Skip to content

Fast-turnaround security assessments available — 10+ years development & security experienceGet started

Cases

Security Cases

Real-world vulnerability research and attack chain walkthroughs. See how single misconfigurations cascade into critical compromises.

Info DisclosureCVSS 5.3medium

Apr 19, 20269 min read

Enumerating Internal Architecture Through a Container Registry

During a black-box assessment of a global infrastructure provider, an unauthenticated Harbor container registry exposed the organization's complete internal project structure — service names, repository counts, team namespaces, and architectural relationships — without requiring any credentials. This is how the registry was found, what it disclosed, and why container registries with open access represent a more serious reconnaissance surface than they appear.

Info DisclosureCVSS 6.5medium

Apr 15, 20269 min read

Publishing Your Complete API Surface by Accident

During a black-box assessment of a global infrastructure provider, publicly accessible OpenAPI specification files revealed the complete internal API surface of multiple services — including endpoints, authentication schemes, request parameters, and response schemas for operations that had no business being documented for public consumption. This is how they were found, what they disclosed, and why specification files sitting on the open internet represent a more serious risk than most organizations acknowledge.

API SecurityCVSS 7.5high

Apr 14, 20269 min read

Nine Hosts, One Wildcard, Zero Access Control

During an external attack surface assessment against a media infrastructure company, systematic enumeration of API subdomains revealed a consistent CORS misconfiguration across nine separate hosts. Every host returned Access-Control-Allow-Origin: * alongside authenticated API responses. Any external page could read responses from any of these nine endpoints — authentication tokens, broadcast configuration data, and internal account details included.

Access ControlCVSS 9.1critical

Apr 13, 20269 min read

Enterprise GitLab With the Front Door Wide Open

An enterprise GitLab installation used by a global media technology company to host proprietary infrastructure code, deployment configurations, and CI/CD pipelines was configured with open user registration enabled. Any external party could create an account, browse internal repositories, clone source code, and read environment files containing credentials for production systems — no invitation required.

API SecurityCVSS 8.1high

Apr 12, 20268 min read

Chaining a Subdomain XSS Into API Token Theft

A cross-site scripting vulnerability on a help-center subdomain of a cryptocurrency exchange seemed low-risk in isolation. The exchange's main trading API disagreed: its CORS configuration trusted that subdomain as an allowed origin, turning reflected XSS into a mechanism for making credentialed requests to every authenticated trading endpoint.

CryptographicCVSS 7.4high

Apr 11, 20269 min read

The Service That Trusted Every Certificate

During a security assessment of an election management platform, a backend integration service was found to accept any TLS certificate during HTTPS connections to external endpoints — regardless of validity, expiry, or hostname match. The result was complete exposure to man-in-the-middle interception on traffic the platform considered encrypted and authenticated.

CryptographicCVSS 7.4high

Apr 10, 202610 min read

Encrypting Voter Data With a Broken Cipher

During a security assessment of an election management platform, the sensitive voter record export feature was found to use AES encryption in CBC mode without any message authentication code. This design allowed ciphertext to be modified in predictable ways, ballot export files to be silently corrupted, and — under specific conditions — plaintext content to be partially recovered without the encryption key.

Info DisclosureCVSS 6.5high

Apr 7, 20268 min read

The Staging Server No One Password-Protected

During a web application assessment of a digital asset trading platform, subdomain enumeration surfaced a staging blog environment with no authentication. Every unpublished post, internal announcement, and draft disclosure was readable by anyone with a browser and the subdomain name.

Access ControlCVSS 6.1medium

Apr 6, 20268 min read

Poisoning Analytics Through an Open Endpoint

During an assessment of a cryptocurrency exchange's infrastructure, an unauthenticated API endpoint intended to proxy third-party analytics events accepted arbitrary payloads with no validation. An attacker could inject synthetic events into the platform's analytics pipeline, manipulating conversion tracking, corrupting behavioral data, and potentially influencing automated systems that acted on those signals.

Business LogicCVSS 7.8high

Apr 5, 20269 min read

The Silent Seat That Disappeared

During a security assessment of an election management platform, a business logic error in the seat allocation algorithm caused one legislative seat to silently disappear under specific vote distribution conditions. No error was thrown. No warning was logged. The software produced a result, and the result was wrong.

OtherCVSS 8.2high

Apr 3, 20269 min read

Five Subdomains, Five Takeovers, One Afternoon

DNS enumeration against a media infrastructure company turned up not one dangling CloudFront record but five. Each subdomain pointed to a deleted CloudFront distribution. Each was claimable. By the end of the afternoon, five proof-of-concept pages were live under the company's own domain.

Info DisclosureCVSS 7.5high

Apr 1, 20267 min read

Kubernetes Blueprints Left on the Doorstep

During an assessment of a media streaming company's infrastructure, an ArgoCD instance was reachable over the public internet with no authentication required. Its API exposed the full inventory of Kubernetes applications, source repository paths, cluster connection details, and deployment configuration — the architectural blueprint of the organization's production environment.

Access ControlCVSS 8.8critical

Mar 31, 20268 min read

The iframe That Could Rewrite Ballot Templates

A government digital services platform trusted every postMessage it received — no origin check, no source validation. Any website could embed the platform in an iframe and send crafted messages to modify sensitive document templates. One missing conditional turned a routine message handler into an access control bypass.

OtherCVSS 8.5high

Mar 30, 20267 min read

Searching for Every Voter With a Single Percent Sign

A search field on a civic technology platform accepted SQL LIKE wildcards without sanitization. Entering a single percent sign returned the entire database — every record, every row, no authentication escalation required. Just one character in a search box.

OtherCVSS 7.5high

Mar 29, 20267 min read

The Subdomain Someone Else Already Owned

A routine DNS enumeration uncovered a subdomain pointing to a cloud resource that no longer existed. The CNAME was still live, the cloud resource was available for anyone to claim, and the subdomain was one registration away from serving attacker-controlled content under the company's domain.

Info DisclosureCVSS 8.2high

Mar 28, 20269 min read

652 Repositories, Zero Authentication

An exposed container registry at a global infrastructure provider held 652 repositories with no authentication. Docker image layers contained full application source code, configuration files, API keys, database credentials, and internal service architecture maps. This is the story of how it was found and what it revealed.

Auth BypassCVSS 9.0critical

Mar 27, 20268 min read

The Login Link That Let Anyone In

The platform sent login links by email. Each link contained a token. The problem was the application accepted that token from the URL and bound it to whoever authenticated next — which meant an attacker who knew the token could wait for any user to log in and immediately inherit their session.

OtherCVSS 9.1critical

Mar 26, 20269 min read

When Mock Cryptography Ships to Production

A government digital platform handling citizen votes went live with placeholder cryptographic functions that returned hardcoded values and used trivially breakable algorithms. The mock code was never replaced. Every signature could be forged, every encrypted payload could be read in plaintext, and the integrity guarantees the system promised existed only on paper.

Otherinformational

Mar 25, 20268 min read

What Goes Into a Security Assessment: From Reconnaissance to Remediation

A detailed look at how we conduct security assessments — from initial reconnaissance through manual exploitation to delivering actionable remediation reports.

Auth BypassCVSS 9.1critical

Mar 24, 20264 min read

The Trusted Email That Wasn't

A legitimate password reset email — SPF passed, DKIM valid, sender verified. But the link inside pointed to an attacker's domain. One HTTP header turned a routine email into a full account takeover.

IDORCVSS 9.3critical

Mar 22, 20265 min read

Half a Billion Profiles Behind a User-Agent String

A major platform's API returned full user profiles to anyone who asked. The only barrier was a WAF that ignored mobile traffic. One header change, hundreds of millions of accounts exposed.

Auth BypassCVSS 8.6high

Mar 20, 20265 min read

The Trailing Slash That Bypassed Authentication

Adding a single character to the end of a URL turned a 401 into a 200. Not on one endpoint — on thirty, across ten microservices. One slash, an entire backend unlocked.