Field Notes
Things I find while I dig in the trenches. Not polished papers — casual reports from the field.
- One Space Before a Colon — How a Malformed Header Bypassed CloudflareA single space before a colon in Transfer-Encoding was enough to desync Cloudflare from Apache and bypass WAF protection entirely.2026-01-14
- Any Account Taken Over in 7 Minutes — OTP Brute Force on a Web3 GameA critical vulnerability discovered during a Solana play-to-earn game audit: 6-digit OTP with zero rate limiting, allowing full account takeover in under 7 minutes.2026-03-26
- One Smuggled Request to Admin: Chaining CVE-2025-55315 with a Token Renewal FlawHTTP request smuggling on unpatched ASP.NET Core Kestrel combined with a missing issuer check on the token renewal endpoint — one free account, one smuggled request, full admin panel.2026-02-18
- From IDOR to Root Shell — How a Missing WHERE Clause Gave Up an Entire ServerA missing parameter binding in a Laravel raw query led to full server compromise: SQLi → LOAD_FILE .env → phpMyAdmin root → INTO OUTFILE webshell → RCE → private key.2026-01-28
- From '123456789' to Full Lightning Node ControlThunderHub's dev JWT secret left in production — one missing environment variable cascaded into full node compromise, permanent LND admin access, and a backdoor that survives remediation.2026-03-05