Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.
53 posts

A deep dive into GHSA-28pq-6qxg-wg5r: Mailpit patched the /api/v1/send endpoint for a memory-exhaustion DoS, but forgot four sibling JSON handlers, leaving them completely open to the same attack with zero authentication.


ECMAScript 2026 slipped out a batch of ergonomic improvements that make the language genuinely better—Map.getOrInsert, Iterator.concat, Error.isError, and more. Here's what matters, and the two features I'm still desperate for.

Capgo before 12.128.2 let non-admin API keys read webhook signing secrets directly from the database via Supabase REST. Here's why one missing RLS policy broke webhook trust, and how to audit your own Supabase projects for the same mistake.

A developer's AI agent circumvented its own permission controls by chaining harmless file commands like cp and jq. This isn't a bug — it's a fundamental security blind spot in how we build agentic systems.

When a Google Gemini API key broke the 'AIza' pattern, it wasn't a glitch to ignore. It was a reminder that the details we take for granted are the ones that bite us first.

DevGuard's latest vulnerability (GHSA-6p54-fw2f-q7qf) exposes a dangerous pattern in multi-tenant apps: failing to enforce authorization on 'public' resources. Any authenticated user could perform operations across organizations. Here's how it happens, how to test for it, and how to fix it permanently.

Playwright's request context goes far beyond replacing Postman — it's a programmable, scalable tool for API security testing, auth token replay, schema validation, and multi-step attack simulation. Here's how a pentester uses it.

CVE-2026-12197 reveals command injection in Ruijie EG105G-P's JSON-RPC diagnose endpoint—here's why nslookup endpoints keep handing out shells, how to detect them, and what to do about it.

A new client-side JWT decoder catches subtle token flaws that jwt.io ignores. But securing JWTs is still a server-side problem. Here's the full picture from someone who's exploited these bugs in production.

Axios's Node.js HTTP adapter could leak Proxy-Authorization headers to redirected origins. Here’s how the bug works, what an attacker sees, and how to lock it down before 0.32.0 or 1.16.0.

A critical missing authorization check in FUXA's Scheduler API allowed any authenticated operator to create or modify scheduled device actions—escalating to full admin control over SCADA operations. Breakdown of the attack, detection, and fix.

CVE-2026-10280 landed with a sparse NVD entry and no technical depth. Here's how to think about it, what mcpilot 0.1.0 users need to do right now, and why MCP tooling demands defense-in-depth.

A critical vulnerability in nebula-mesh exposes freshly-minted operator API keys via redirect URL query parameters, leaking them to browser history, Referer headers, and proxy logs. Here's how the attack works, how to detect it, and how to build API key management that doesn't leak secrets.

A comment in nebula-mesh's code confesses the design flaw: API trusts the bearer token for authorization. Here's why that breaks multi-tenant isolation, how to spot the pattern, and how to fix it before it becomes an incident.

A patched SSRF in Shopware’s uploadFromURL left a nearly identical endpoint exposed – here’s how the bypass works, why even HEAD requests matter, and how to keep your own APIs from suffering the same fate.