Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.
A new client-side JWT decoder catches subtle token flaws that jwt.io ignores. But securing JWTs is still a server-side problem. Here's the full picture from someone who's exploited these bugs in production.
A critical SQL injection vulnerability in Drupal core's database abstraction API affects all PostgreSQL-backed sites. Here's how it works, how to detect it, and what to do right now.
A deep dive into CVE-2025-11954, a CSRF vulnerability in WISECP with a CVSS score of 8. I break down how the attack works mechanically, why this 'old' class of vulnerability keeps showing up, and provide detailed defense strategies with production-ready code examples.