Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.

A patched SSRF in Shopware’s uploadFromURL left a nearly identical endpoint exposed – here’s how the bypass works, why even HEAD requests matter, and how to keep your own APIs from suffering the same fate.
A missing input validation on M-Tix Cinema XXI's food ordering API let me increase my account balance by submitting negative quantities. No tools needed — just a browser.