Blog posts on security, static analysis, AI, and software engineering.
2026
CVE-2026-33186 - A path normalization flaw in grpc-go v1.79.2 and earlier allows attackers to bypass path-based authorization interceptors by omitting the leading slash.
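The bypass described above hinges on a policy that inspects the raw method path: an admin prefix of `/admin.` never matches a path that arrives without its leading slash, so the check falls through to "allow". The Go code below is an added illustration of that class of flaw, not grpc-go's interceptor or the CVE's actual code. The service names, the public-method allowlist and the `authorize*` functions are made up for the example. It also goes a step beyond the page by feeding a doubled leading slash through the same checks, another variant that a raw-prefix policy misses but a normalizing one handles.

```go
package main

import (
	"fmt"
	"strings"
)

// Made-up policy for this example: anything under the "admin." service
// requires an admin caller. This is not grpc-go's code.
const adminPrefix = "/admin."

// authorizeVulnerable mirrors the flawed pattern: it decides purely on the
// raw path string. A request whose path lacks the leading slash never
// matches adminPrefix, so the check falls through to "allow".
func authorizeVulnerable(fullMethod string, isAdmin bool) bool {
	if strings.HasPrefix(fullMethod, adminPrefix) && !isAdmin {
		return false
	}
	return true
}

// normalizeMethod canonicalises a gRPC-style full-method path before any
// policy decision: exactly one leading slash and a "/Service/Method" shape.
// Anything else is rejected rather than guessed at.
func normalizeMethod(fullMethod string) (string, bool) {
	m := "/" + strings.TrimLeft(fullMethod, "/")
	parts := strings.Split(m[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", false
	}
	return m, true
}

// authorizeHardened normalizes first and then applies default deny: only
// explicitly public methods are open to everyone; everything else needs
// isAdmin. Malformed paths are denied even for admins.
func authorizeHardened(fullMethod string, isAdmin bool) bool {
	m, ok := normalizeMethod(fullMethod)
	if !ok {
		return false
	}
	publicMethods := map[string]bool{ // hypothetical allowlist
		"/public.Service/Get": true,
	}
	if publicMethods[m] {
		return true
	}
	return isAdmin
}

func main() {
	// Constructed sample paths: canonical, missing slash, doubled slash.
	for _, p := range []string{"/admin.Service/Delete", "admin.Service/Delete", "//admin.Service/Delete"} {
		fmt.Printf("%-24s vulnerable=%v hardened=%v\n",
			p, authorizeVulnerable(p, false), authorizeHardened(p, false))
	}
}
```

The two defensive moves that matter are normalizing before comparing and denying by default; a prefix denylist on an un-normalized string fails open for every spelling of the path the author did not anticipate.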
2025
2025 Wrapped
Dec 20
Blog post about 2025 Wrap & Reflection
Some thoughts on the Django SQL injection CVE-2025-64459
Claude Code for Security Analysis: Introducing SecureFlow CLI to Hunt Security Vulnerabilities
Oct 3
An AI-powered security scanning tool that uses agentic loops to hunt vulnerabilities; it discovered 300+ issues in WordPress plugins, supports 12+ AI models, and integrates with DefectDojo.
A purely exploratory blog post with thoughts on neural networks.
Explore a permission-based security model for MCP and Tool Calling in LLMs, inspired by Android's runtime permissions, to protect sensitive data while maintaining functionality.
Static Analysis Isn't Enough: Understanding Library Interactions for Effective Data Flow Tracking
Apr 17
Static analysis tools go blind without understanding library calls – learn why modeling them is critical for finding real security flaws.
Explore how Sherlock leverages Sourcegraph to automate security code reviews, enhancing productivity and ensuring robust code security.
Exploring the potential and challenges of LLM-assisted security reviews
A short blog post on how I leverage LLMs (AI) to streamline or assist my work
2024
2024 Wrapped
Dec 26
Blog post about 2024 Wrap & Reflection
Books I read in 2024
Dec 19
This blog post discusses the Eindhoven Quantifier Notation adopted by CodeQL.
This blog post discusses a semi-autonomous way to perform security code reviews.
Defining Boundaries & Sinks for Inter-procedural Source Sink Analysis - Part 3
Code Execution via Java & Kotlin Deserialization in Android Application
2023
2023 Wrap - Year in Review
Dec 27
Blog post about 2023 Wrap & Reflection
Building Inter-procedural Source Sink Analysis from Scratch - Part 2
Building a simple source sink analysis in Java from scratch.
Discover how Cody AI, the magic AI Assistant, helped me seamlessly upgrade my web app from ArcGIS to Mapbox map, making it responsive for mobile users.
This blog post covers building a basic semantic search over a PDF document using the OpenAI API and Python.
A comprehensive writeup that helps to understand the Heap Two exercise: a heap buffer overflow and use-after-free (UAF) vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Heap One exercise: a heap buffer overflow vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Heap Zero exercise: a heap buffer overflow vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Format Four exercise: a format string vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Format Three exercise: a format string vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Format Two exercise: a format string vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Format One exercise: a format string vulnerability, with learning resources.
A comprehensive writeup that helps to understand the zero-click Net-NTLMv2 credential hash leak from the Outlook client.
A comprehensive writeup on the HackTheBox Active VM to help learn and practice for the OSCP Active Directory track.
A comprehensive writeup that helps to understand the Format Zero exercise: a format string vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Stack Six exercise: a stack overflow vulnerability, with learning resources.
A comprehensive writeup on the HackTheBox Jerry VM to help learn and practice for the OSCP.
An index of HackTheBox OSCP machine writeups.
A comprehensive writeup on the HackTheBox Bashed VM to help learn and practice for the OSCP.
Android WebView has multiple security configurations that may lead to security vulnerabilities. We'll take a deep dive into those WebView configs, break down the vulnerable ones, and leverage Semgrep to identify those patterns.
A comprehensive writeup that helps to understand the Stack Five exercise: a stack overflow vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Stack Four exercise: a stack overflow vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Stack Three exercise: a stack overflow vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Stack Two exercise: a stack overflow vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Stack One exercise: a stack overflow vulnerability, with learning resources.
A comprehensive writeup that helps to understand the Stack Zero exercise: a stack overflow vulnerability, with learning resources.
Basic exploit.education lab setup for memory-corruption security bugs.
2022
An interesting post on integer overflow in a basic binary search.
Content provider APIs are a powerful way to expose data to internal or external apps within the Android ecosystem. However, many of these APIs are implemented with flaws that lead to serious data leakage and even remote code execution.
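The binary-search overflow mentioned above is the textbook `(lo + hi) / 2` midpoint: once the two bounds sum past the maximum of the index type, the midpoint goes negative. The Go code below is an added example, not the post's code, written with explicit `int32` indices so the wrap is observable (Go defines signed overflow as two's-complement wrap, unlike C where it is undefined behaviour). Rather than allocating a two-billion-element array, it binary-searches the answer space of an integer square root, so the index range spans the full `int32` range and the first probe that lands in the upper half triggers the overflow. `ceilSqrt`, `midNaive` and `midSafe` are names chosen for this example.

```go
package main

import (
	"fmt"
	"math"
)

// midNaive is the textbook midpoint. With int32 bounds, lo+hi wraps as soon
// as the sum exceeds math.MaxInt32, producing a negative "index".
func midNaive(lo, hi int32) int32 { return (lo + hi) / 2 }

// midSafe yields the same midpoint without ever forming lo+hi.
func midSafe(lo, hi int32) int32 { return lo + (hi-lo)/2 }

// ceilSqrt returns the smallest x in [0, MaxInt32] with x*x >= n, found by
// binary search over the answer space using the supplied midpoint function.
// It reports ok=false if the midpoint ever leaves [lo, hi], which is exactly
// what an overflowed midpoint does. n must be <= MaxInt32*MaxInt32.
func ceilSqrt(n int64, mid func(lo, hi int32) int32) (int32, bool) {
	lo, hi := int32(0), int32(math.MaxInt32)
	for lo < hi {
		m := mid(lo, hi)
		if m < lo || m > hi {
			return m, false // midpoint outside the bounds: overflow detected
		}
		if int64(m)*int64(m) >= n {
			hi = m
		} else {
			lo = m + 1 // m < hi here, so this cannot overflow
		}
	}
	return lo, true
}

func main() {
	// Constructed input: the answer (~1.41e9) lies in the upper half of the
	// int32 range, so the second probe already has lo+hi > MaxInt32.
	const n int64 = 2_000_000_000_000_000_000
	x, ok := ceilSqrt(n, midNaive)
	fmt.Printf("naive: mid=%d ok=%v\n", x, ok)
	x, ok = ceilSqrt(n, midSafe)
	fmt.Printf("safe:  x=%d ok=%v\n", x, ok)
}
```

Note that the naive midpoint works perfectly for small inputs, where the search stays in the lower half of the range and `lo + hi` never exceeds the type's maximum; that is why the bug survives ordinary testing and only appears on large inputs.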
2020
DOM Cross-Site Scripting attack on leetcode.com.
Strategies for securing an Express.js server.