Keycloak for self-hosted services. The author covers installation, client configuration patterns, and integration with multiple self-hosted applications including Gitea, Argo CD, Grist, Sentry, n8n, and WordPress.
Article explores API design principles optimized for AI agents (agent experience/AX) alongside human developers, emphasizing that good OpenAPI documentation, clear error messages with guidance, and semantic descriptions are critical for autonomous agent routing and error recovery in fintech and accounting integrations.
PHP-rnet is a PHP extension that bypasses bot detection by impersonating real browser TLS fingerprints and HTTP/2 behavior, using Rust-based networking libraries and BoringSSL to avoid the telltale libcurl fingerprint that standard PHP HTTP clients expose.
A comprehensive guide covering SQL injection fundamentals, exploitation strategies, payload techniques, and WAF evasion methods for bug bounty hunters.
An IDOR vulnerability in an e-commerce site's address management API exposed customer addresses and mobile numbers. Although direct address retrieval was protected by session validation, the attacker discovered that a POST request to set a default address with sequential address_id parameters returned HTTP 200 responses, and subsequent checkout page requests displayed other users' full addresses regardless of session context.