Renganathan (blog.rprotocols.com) · Jun 16 · 6 min read
Gaining Unauthenticated Access to Google Cloud Partner Registry Information
During security research on an internal Google Cloud Platform environment, an unauthenticated API exposure was identified that allowed access to partner registry information without requiring a valid …

Suny Choudhary (langprotect.hashnode.dev) · Jun 16 · 5 min read
AI-SPM vs CSPM: What's the Difference and Why Enterprises Need Both
CSPM helped security teams understand where cloud infrastructure was exposed. But AI introduced a different problem. Now enterprises do not only need to know whether a storage bucket is public or an I…

Thuriaanandh V (thuriaanandh-sec.hashnode.dev) · Jun 14 · 19 min read
SQL Injection Labs (PortSwigger)
If you want a second reference alongside this, Rana Khalil's Web Security Academy series on GitHub covers these too and is worth a look once you've had your own "wait, why is this query failing" momen…

Thuriaanandh V (thuriaanandh-sec.hashnode.dev) · Jun 14 · 14 min read
I Broke CORS Three Times on Purpose (PortSwigger Academy Writeup)
If you've ever stared at an Access-Control-Allow-Origin header and thought "yeah that looks fine," congratulations, you're exactly the kind of developer these labs are designed to humble. I just finis…

Thuriaanandh V (thuriaanandh-sec.hashnode.dev) · Jun 13 · 6 min read
Path Traversal: 6 Labs, 6 Times I Was Wrong Before I Was Right
I just finished all six Path Traversal labs on PortSwigger's Web Security Academy, going from Apprentice to Practitioner level. Going in, I thought path traversal was simple — just throw ../../../etc/…

Pratham Gupta (blog.prathamgupta.info) · Jun 8 · 11 min read
How Snyk Found the Security Gap Nobody Wanted to Fix
I've been digging into Snyk's story for a while, and what keeps pulling me back isn't the valuation or the funding rounds. It's the insight. Three founders looked at an industry full of security produ…

Paulo Rigonato (paulo-seg.hashnode.dev) · Jun 1 · 5 min read
WAF Bypass Testing: A Defensive Checklist for AppSec and Blue Teams
A WAF can reduce risk, but it should never be treated as the only security control between an attacker and an application. The most important WAF failures are often not caused by exotic payloads. They…

Nivethitha Kumaravelu (nebulablogs.com) · May 19 · 12 min read
Pipeline Security and Supply Chain Risk: Closing the Gap Between AppSec and CloudSec
Working in cloud security, I spend a lot of time thinking about the seams between systems: the places where one team's security coverage ends and another's begins. The gap I keep coming back to is CI/…

kristofprzybylak (cyber-hunter.hashnode.dev) · May 12 · 3 min read
How a Voucher Validation Flaw Led to More Than €10,000 in Credit
The Discovery: The platform offered newly registered users a welcome voucher that could be redeemed for credit. At first glance, the implementation appeared secure. Manually modifying the visible vouch…

Milan Nikic (securitydepth.hashnode.dev) · May 11 · 22 min read
OS Command Injection: Security Architect's Perspective (Part 2)
In Part 1 of this series, we cover OS command injection vulnerabilities from a developer's perspective. We looked at secure coding approaches with ProcessBuilder, whitelist-based validation strategies…