Security on Shivasurya

CVE-2026-33186: Bypassing gRPC-Go Authorization with a Missing Slash

Wed, 01 Apr 2026 00:00:00 +0000

Some thoughts around Django SQL Injection CVE-2025-64459

Fri, 07 Nov 2025 00:00:00 +0000

Vulnerability Overview

Yesterday I came across this CVE-2025-64459 and I was bit skeptical about the severity of the issue as it was marked as critical. So I decided to do a deep dive into the issue and see if it was a real issue or not. Turns out it was a real issue only if you’re meeting the following conditions:

You’re using Django Affected versions
- >= 5.2a1, < 5.2.8
- >= 5.0a1, < 5.1.14
- < 4.2.26
Source: request.GET or request.POST dict

Claude Code for Security Analysis: Introducing SecureFlow CLI to Hunt Security Vulnerabilities

Fri, 03 Oct 2025 00:00:00 +0000

AI-Powered Security Vulnerability Hunting at Scale

SecureFlow CLI is an open-source agentic SAST security tool that uses AI-powered loops to autonomously hunt for vulnerabilities in codebases. Built on the same principles as Cline/Cursor/Windsurf/Claude-Code for Security Analysis, it leverages LLMs and tools to navigate code, gather context, and identify security issues.

Example: WordPress Plugin Scanning Results

The WordPress plugin ecosystem is often overlooked for security scanning despite serving millions of users. Scanning 600+ WordPress plugins with SecureFlow yielded impressive results:

CodeQL: Eindhoven Quantifier Notation

Tue, 10 Sep 2024 00:00:00 +0000

Introduction

Recently, I have been thinking about aggregate functionality design for Code PathFinder, opensource alternative to GitHub CodeQL. SQL aggregate functions such as SUM, AVG, MIN, MAX are combined with WHERE and GROUP BY to generate aggregate queries. However, I was wondering if there is a way to generate aggregate queries without using WHERE and GROUP BY. While going through CodeQL design research paper, I came across Eindhoven Quantifier Notation which is quite interesting, easy to understand and can be used to generate aggregate queries. This blog post will discuss about Eindhoven Quantifier Notation adopted by CodeQL.

Deep dive on Android Java / Kotlin Deserialization Code Execution with Semgrep Detection

Wed, 24 Jan 2024 00:00:00 +0000

Overview

In this post, we will explore code execution using Java & Kotlin Deserialization in Android Application. Additionally, We will discuss the Gadget Chain, Detection and Exploitation technique specific to Android. Achieving code execution in server side application via Java deserialization has higher chance of success than in client side android application. This is due to limitation of variety of loaded classes in android application. For instance com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is available in openJDK but not in Android JDK (but with modification). These limitation can be a blocker for loading arbitrary classes and executing payload (mostly compiled bytecode) in Android application. Well there are lot of deserialization vulnerabilities is published out there such as

Heap Two Writeup - Exploit Education Lab Exercise

Sat, 06 May 2023 00:00:00 +0000

If you haven’t set up your lab yet, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Heap One, Heap Two exercise motive is to leverage buffer overflow and perform UAF (User-After-Free Vulnerability) that technically allows to re-use the allocated memory in the heap to control the program flow. Similar to gets in Heap Zero, strdup function is unsafe that doesn’t have bounds check, it accepts memory address to copy but doesn’t care about overwriting other declared struct variable in the heap region.

Heap One Writeup - Exploit Education Lab Exercise

Fri, 05 May 2023 00:00:00 +0000

If you haven’t set up your lab yet, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Heap Zero, Heap One exercise motive is to smash the heap to modify other variables in the heap to a hex value and technically overwrite struct in the heap. Similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared struct variable in the heap region.

Heap Zero Writeup - Exploit Education Lab Exercise

Fri, 28 Apr 2023 00:00:00 +0000

If you haven’t set up your lab yet, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Stack One, Heap Zero exercise motive is to smash the heap to modify other variables in the heap to a hex value and technically overwrite function pointer in the heap. Similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared function pointer in heap.

Format Four Writeup - Exploit Education Lab Exercise

Fri, 21 Apr 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Format Three Writeup - Exploit Education Lab Exercise

Fri, 14 Apr 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Format Two Writeup - Exploit Education Lab Exercise

Fri, 07 Apr 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Format One Writeup - Exploit Education Lab Exercise

Fri, 31 Mar 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

CVE-2023-23397 - Zero Click Net-NTLMv2 Credential Hash Leak on Outlook Client

Sat, 25 Mar 2023 00:00:00 +0000

Quick Overview

Microsoft announced patch for CVE-2023-23397 which generally goes out usually on tuesday (Mar 14, 2023). This particular vulnerability caught my eyes due to the fact that I actively work on Active Directory based HackTheBox machines and this one is something similar to Android Application Exploits where attacker passes random url to activities or services and the outbound network connection often contains sensitive tokens attached to it.

IIRC, I reported a similar vulnerability in 2020 which completely leaks encrypted sandbox local files including e-mail, tasks in the ProtonMail Android Client reference However, it requires user interaction in the victim side of Android app.

HackTheBox Active Writeup - Active Directory - OSCP Practice

Fri, 17 Mar 2023 00:00:00 +0000

Quick Overview

Active is one of the easy Active Directory focused Windows Box from TJNull OSCP Practice list. It’s one of those easy machine where you get initial foothold via SMB Replication share leak & escalate privileges using Active Directory weakness.

Enumeration

NMapAutomator

Started with enumerating the target with NMapAutomator script since it helps in automating all possible ports with vulnerability scripts from nmap. Additionally, NmapAutomator can help in recon process using smbmap, ffuf, nikto, DNSRecon, SMB enumeration.

Format Zero Writeup - Exploit Education Lab Exercise

Fri, 10 Mar 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Stack Six Writeup - Exploit Education Lab Exercise

Sun, 26 Feb 2023 00:00:00 +0000

Previous Writeup:

If you’re learning and writing binary exploits, I would strongly recommend you to take Architecture 1001: x86-64 Assembly course by Xeno Kovah. They cover a wide variety of learning assembly instructions which will be really helpful to understand the exploits.

HackTheBox Jerry Writeup - OSCP Practice

Fri, 24 Feb 2023 00:00:00 +0000

Quick Overview

Jerry is one of the Windows Box from TJNull OSCP Practice list. It’s one of those quite easy machine where you get initial foothold & privilege escalation in a single hop.

Enumeration

NMapAutomator

HackTheBox OSCP Writeups - Shivasurya.me

Mon, 20 Feb 2023 00:00:00 +0000

Quick Overview

This blog post acts as Index of TJNull HackTheBox OSCP Practice list. I myself enjoyed solving all those HackTheBox VM and started writing writeups to help other folks out there striving hard to crack OSCP exam 🎮

Index

Closing Note:

I hope this post is helpful for folks preparing for Offensive Security Certified Professional certification exam. For bugs,hugs & discussion, DM in Twitter. Opinions are my own and not the views of my employer.

HackTheBox Bashed Writeup - OSCP Practice List

Tue, 14 Feb 2023 00:00:00 +0000

Quick Overview

Bashed Box is one of the Linux Box from TJNull OSCP Practice list. It’s one of those quite easy machine where you get initial foothold in one hop and privilege escalation in second hop.

Enumeration

NMapAutomator

Detecting Android WebView Vulnerable Configurations with Semgrep Rules - Part 1

Fri, 10 Feb 2023 00:00:00 +0000

Android WebView widget provides APIs that help developers seamlessly integrate webpage contents within Android application. Advancement in Webview & Chrome Custom Tabs lead to exponential growth in webview based mobile development platforms such as Ionic framework, JQuery Mobile, Adobe Phonegap later open-sourced as Cordova Project, React Native. However the race to capture the mobile development market, immature WebView APIs and lack of security guidance lead to multiple vulnerabilities and exploits. In today’s blog post, we’ll deep dive into multiple WebView vulnerability configurations and leverage semgrep to detect those configuration real time.

Stack Five Writeup (Code Execution) - Exploit Education Lab Exercise

Sat, 04 Feb 2023 00:00:00 +0000

Previous Writeup:

Stack Four Writeup - Exploit Education Lab Exercise

Sat, 28 Jan 2023 00:00:00 +0000

Previous Writeup:

Stack Three Writeup - Exploit Education Lab Exercise

Fri, 27 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Stack Two, Stack Three exercise motive is to smash the stack to modify other variables in the stack to a hex value and technically overwrite function pointer in the stack. Similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared function pointer in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int *fp function pointer stays in main stackframe. This overwritten function pointer will be further used to invoke in later part of the program.

Stack Two Writeup - Exploit Education Lab Exercise

Thu, 26 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Stack One, Stack Two exercise motive is to smash the stack to modify other variables in the stack to a hex value 0x0d0a090a but receives the value from the environment variable ExploitEducation. Technically, similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared variables in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int changeme stays in main stackframe.

Stack One Writeup - Exploit Education Lab Exercise

Fri, 20 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup: Stack Zero Writeup - Exploit Education Lab Exercise

Quick Overview

Unlike Stack Zero, Stack One exercise motive is to smash the stack to modify other variables in the stack to a hex value 0x496c5962. Technically, similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared variables in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int changeme stays in main stackframe.

Stack Zero Writeup - Exploit Education Lab Exercise

Thu, 12 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Quick Overview

Stack Zero exercise is based on stackoverflow memory corruption issue where you’ll have to smash the stack to modify other variables in the stack to achieve code execution, execution flow redirection or behaviour in the program. Technically, gets function is unsafe that doesn’t have bounds check basically, it accepts memory address to write but doesn’t care about overwriting other declared variables in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int changeme stays in main stackframe.

Exploit Education Lab Setup - Windows & MacOS

Fri, 06 Jan 2023 00:00:00 +0000

Exploit.education binary exploitation exercise typically runs on ASLR (Address space layout randomization) disabled ubuntu based virtual machine with Data Execution Prevention turned off binaries. In order to setup the exploit.education lab, You’ll have to either use virtualbox or qemu based virtual machine emulator setup to easily test and debug the exercises.

Installation

For both MacOS and Windows, grab a copy of qemu emulator and follow the installation setup which is quite easy.

Binary Search and Hidden Overflow 🪲

Sun, 04 Dec 2022 00:00:00 +0000

Recently I was playing with overflow vulnerabilities help of exploit.education exercise which mostly covers basic heap, buffer overflow, use-after-free vulnerability patterns in a contained qemu based environment. However, I was searching for Integer overflow patterns and articles around it “how to succesfully convert a integer overflow into a remote code execution”. While reading through the vulnerability reports, I started exploring code snippets relevant to integer overflow and this blog post Nearly All Binary Searches and Mergesorts are Broken caught my eyes.

Detecting Android Content Provider APIs with Semgrep Rules

Mon, 28 Nov 2022 00:00:00 +0000

Content Provider is one of the powerful APIs which helps Android developers programmatically expose resource content within Android ecosystem via Intents. One could easily write those queries easily by extending the ContentProvider class and implementing those methods and accessing via URI (example: android://com.zoho.example/database/:_data). Though these Content Provider is a cupcake for developers, Unfortunately there are lot of vulnerabilities hidden within those APIs and with implementation part.

The main intent for writing this blog post were Semgrep and the recent blog post from project zero regarding Analysis of a Samsung in-the-wild exploit chain. I’ve been using semgrep for a while to tweak my findings instead of naive grep, CodeQL and the Samsung exploit chain may look trivial but how a simple permission bypass can affect system level apps in the Android phone. Later this year, I have added semgrep to my mobile pentesting suite which helps me to run these scripts over large Android projects, decompiled projects in automated way which pings me on Slack 🤖.

Cross-Site Scripting attack on Leetcode

Mon, 07 Dec 2020 00:00:00 +0000

Reflected XSS (Cross-Site Scripting) attack is my favorite vulnerability category as it’s relatively easy to exploit by checking for params as the source and rendering DOM as the sink.

Problem

The core problem of the Reflected Cross-Site scripting attack is appending the URL parameter values in the DOM without validation or filtering. Though the reflected XSS requires user interaction by visiting the page or clicking on links in real-life attacks, people should think about Iframe tags that don’t need any interaction to load them on other third party web pages.

Securing an ExpressJS server - Part 1

Thu, 05 Nov 2020 00:00:00 +0000

As Javascript programming language popularity increases, platforms have already started adopting it from native desktop apps, mobile, browser to server-side, giving rise to exciting frameworks, style guides, tools.

To JavaScript—you weren’t born with a silver spoon in your mouth, but you’ve outclassed every language that’s challenged you in the browser.

ExpressJS is not an exception that powers 2.31% of the top 1 million websites which runs on top of NodeJS and provides excellent features to develop web-based applications. So, let’s jumpstart with a few basics, and this particular series will cover a lot more aspects of securing, maintaining and deploying production-grade expressjs server.