Blog

2025

Preventing Prompt Injection Attacks at Scale

June 9, 2025 · 5 mins

Introducing LLMQuery Framework: Scaling GenAI Automation with Prompt Templates

January 13, 2025 · 4 mins

2024

Engineering Learnings from the CrowdStrike Falcon Outage

July 26, 2024 · 10 mins

2023

Secrets Patterns DB: Building Open-Source Regex Database for Secret Detection

February 7, 2023 · 4 mins

2022

Speaking at BlakcHat MEA 2022

December 5, 2022 · 3 mins

DoS Attacks are Dead: Demystifying Practical DoS Attacks

December 4, 2022 · 2 mins

Shennina Framework - Automating Host Exploitation with AI

November 8, 2022 · 3 mins

Scan Terraform plans and changes with tfquery via SQL-powered framework

October 27, 2022 · 2 mins

Twitch Internal Security Tools: In-depth Analysis of the Leaked Twitch Security Tools

June 1, 2022 · 21 mins

Attacking Modern Environments Series: Attack Vectors on Terraform Environments

January 29, 2022 · 1 min

2021

Interview With the AppSec Podcast: Terraform Security

October 17, 2021 · 1 min

tfquery: Run SQL queries on your Terraform infrastructure

April 28, 2021 · 1 min

DDoS is not Dead: Building a Scalable DDoS Framework

April 13, 2021 · 6 mins

Interview with Sectastic Podcast: How I started, What is FullHunt, and How are Security Startups in the GCC Region

March 22, 2021 · 1 min

2020

Hacking Zoom: Uncovering Tales of Security Vulnerabilities in Zoom

August 9, 2020 · 19 mins

Bad Marketing: COVID-19 and Cyber Security

April 14, 2020 · 1 min

The Path for Testing Path Traversal Vulnerabilities with Python

April 12, 2020 · 2 mins

OhMyZsh dotenv Remote Code Execution

April 8, 2020 · 3 mins

Book Review: WASEC By Alessandro Nadalin

March 29, 2020 · 2 mins

2019

Practical Approaches for Testing and Breaking JWT Authentication

October 25, 2019 · 8 mins

Search Engine Abuse in Popular Social Networks

May 17, 2019 · 2 mins

[Research] Overview of the Application-Level Security of the Swiss Evoting System

April 16, 2019 · 1 min

Backchannel Leaks on Strict Content-Security Policy

January 18, 2019 · 2 mins

2018

Practical Protection Against DNS Rebinding Attacks

July 31, 2018 · 4 mins

Creating an Emojis PHP WebShell

July 23, 2018 · 1 min

Using HTML Attribute Separators for Bypassing WAF XSS Filters

July 17, 2018 · 2 mins

Bypassing CSP by Abusing JSONP Endpoints

January 16, 2018 · 3 mins

2017

[Book Review] ModSecurity Handbook - 2nd Edition

October 3, 2017 · 2 mins

Starting in InfoSec - 101

August 11, 2017 · 4 mins

Using Ubuntu .DESKTOP as a Malware Vector

April 8, 2017 · 3 mins

Exploiting Misconfigured Apache server-status Instances with server-status_PWN

January 13, 2017 · 2 mins

2016

Bug Bounty Hunting - Swiss Cyber Storm 2016

October 23, 2016 · 2 mins

Backup-File Artifacts: The Underrated Web-Danger

August 18, 2016 · 5 mins

Google UI-Redressing Bug That Discloses The User's Email Address

April 8, 2016 · 3 mins

Bypassing NoScript Security Suite Using Cross-Site Scripting and MITM Attacks

March 17, 2016 · 1 min

2015

Why Prebuilt Security Browsers are Bad: Introducing Firefox Security Toolkit

November 3, 2015 · 5 mins

Evading All Web-Application Firewalls XSS Filters

September 9, 2015 · 1 min

Bypassing Google Password Alert with One Line of Code

July 25, 2015 · 2 mins

Facebook Messenger Multiple CSRF Vulnerabilities

June 9, 2015 · 2 mins

Summary of HSTS Support in Modern Browsers

May 29, 2015 · 1 min

My Experience with eBay Bug Bounty Program

April 24, 2015 · 4 mins

2014

W3 Total Cache's W3TotalFail Vulnerability That Leads to Full Defacement (CVE-2014-9414)

December 11, 2014 · 4 mins

Session Hijacking in Instagram Mobile App via MITM Attack [0-DAY]

July 26, 2014 · 2 mins

My Story with Onavo (a Facebook's Acquisition)

June 9, 2014 · 2 mins

Cross-Site Scripting on Wikileaks

February 19, 2014 · 1 min

PHP Code Execution on Bugcrowd

February 13, 2014 · 1 min

SQL Injection and Cross-site Scripting at the website of the University of Calgary

February 6, 2014 · 1 min

Open Redirector on Google.com

February 6, 2014 · 1 min

Acknowledged By Oracle

February 6, 2014 · 1 min