Web Pentest
OWASP Top 10 in 2026, business logic flaws, authentication bypasses, API security.
Race Conditions in 2026: Single-Packet Attacks with Turbo Intruder
James Kettle's 2023 single-packet attack made race conditions reliably exploitable. Coupon multi-redemption, OTP brute-force despite lockouts, voucher stacking — anonymised real findings.…
Security GuidesIDOR: The Bug That Refuses to Die (And How to Find It)
IDOR is on half of Indian SaaS pentests. The taxonomy (sequential, UUID, path, body, header, mass assignment, indirect), the systematic test methodology…
Cloud SecuritySSRF Beyond AWS: GCP, Azure, On-Prem and DNS Rebinding
SSRF attack surface beyond AWS metadata — GCP and Azure metadata endpoints, on-prem internal services (Redis, Elasticsearch, Kubernetes API), DNS rebinding bypass,…
Security GuidesOAuth 2.0 Attacks in 2026: Code Injection, PKCE Downgrade, JWT Issues
Modern OAuth attack surface — redirect URI manipulation, authorisation code injection, state parameter abuse, PKCE downgrade, JWT access token weaknesses, scope escalation.…
Security GuidesSAML Attacks: Golden SAML, XML Signature Wrapping, SLO Abuse
SAML attack surface in 2026 — XML Signature Wrapping (XSW1-8), Golden SAML (SolarWinds technique), signature exclusion, comment injection, audience replay, SLO abuse.…
Threat IntelligenceSpring4Shell (CVE-2022-22965): Why It’s Still Hitting Java in 2026
Spring4Shell was disclosed in March 2022. Vulnerable Spring still found in Indian enterprise audits in 2026, particularly legacy Java apps and vendor…
Threat IntelligenceServer-Side Template Injection (SSTI) in 2026: Detection and Exploitation
SSTI test methodology — canary payloads for Jinja2, Twig, Smarty, Freemarker, Velocity, ERB, Razor. Where SSTI hides (email templates, error messages, report…
Security GuidesXXE: External Entity Injection in 2026 — Where It Still Hides
XXE in 2026 — document upload (DOCX, SVG, RSS), SOAP APIs, SAML, RSS processors. Blind XXE via out-of-band channels, XXE-to-SSRF chains, and…
Security GuidesCSRF in 2026: Why SameSite Doesn’t Solve Everything
SameSite=Lax is the default; CSRF should be solved. It is not. SameSite=None for legitimate cross-site, GET-based state changes, subdomain CSRF, CORS misconfigurations,…
Tools & TutorialsNoSQL Injection: MongoDB, Elasticsearch, DynamoDB
NoSQL injection class — MongoDB operator injection ($ne, $where), Elasticsearch DSL injection, DynamoDB attribute injection, CouchDB MapReduce. Test workflow with NoSQLMap and…