Offensive Security
Remmy9
Offensive security research, exploits, and tradecraft. Real findings, real chains, real impact.
There's always a way in. The only question is how many layers you're willing to peel back. — Remmy
>_ Posts
>_ JavaScript Dissected: P1 - Trees!
Learn how JavaScript engines turn source code into Abstract Syntax Trees, why ASTs are the foundation of security tooling like Semgrep and CodeQL, and how parser differentials enable WAF bypasses. First in the JavaScript Internals series.
>_ Bypassing WAF, 403, and OTP to Exploit SQL Injection
Bypassing WAF, 403 Forbidden, and OTP restrictions to exploit a blind SQL injection on a VDP program.
>_ My Therapist Said Tiny Problems Don’t Matter. These Vulnerability Chains Proved Me Wrong.
Chaining multiple low-severity IDORs, broken access control, and token exhaustion into a data exfiltration chain.
>_ From alert(origin) to ATO, an XSS Story
How a simple XSS discovery escalated to full account takeover through response manipulation and creative payload crafting.
>_ 403 Forbidden? No Problem, Here’s a POST XSS
Bypassing 403 forbidden restrictions to deliver a POST-based XSS payload that led to a Bugcrowd bounty.