Learn about race conditions, their types, exploitation techniques, and mitigation strategies.

A brief story of how a Type Confusion vulnerability allowed privilege escalation in a real-world scenario.

Node.js Arbitrary File Upload to RCE Challenge Writeup Challenge Overview This challenge involved exploiting a vulnerable Node.js application with an insecure file upload endpoint. The vulnerabili...

In this challenge from AppSec Master, the goal was to exploit a Spring Expression Language (SpEL) injection to execute a command on the server and exfiltrate the content of the masterkey.txt file. ...

Overview This writeup covers a Remote Code Execution (RCE) vulnerability caused by unsafe deserialization using Python’s pickle module. The vulnerable web application was featured in AppSecMaster ...

Overview In this code review challenge on AppSecMaster, the task was to identify and exploit a vulnerability within a custom Node.js application. By carefully analyzing the code, I discovered a cl...

A step-by-step guide to reverse engineering and exploiting an exported Android AIDL-based bound Service from another app.

A short write-up on exploiting an Android Service vulnerability involving Messenger IPC and state management to retrieve a hidden flag.

🔍 Challenge Overview We’re given a bound Service called Flag26Service, which exposes a Messenger IPC interface using onBind(): @Override public IBinder onBind(Intent intent) { return this.mes...

A file upload endpoint accepted folder traversal sequences, enabling unauthorized file placement and abuse of signed Google Cloud Storage URLs.