rMy9
Home About Writeups

SYSTEM COMPROMISED.

REMMY9

Offensive Security Researcher & Bug Bounty Hunter.
READ WRITEUPS WHO AM I? 
    |\__/,|   (? \
  _.|o o  |_   ) )
-(((---(((--------
STATUS: HUNTING
About Me

I'm Remmy9. I dissect systems, break logic, and find vulnerabilities before the bad actors do.

With over 4 years of experience in offensive security, my playground ranges from complex web applications to obscure network protocols. When I'm not pwning boxes, I'm petting cats or drinking excessive amounts of caffeine.

Latest Writeups

View All
javascript Jun 20, 2026

JavaScript Dissected: P1 - Trees!

Learn how JavaScript engines turn source code into Abstract Syntax Trees, why ASTs are the foundation of security tooling like Semgrep and CodeQL, and how parser differentials enable WAF bypasses. First in the JavaScript Internals series.

Read More >>
sql-injection May 25, 2025

Bypassing WAF, 403, and OTP to Exploit SQL Injection

Bypassing WAF, 403 Forbidden, and OTP restrictions to exploit a blind SQL injection on a VDP program.

Read More >>
chaining May 25, 2025

My Therapist Said Tiny Problems Don’t Matter. These Vulnerability Chains Proved Me Wrong.

Chaining multiple low-severity IDORs, broken access control, and token exhaustion into a data exfiltration chain.

Read More >>
xss Feb 4, 2025

From alert(origin) to ATO, an XSS Story

How a simple XSS discovery escalated to full account takeover through response manipulation and creative payload crafting.

Read More >>
xss Oct 5, 2023

403 Forbidden? No Problem, Here’s a POST XSS

Bypassing 403 forbidden restrictions to deliver a POST-based XSS payload that led to a Bugcrowd bounty.

Read More >>