public log

CHANGELOG

A running record of research findings, site updates, new writeups, and tool releases by Naveen Jagadeesan — Security Analyst & Researcher.

21 Writeups
4 Years Active
0 CVE / Bugs
Curiosity
2024
OS Command Injection → Remote Code Execution

Chained OS command injection with privilege escalation to achieve full remote code execution on a production target. Includes payload crafting and post-exploitation notes.

2023
Business Logic Flaw → Free Subscriptions & 12% Discount

Abused flawed hotel booking logic to obtain subscriptions at $0 and trigger unauthorized discounts across booking flows.

Mass Assignment Vulnerability → Full Database Dump

Leveraged a mass assignment flaw to escalate privileges and exfiltrate the entire production database via crafted API payloads.

WAF Bypass → SQL Injection Database Dump

Bypassed multiple WAF rules in a financial app to exploit SQLi and exfiltrate the database. Includes bypass techniques and enumeration approach.

Business Logic Error → Price Manipulation

Exploited price parameter tampering to purchase products and services below listed cost, bypassing server-side validation.

Account Takeover via Session Storage Manipulation

Demonstrated full account takeover in a financial web app by exploiting a weak session storage implementation and token reuse.

2022
DLL Hijacking → Remote Code Execution (Business Automation App)

Discovered and exploited DLL hijacking in a widely used business automation product, leading to persistent RCE on Windows targets.

Pentester's Guide to Insecure Deserialization

Deep-dive reference guide covering insecure deserialization concepts, identification techniques, and exploitation across multiple frameworks.

IDOR → Unauthorized Access to Linked Bank Accounts

Exploited an IDOR to access and enumerate other users' linked bank accounts in a fintech application with no authorization checks on object references.

2021
API Misconfiguration → Mass PII Data Leakage

Identified an API security misconfiguration leading to exposure of thousands of PII records with no authentication required on sensitive endpoints.

Time-Based SQL Injection → Database Dump

Exploited time-based blind SQLi to enumerate and exfiltrate the full database. Covers detection, manual exploitation, and automation with sqlmap.

Massive Subdomain Takeover via Subzy

Uncovered and responsibly disclosed a large-scale subdomain takeover vulnerability using automated enumeration with subzy across a large target's external attack surface.

iOS Pentesting Dynamic Analysis Lab Setup

Step-by-step guide to jailbreaking an iPhone and configuring a full dynamic analysis environment for iOS application security testing.

Account Takeover via Response Manipulation

Intercepted and manipulated server responses to bypass authentication logic and take over targeted user accounts.

Reflected XSS on Public Bug Bounty Program

Discovered a reflected cross-site scripting vulnerability in a public program, bypassing client-side filters via payload encoding.
