In God we trust; rest we test!

Detecting zero days in software supply chain with static and dynamic analysis

This post shares some ideas on detecting zero-days in the software supply chain before they are flagged by typical Software Composition Analysis (SCA) or dependency-checking tools. It also shares proof-of-concept code that applies static and dynamic analysis to third-party dependencies, so that malicious behaviour is detected before the build step of a CI/CD pipeline runs.

Stealing card details from contactless cards in seconds

This post demonstrates how easy it is for anyone with an NFC-enabled phone to steal card details, including the CVV/CVC, from contactless credit, debit and prepaid cards in seconds.

Exploiting insecure file extraction in Python for code execution

Compressed-file extraction code in Python that is vulnerable to path traversal can lead to arbitrary code execution by overwriting
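The pattern behind that post, as an added example that is not code from the original post: a vulnerable extractor that joins each archive member name onto the destination directory as-is, beside a hardened one that resolves every target path and refuses anything outside the destination before writing a single byte. The archive is constructed in memory (member names and contents are made up for the demo), and the whole thing runs inside a scratch directory.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample: an archive whose second member name climbs out of
    the extraction directory. Held in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("harmless.txt", "hello\n")
        zf.writestr("../escaped.txt", "written outside the extraction dir\n")
    return buf.getvalue()


def extract_insecure(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: trusts the member name and joins it onto dest.
    os.path.join does not normalise '..', so the file lands in dest's parent.
    (zipfile.extractall strips '..' itself; hand-rolled loops like this one do not.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.join(dest, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(os.path.abspath(target))
    return written


def extract_safe(zip_bytes: bytes, dest: str) -> list:
    """Hardened version: resolve the final path of every member and check it
    stays under dest. Validation is a separate pass so a bad member late in
    the archive cannot leave earlier members already written to disk."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"path traversal in archive member: {info.filename!r}")
            targets.append((info, target))
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the constructed archive in a scratch directory
    and report whether the insecure one escaped and the safe one refused."""
    payload = build_malicious_zip()
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "out")
        os.makedirs(dest)
        extract_insecure(payload, dest)
        escaped = os.path.exists(os.path.join(root, "escaped.txt"))
        try:
            extract_safe(payload, os.path.join(root, "safe"))
            blocked = False
        except ValueError:
            blocked = True
    return {"insecure_escaped": escaped, "safe_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The same check applies to tarfile-based extractors; on Python 3.12 and later (and the patched 3.8 to 3.11 releases), `TarFile.extractall(..., filter="data")` rejects members that would land outside the destination, so prefer that over hand-written path checks where it is available.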

Exploiting deserialization bugs in Node.js modules for Remote Code Execution

Untrusted data passed into the unserialize() function of the node-serialize module can be exploited to achieve arbitrary code execution by supplying a serialized JavaScript object that contains an immediately invoked function expression (IIFE).

Server Side Template Injection in Tornado

This post explains Server Side Template Injection (SSTI) in the Python Tornado web framework.