A technical explainer on git's fundamental lack of commit attribution verification, written for engineers and DevOps practitioners. Anyone can create commits attributed to anyone else. Your organization probably knows this and does nothing about it anyway. The Thesis Git has no mechanism to verify that a commit actually
A technical walkthrough of subdomain takeover via unclaimed cloud resources, written for infrastructure teams who provision cloud services, configure DNS, and then forget about both. Spoiler: someone else will remember for you. The Thesis You point a CNAME record at a cloud service — an S3 bucket, an Azure blob storage
A technical explainer on catastrophic backtracking in regular expressions, written for backend engineers and platform security teams. Everything that follows is preventable—if you know what to look for. The Thesis Most regular expression engines don't use the linear-time guarantees of deterministic finite automata (DFA). Instead, they use
A technical walkthrough of server-side request forgery through HTML-to-PDF conversion, written for engineers who build "Export as PDF" features and don't realize they've deployed a headless browser with network access to production infrastructure. The Thesis If your application converts user-supplied HTML (or Markdown, or
A technical guide to exploiting disagreements between HTTP/1.1 proxies and backends about where one request ends and the next begins. Real code. Real impact. The Thesis HTTP/1.1 defines two ways to specify the length of a request body: Content-Length and Transfer-Encoding: chunked. When a frontend proxy
A technical deep-dive on why JSON Web Tokens are deceptively easy to break, even in carefully written libraries. The spec lets clients control the rules of verification — and many servers never noticed. The Thesis JWT is the internet's favorite stateless token format. It's also one of
A technical explainer on how object deserialization becomes arbitrary code execution. Written for engineers defending systems and those building them wrong. The Thesis Serialization turns objects into bytes. Deserialization turns bytes back into objects. If those bytes come from an untrusted source — a cookie, an API response, a message queue,
A technical walkthrough of container escape vulnerabilities, written for engineers who run Docker in production and assume the isolation boundary holds. Spoiler: it doesn't, and your CI/CD pipeline is probably misconfigured. The Thesis Containers are not lightweight VMs. They are a collection of Linux kernel features — namespaces,
A technical deep-dive on dependency confusion attacks for engineers, DevOps practitioners, and anyone shipping software that depends on external packages. The attack works against private package management, the version selection algorithms of npm, pip, and Maven, and the assumption that package names map to trusted authors. The Thesis Package managers
A technical walkthrough of clipboard hijacking attacks against developers, written for anyone who copies commands from blog posts, Stack Overflow, and documentation. Spoiler: what you copied might not be what your terminal executes. The Thesis Every time you copy a command from a tutorial, documentation site, or Stack Overflow answer
A technical walkthrough of DNS rebinding attacks against local services, written for engineers who run things on localhost and assume that means they're safe. Spoiler: it doesn't. The Thesis If you're running a service on localhost — a dev server, a database admin panel, a
security-research
A technical explainer on the attack surface of automated resume screening, written for engineers and hiring practitioners. None of the techniques described here require you to lie about your qualifications — and that's the whole point. The Thesis If a candidate can embed invisible text into a resume and