Every post is drawn from a real penetration-testing engagement: redacted for privacy, kept honest on the technical detail. Exploit chains, reproduction steps and the code-level fixes that actually close the gap.
Featured write-up
A healthcare Android app trusted the OTP-verification result that its own client rendered. Flip one byte in the server response and the authentication gate opened, straight into medical records.
Shared session cookies across tenant subdomains looked benign, until a swapped response let the attacker add themselves as Super Admin in somebody else's organisation.
A production JWT signing key that still read "THIS IS USED TO SIGN AND VERIFY JWT TOKENS, REPLACE IT WITH YOUR OWN SECRET." Hashcat did the rest. Full account impersonation followed.
The state parameter was present in the request, but it was static, shared across every account. Copy-paste the URL to a victim's browser and the OAuth flow linked your Facebook to their account.
Follow the team on LinkedIn. We publish every finding that survives disclosure.
Fixed-price statement of work within 48 hours. Senior practitioners, not junior analysts, on every assessment.