Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.
2 posts ← reset filters
A comment in nebula-mesh's code confesses the design flaw: API trusts the bearer token for authorization. Here's why that breaks multi-tenant isolation, how to spot the pattern, and how to fix it before it becomes an incident.
A patched SSRF in Shopware’s uploadFromURL left a nearly identical endpoint exposed – here’s how the bypass works, why even HEAD requests matter, and how to keep your own APIs from suffering the same fate.