Web Pentest
OWASP Top 10 in 2026, business logic flaws, authentication bypasses, API security.
XXE: External Entity Injection in 2026 — Where It Still Hides
XXE in 2026 — document upload (DOCX, SVG, RSS), SOAP APIs, SAML, RSS processors. Blind XXE via out-of-band channels, XXE-to-SSRF chains, and…
Security GuidesCSRF in 2026: Why SameSite Doesn’t Solve Everything
SameSite=Lax is the default; CSRF should be solved. It is not. SameSite=None for legitimate cross-site, GET-based state changes, subdomain CSRF, CORS misconfigurations,…
Cloud SecurityAWS EC2 SSRF: How One Curl Command Becomes a Cloud Compromise
One missing input filter on a server-side request lets an attacker reach 169.254.169.254 from your EC2 instance. From that single curl: IAM…
Security GuidesSQL Injection in 2026: Why It’s Still in 40% of Indian Web Pentests
SQL injection has been on OWASP Top 10 since 2003. Modern variants — blind, time-based, second-order, NoSQL injection, ORM injection — still…
Tools & TutorialsJWT Attacks in 2026: alg:none, RS256-to-HS256, JWKS Injection — Still Working
JWT done with library defaults from 2017 is a privilege-escalation primitive. Seven attack variants — alg:none, RS256-HS256 confusion, weak HMAC, JWKS injection,…
Threat IntelligenceLog4Shell 4 Years Later: Why It’s Still in 15% of Indian Enterprise Audits
Log4Shell (CVE-2021-44228) was disclosed in December 2021. Four years on, 15-20% of Indian enterprise audits still find vulnerable Log4j. The bug, modern…
Tools & TutorialsBurp Suite Professional Workflow: How Senior Pentesters Actually Use It
Most engineers use Burp like a glorified intercepting proxy. Senior pentesters use it as a programmable workbench — macros, session-handling rules, Intruder…