Web Pentest · 47 articles

Web Pentest

OWASP Top 10 in 2026, business logic flaws, authentication bypasses, API security.

Tools & Tutorials

Race Conditions in 2026: Single-Packet Attacks with Turbo Intruder

James Kettle's 2023 single-packet attack made race conditions reliably exploitable. Coupon multi-redemption, OTP brute-force despite lockouts, voucher stacking — anonymised real findings.…

Apr 25, 2026 · 4 min read
Security Guides

IDOR: The Bug That Refuses to Die (And How to Find It)

IDOR is on half of Indian SaaS pentests. The taxonomy (sequential, UUID, path, body, header, mass assignment, indirect), the systematic test methodology…

Apr 25, 2026 · 4 min read
Cloud Security

SSRF Beyond AWS: GCP, Azure, On-Prem and DNS Rebinding

SSRF attack surface beyond AWS metadata — GCP and Azure metadata endpoints, on-prem internal services (Redis, Elasticsearch, Kubernetes API), DNS rebinding bypass,…

Apr 25, 2026 · 4 min read
Security Guides

OAuth 2.0 Attacks in 2026: Code Injection, PKCE Downgrade, JWT Issues

Modern OAuth attack surface — redirect URI manipulation, authorisation code injection, state parameter abuse, PKCE downgrade, JWT access token weaknesses, scope escalation.…

Apr 25, 2026 · 4 min read
Security Guides

SAML Attacks: Golden SAML, XML Signature Wrapping, SLO Abuse

SAML attack surface in 2026 — XML Signature Wrapping (XSW1-8), Golden SAML (SolarWinds technique), signature exclusion, comment injection, audience replay, SLO abuse.…

Apr 25, 2026 · 4 min read
Threat Intelligence

Spring4Shell (CVE-2022-22965): Why It’s Still Hitting Java in 2026

Spring4Shell was disclosed in March 2022. Vulnerable Spring still found in Indian enterprise audits in 2026, particularly legacy Java apps and vendor…

Apr 25, 2026 · 3 min read
Threat Intelligence

Server-Side Template Injection (SSTI) in 2026: Detection and Exploitation

SSTI test methodology — canary payloads for Jinja2, Twig, Smarty, Freemarker, Velocity, ERB, Razor. Where SSTI hides (email templates, error messages, report…

Apr 25, 2026 · 3 min read
Security Guides

XXE: External Entity Injection in 2026 — Where It Still Hides

XXE in 2026 — document upload (DOCX, SVG, RSS), SOAP APIs, SAML, RSS processors. Blind XXE via out-of-band channels, XXE-to-SSRF chains, and…

Apr 25, 2026 · 4 min read
Security Guides

CSRF in 2026: Why SameSite Doesn’t Solve Everything

SameSite=Lax is the default; CSRF should be solved. It is not. SameSite=None for legitimate cross-site, GET-based state changes, subdomain CSRF, CORS misconfigurations,…

Apr 25, 2026 · 2 min read
Tools & Tutorials

NoSQL Injection: MongoDB, Elasticsearch, DynamoDB

NoSQL injection class — MongoDB operator injection ($ne, $where), Elasticsearch DSL injection, DynamoDB attribute injection, CouchDB MapReduce. Test workflow with NoSQLMap and…

Apr 25, 2026 · 2 min read