web-security
4 posts
Article
CORS misconfiguration is consent, not an exploit
CORS misconfiguration explained at the mechanism level: origin reflection, null origin, broken allowlist matching, the credentialed-read exploit path, and why it stays invisible in telemetry.
Article
The agent reads the page and obeys
How Playwright-driven AI agents change the web's threat model: prompt injection, session hijacking, broken CAPTCHAs, and what to do this quarter.
Article
The storefront went dark by sundown
A merchandise site linked to Kash Patel went dark after allegedly serving malware. Operator breakdown of the control gaps that made takedown the only response.
Article
I built Burp Suite in Rust
Technical breakdown of an open-source Burp Suite alternative - proxy core, fuzzer, scanner depth, Collaborator gap, and what it means for vuln research.