Did you know that manipulating a single HTTP header can unlock high-impact security flaws hidden within a web application? HTTP headers control how browsers and servers interact with data, so thes...

How often have your exploits been blocked by firewalls or neutered by mysterious processes that alter key characters? This is why payload obfuscation is such a game-changing skill for offensive se...

HTTP fingerprinting is an invaluable way to discover the underlying technologies powering a web application. From analysing HTTP headers to performing malformed HTTP requests, these reconnaissance...

Ever wondered whether you ever missed a hidden subdomain that would have unlocked a critical vulnerability and a large bounty reward? In this article, you will discover how cutting-edge subdomain ...

Cross-Site Scripting (XSS) is a super-common vulnerability that infects a victim’s browser with malicious JavaScript code, which is then used to hijack the victim’s data or, in some cases, take ful...

This is a guide to performing white box penetration testing on a JavaScript web application running within a Docker container. In testing a web application vulnerable to prototype pollution, we wil...

This article explains how to perform white-box penetration testing on a Python web application running in a Docker container. In this white-box pentest, we will go through how to debug Python in VS...

This article explains some novel techniques for exploiting server-side template injections (SSTIs) with complex, unique payloads that leverage default methods and syntax from various template engin...

Having access to your target’s source code is obviously an invaluable advantage of white-box penetration testing. This article will help you leverage that benefit in the context of PHP application...

In this article, I will cover one of my favorite vulnerabilities of all time and the one that I spent over three months trying to exploit at one of the largest companies in the world (which I unfor...